Dark Angels Ransomware Gets Record Breaking Ransom Payment
Written by Karolis Liucveikis on
A recent report by Zscaler revealed that the Dark Angels ransomware gang received a record-breaking 75 million USD ransom payment from a Fortune 50 company.
The report stated,
In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount—an achievement that’s bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics
The record-breaking payment has been confirmed by cryptocurrency analysis firm Chainalysis via a Twitter post that read,
We can confirm that early this year we saw the largest ransomware payment ever at $75M. The "big game hunting" trend we discussed in our 2024 crime report – fewer attacks on larger targets with deeper pockets – is becoming more pronounced…
Neither Zscaler nor Chainalysis has described who the Fortune 50 company is. Bleeping Computer noted that in February 2024, pharmaceutical giant Cencora suffered a cyberattack.
Interestingly, no ransomware gang ever claimed responsibility for the attack, potentially indicating that a ransom was paid. Labelling Cencora as the victim of the attack by Dark Angels and the massive amount received as a ransom is speculation at this point, despite coincidences in the timing of events.
The Dark Angels ransomware gang emerged in May 2022 and has managed to remain under the radar. They target various industries, including healthcare, government, finance, and education. More recently, they have been observed launching attacks against large industrial, technology, and telecommunication companies.
The ransomware gang follows a highly targeted approach to victim selection and compromise. The gang will also electively decide whether to encrypt the company's files. It would seem that the gang's first focus is to steal vast amounts of data, typically up to 10 TB worth of victim files.
However, larger enterprises can have up to 100 TB stolen in an attack by Dark Angels. This can take days or weeks to transfer, suggesting that the gang is incredibly stealthy when it comes to data exfiltration.
In summarizing Dark Angels operations till now, Zscaler notes,
The highest-profile attack conducted by Dark Angels was in September 2023, when the group breached an international conglomerate that provides solutions for building automation systems among other services. Dark Angels demanded a $51 million ransom, claimed to have stolen over 27 TB of corporate data, and encrypted the company’s VMware ESXi virtual machines.
This publication recently published an article on how other ransomware gangs actively target ESXi virtual machines. One reason is the reliance of large enterprises on deploying virtual machines for a wide variety of tasks.
The technology is very convenient, but care must be taken to harden virtual machines, as many security software solutions have no visibility when it comes to these parts of the infrastructure.
Dark Angels has been known to deploy the Ragnar Locker ransomware in previous attacks to encrypt victim data and machines. Earlier attacks by the ransomware gang would use Babuk to encrypt data but then switched to Ragnar Locker.
Zscaler concluded that the gang's targeting a few high-value companies for large payouts is a trend worth monitoring. There is a risk that other ransomware gangs will adopt similar tactics, seeing how successfully Dark Angels has implemented its ransomware tactics.
Evolving Ransomware Landscape
Also included in Zscaler's report were their views on ransomware's short to medium-term future. Researchers believe more ransomware gangs will adopt Dark Angels' highly targeted approach. There are two advantages to this approach.
The first is that it naturally reduces scrutiny from law enforcement and the security industry as a whole. Secondly, it allows threat actors to focus on targeting high-value targets where high ransoms can be demanded and large amounts of sensitive data can be exfiltrated.
Another possible emerging trend is attacks that look to exfiltrate large amounts of data without the need for the deployment of encryption malware. Dark Angels is certainly a front-runner in this technique's adoption but has been seen in other attacks dating back to 2022.
Threat actors will focus on exfiltrating data without encrypting systems. The approach allows quicker, more opportunistic operations that capitalize on the fear of releasing sensitive data. This is done to further coerce victims into paying ransom.
Another tactic that demands increased attention from those defending IT infrastructure is the use of voice-based social engineering. Zscaler has seen an increase in threat actors who specialize in gaining initial access to targets utilizing voice-based, sometimes referred to as vishing, social engineering attacks to deceive individuals into granting access to corporate IT infrastructure.
There has also been an increase in threat actors using generative AI to create more convincing spam emails and voice cloning to impersonate staff to gain privileged access. Adopting such technology will make ransomware attacks far harder to detect in the near future.
▼ Show Discussion