A Fortune 50 company has reportedly paid a record-breaking $75 million ransom to the Dark Angels ransomware gang.
Zscaler's Ransomware Report 2024 states:
"In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount—an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics...."
We take a look at how the Dark Angels ransomware group managed to extort a record-breaking amount from a single victim and what strategy it used to pull off this cyberattack.
The unprecedented ransomware payment was further corroborated by the crypto intelligence firm Chainalysis, which posted about it on X.
Previously, the largest known ransom payment was $40 million, made by insurance giant CNA following an attack by the Evil Corp ransomware group.
While Zscaler did not disclose the identity of the company that paid the $75 million ransom, they confirmed that it is a Fortune 50 company and that the attack occurred in early 2024.
One potential victim is pharmaceutical giant Cencora, ranked #10 on the Fortune 50 list, which experienced a cyberattack in February 2024. No ransomware gang publicly claimed responsibility for this attack, potentially suggesting that a ransom was paid.
Dark Angels is a ransomware operation that emerged in May 2022, targeting companies globally. Like most human-operated ransomware groups, Dark Angels breaches corporate networks and moves laterally until it gains administrative access. During this process, the attackers also exfiltrate data from compromised servers, which is then used as additional leverage when making ransom demands.
Once they gain access to a company's Windows domain controller, the attackers deploy ransomware to encrypt all devices on the network.
Initially, Dark Angels used Windows and VMware ESXi encryptors based on the leaked source code of the Babuk ransomware. However, over time, they transitioned to using a Linux encryptor, the same one employed by Ragnar Locker since 2021. Ragnar Locker was disrupted by law enforcement in 2023.
This Linux encryptor was notably used in a Dark Angels attack on Johnson Controls, during which the ransomware gang encrypted the company’s VMware ESXi servers. In this instance, Dark Angels claimed to have stolen 27 TB of corporate data and demanded a $51 million ransom.
The Dark Angels ransomware team also operates a data leak site called 'Dunghill Leaks,' which it uses to extort victims by threatening to publicly release stolen data if the ransom is not paid.
Zscaler ThreatLabz notes that Dark Angels utilizes a "Big Game Hunting" strategy, focusing on targeting a select few high-value companies with the potential for massive payouts, rather than targeting numerous smaller companies for smaller ransoms.
Blockchain data platform Chainalysis says that the Big Game Hunting tactic has become a dominant trend among ransomware gangs in recent years.
"The Dark Angels group employs a highly targeted approach, typically attacking a single large company at a time," explained Zscaler ThreatLabz researchers.
"This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks of initial access brokers and penetration testing teams."