The Dunghill Leak operation made itself known in mid-April 2023. However, based on the creation time of their Telegram page, they began this specific operation in January of the same year. All of their double extortions are posted to this Telegram before being mirrored to their dark web page. Most ransomware threat actors name themselves after their encryptor or data leak site. However, Dunghill Leak is operated by a ransomware group that calls themselves Dark Angels Team. This is the same group that operated the self-named Dark Angels data leak site in 2022. How they came up with the name Dunghill Leak is unknown.
Since switching to the Dunghill Leak name, they've breached large organizations. Public reporting and their data leak site show that they breached Sysco Corporation in late Spring 2023. In September of the same year, they allegedly breached Sabre Corporation and Johnson Controls International. The outcome of those alleged breaches is unknown, but it has been reported that they demand multi-million-dollar ransoms. This amount probably varies depending on the cyber insurance of the victim, which Dark Angels Team is known to elicit or steal upon breaches.
Regarding the technical attributes of their encryptors, the cybergroup initially leveraged the stolen Babuk source code to create their own encryptor. This was during the time of the Dark Angels data leak site. They forked the Babuk code from GitHub and slightly tailored it to their needs. However, they also have been observed using a tailored version of Ragnar Locker (ESXi version). Meanwhile, the operators themselves claim that they have created their own encryptor. The only official sample we have collected is the Ragnar Locker variant reported by @MalGamy12. Thus, the encryption information is from that sample too.
Note: We added Johnson Controls as a victim to Dunghill Leak even though they were never posted by the Dark Angels Team. However, it was the Dark Angels Team that was responsible for the ransomware attack on Johnson Controls. As such, we have posted that entry here.
Known Victims(14)
| Industry Sector | Country | Extortion Date | Amount (USD) |
|---|---|---|---|
| Construction & Architecture | Brazil | ||
| Construction & Architecture | Portugal | ||
| Sports & Gaming | United States | ||
| Automotive | United States | ||
| Food & Beverage | United States | ||
| Information Technology | United States | ||
| Manufacturing | Ireland | $51,000,000 | |
| Information Technology | United States | ||
| Information Technology | United States | ||
| Transportation | United Kingdom | ||
| Construction & Architecture | United States | ||
| Construction & Architecture | United States | ||
| Distribution & Logistics | United States | ||
| Information Technology | United States |