Fortune 50 Company Pays Record $75M Ransom to Dark Angels

A Fortune 50 company has reportedly paid a record-breaking $75 million ransom to the Dark Angels ransomware gang, according to Zscaler ThreatLabz.

This payment surpasses the previous record of $40 million, paid by insurance giant CNA after an Evil Corp ransomware attack.

The Dark Angels Attack and Its Aftermath

In early 2024, Zscaler ThreatLabz identified a victim who had paid the hefty ransom to Dark Angels, marking the highest publicly known ransom amount to date. This incident, detailed in the 2024 Zscaler Ransomware Report, is expected to draw the attention of other cybercriminals eager to emulate Dark Angels’ success by adopting their key tactics.

Further confirmation of this payment came from crypto intelligence firm Chainalysis, which shared the information in a tweet. Despite the massive payout, Zscaler did not disclose the specific company involved, only noting that it was a Fortune 50 firm.

Pharmaceutical giant Cencora, ranked #10 on the Fortune 50 list, experienced a cyberattack in February 2024. No ransomware group claimed responsibility for this attack, suggesting a ransom may have been paid. BleepingComputer reached out to Cencora for comments regarding a possible ransom payment to Dark Angels but has yet to receive a response.

Dark Angels Group: A Rising Threat

Launched in May 2022, Dark Angels quickly made a name for itself by targeting companies globally. Operating like many human-operated ransomware gangs, Dark Angels breaches corporate networks, moves laterally to gain administrative access, and steals data from compromised servers. This stolen data serves as additional leverage for their ransom demands.

Initially, Dark Angels used Windows and VMware ESXi encryptors based on Babuk ransomware’s leaked source code. Over time, they transitioned to a Linux encryptor, previously used by Ragnar Locker before law enforcement disrupted it in 2023. This encryptor was notably employed in an attack on Johnson Controls, where Dark Angels claimed to have stolen 27 TB of data and demanded $51 million.

Tactics and Operations

Dark Angels distinguishes itself through a strategy known as “Big Game Hunting,” targeting a few high-value companies rather than numerous smaller ones. This approach aims for massive payouts from single, large-scale attacks.

“The Dark Angels group employs a highly targeted approach, typically attacking a single large company at a time,” explain Zscaler ThreatLabz researchers. This contrasts with most ransomware groups that target victims indiscriminately and rely on affiliate networks of initial access brokers and penetration testing teams.

Dark Angels also operates a data leak site named ‘Dunghill Leaks,’ where they threaten to publish stolen data if their ransom demands are not met. This method of extortion increases pressure on the victims to comply.

“Big Game Hunting” a Growing Trend

According to Chainalysis, the Big Game Hunting tactic has become increasingly popular among ransomware gangs in recent years. The record-breaking ransom payment to Dark Angels is likely to reinforce this trend, encouraging other cybercriminals to adopt similar methods in hopes of achieving comparable success.

As ransomware attacks continue to evolve and escalate, the incident involving Dark Angels serves as a stark reminder of the growing threat posed by sophisticated cybercriminal organizations. Companies must remain vigilant, investing in robust cybersecurity measures to protect against such high-stakes attacks.

More from the Report: Top Ransomware Families

Zscaler’s report also highlights the most active ransomware groups over the past year, with LockBit leading at 22.1% of attacks, followed by BlackCat (9.2%) and 8Base (7.9%).




New ransomware groups have also emerged, including RAworld, Abyss, Dark Angels, and RansomHub, with each starting to publish data on leak sites as part of their extortion tactics. Figure 9 provides a timeline of these new groups’ activities.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
