Dark Angels

A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz.

“In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount — an achievement that’s bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below),” reads the 2024 Zscaler Ransomware Report.

This record-breaking payment was further confirmed by crypto intelligence company Chainalysis, who tweeted about it on X.

Chainalysis tweet

The largest known ransom payment was previously $40 million, which insurance giant CNA paid after suffering an Evil Corp ransomware attack.

While Zscaler did not share what company paid the $75 million ransom, they mentioned the company was in the Fortune 50 and the attack occurred in early 2024.

One Fortune 50 company that suffered a cyberattack in February 2024 is pharmaceutical giant Cencora, ranked #10 on the list. No ransomware gang ever claimed responsibility for the attack, potentially indicating that a ransom was paid.

BleepingComputer contacted Cencora to ask if they paid the ransom to Dark Angels but has not heard back yet.

Who is Dark Angels

Dark Angels is a ransomware operation launched in May 2022, when it began targeting companies worldwide.

Like most human-operated ransomware gangs, Dark Angels operators breach corporate networks and move laterally until they eventually gain administrative access. During this time, they also steal data from compromised servers, which is later used as additional leverage when making ransom demands.

When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network.

When the threat actors launched their operation, they used Windows and VMware ESXi encryptors based on the leaked source code for the Babuk ransomware.

However, over time, they switched to a Linux encryptor, the same one Ragnar Locker had used since 2021. Ragnar Locker was disrupted by law enforcement in 2023.

This Linux encryptor was used in a Dark Angels attack on Johnson Controls to encrypt the company’s VMware ESXi servers.

In this attack, Dark Angels claimed to have stolen 27 TB of corporate data and demanded a $51 million ransom payment.

Dark Angels ransom note
Source: BleepingComputer

The threat actors also operate a data leak site named ‘Dunghill Leaks’ that is used to extort its victims, threatening to leak data if a ransom is not paid.

Dark Angels’ ‘Dunghill Leaks’ data leak site
Source: BleepingComputer

Zscaler ThreatLabz says that Dark Angels uses the “Big Game Hunting” strategy: targeting only a few high-value companies in the hope of massive payouts, rather than attacking many companies at once for numerous but smaller ransom payments.

“The Dark Angels group employs a highly targeted approach, typically attacking a single large company at a time,” explain the Zscaler ThreatLabz researchers.

“This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks of initial access brokers and penetration testing teams.”

According to Chainalysis, the Big Game Hunting tactic has become a dominant trend among numerous ransomware gangs over the past few years.

Source: www.bleepingcomputer.com