The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Read the Manual (RTM) Locker for Windows, and a RagnarLocker variant for Linux/ESXi systems. Dark Angels emphasizes data theft over file encryption, often demanding payment to prevent data leaks. Their tactics include network infiltration, lateral movement, and selective ransomware deployment based on potential business disruption. The group has claimed a record $75 million ransom payment and operates a data leak site called Dunghill Leak.