Cybercriminals are increasingly moving toward larger victims. Such is the case with Dark Angels, the ransomware group that extracted the largest ransom payment ever from a victim by a huge margin: $75 million.
Dark Angels emerged in May 2022, but remained under the radar for a long time despite carrying out large attacks. The reason for it is pretty straightforward: a ransomware organization such as LockBit creates a lot of victims for relatively low amounts of money, meaning it gets lots of publicity due to its spread but fewer major payouts. Dark Angels, on the other hand, opts for “Big Game Hunting”, targeting a single organization for a longer period of time.
That strategy is proving successful. Blockchain analytics firm Chainalysis has confirmed that the largest ransomware payment on record did in fact take place: $75 million, equivalent to nearly 70 million euros, was transferred to Dark Angels in cryptocurrency for this single intrusion. That is nearly double the previous record of $40 million paid by CNA Financial to Phoenix Locker in 2021.
The victim is unknown, but it is said to be a Fortune 50 company; BleepingComputer suggests it may be Cencora. This pharmaceutical company suffered a cyberattack in February of this year that went unclaimed. At the time, Cencora admitted to suffering a loss of data. It was already the second time in a short period that the pharmaceutical giant had been targeted by cybercriminals, as it was also hit in February 2023.
Weeks of preparation
By April, researchers at Zscaler Threat Labz had the Dark Angels group well and truly in their sights. According to them, it’s the number one ransomware family to watch for. The collective is partly a resurrection of the groups behind Babuk and Ragnar Locker. A variant of the former, among others, was taken down in January, while Ragnar Locker lost control of its own leak sites at the hands of authorities back in October 2023.
Dark Angels, however, has remained out of harm’s way for the time being. It regularly steals terabytes of data, sometimes as much as 100 TB when hitting large companies. Exfiltrating that volume of data alone takes days to weeks, and only once the exfiltration is complete does the group encrypt the affected organization’s systems. It also runs the Dunghull leak site on the dark web. The Dutch company Nexperia also ended up on this site after being hit by Dark Angels.
The group does not shy away from demanding huge ransom amounts. It previously sought $51 million from Johnson Controls, manufacturer of industrial tools. That company seems not to have acceded to this demand in September 2023, but the incident did cost it about $27 million in one quarter. There is a chance that the total damages will be similar to the amount claimed.
Pull effect
Negotiating with ransomware criminals is a highly questionable practice. While it is (still) legal, governments worldwide strongly discourage it. A “successful” transaction yields the return of stolen data and a promise that the data has been deleted from the cybercriminals’ servers. Neither can be guaranteed: WannaCry, for example, was known to do nothing in return when victims paid.
These days, cybercriminals rely on a certain reputation when extorting money. A proven track record showing that a group delivers on its questionable promises is essential. For Dark Angels, that seems to be the case.
The successful attack may well draw in other malicious actors. The trend of “Big Game Hunting,” or hitting large organizations, has been going on since early 2022, coinciding with the rise of Dark Angels. In addition, healthcare has only become a more popular target, according to Zscaler Threat Labz: sensitive data, high compliance requirements, backlogged IT infrastructure and a typically large workforce make both the attack surface and the potential value enormous. However, the manufacturing industry still suffers by far the biggest impact from ransomware, according to Zscaler.