Ransomware - Dunghill Leak

Dunghill Leak (Active)
Decryptor Available

The Dunghill Leak operation made itself known in mid-April 2023. However, based on the creation time of their Telegram page, they began this specific operation in January of the same year. All of their double extortions are posted to this Telegram before being mirrored to their dark web page. Most ransomware threat actors name themselves after their encryptor or data leak site. However, Dunghill Leak is operated by a ransomware group that calls themselves Dark Angels Team. This is the same group that operated the self-named Dark Angels data leak site in 2022. How they came up with the name Dunghill Leak is unknown.

Since switching to the Dunghill Leak name, they've breached large organizations. Public reporting and their data leak site show that they breached Sysco Corporation in late Spring 2023. In September of the same year, they allegedly breached Sabre Corporation and Johnson Controls International. The outcome of those alleged breaches is unknown, but it has been reported that they demand multi-million-dollar ransoms. This amount probably varies depending on the cyber insurance of the victim, which Dark Angels Team is known to elicit or steal upon breaches.

Regarding the technical attributes of their encryptors, the cybergroup initially leveraged the stolen Babuk source code to create their own encryptor. This was during the time of the Dark Angels data leak site. They forked the Babuk code from GitHub and slightly tailored it to their needs. However, they also have been observed using a tailored version of Ragnar Locker (ESXi version). Meanwhile, the operators themselves claim that they have created their own encryptor. The only official sample we have collected is the Ragnar Locker variant reported by @MalGamy12. Thus, the encryption information is from that sample too.

Note: We added Johnson Controls as a victim to Dunghill Leak even though they were never posted by the Dark Angels Team. However, it was the Dark Angels Team that was responsible for the ransomware attack on Johnson Controls. As such, we have posted that entry here.

Ransomware Type
Data Broker
First Seen
Threat Actors
Dark Angels Team
Extortion Types
Direct Extortion
Double Extortion
Elicit Cyber Insurance
Free Data Leaks
Unveil to Media
Victim Client Communication
Victim Employee Communication
Extortion Amounts
Samples (SHA-256)
Industry Sector Country Extortion Date Amount (USD)
Construction & Architecture Brazil
Construction & Architecture Portugal
Sports & Gaming United States
Automotive United States
Food & Beverage United States
Information Technology United States
Manufacturing Ireland $51,000,000
Information Technology United States
Information Technology United States
Transportation United Kingdom
Construction & Architecture United States
Construction & Architecture United States
Distribution & Logistics United States
Information Technology United States