Fortune 50 Company Pays Record-Breaking $75 Million Ransom to Dark Angels

In an unprecedented move, a Fortune 50 company recently paid a staggering $75 million ransom to the cybercriminal group Dark Angels. This payment, made earlier this year, surpasses all previously confirmed ransom payments in history. The company, which remains anonymous, opted to settle the ransom demand rather than face prolonged disruption and data loss. This extraordinary payout was first documented in Zscaler's 2024 annual ransomware report and later corroborated by Chainalysis.

Previous High-Profile Ransom Payments

While hefty ransom payments are not new, this $75 million sum dwarfs previous high-profile cases. In 2021, CNA Financial reportedly paid $40 million, though the company never confirmed this figure. That same year, meat processing giant JBS paid $11 million to end a ransomware attack, and Caesars Palace settled a $15 million ransom to resolve their issues. These amounts, while significant, pale in comparison to the recent Dark Angels payout.

The Rise of Dark Angels

Dark Angels emerged on the scene in May 2022 and quickly made a name for itself by targeting fewer but more lucrative victims compared to other ransomware groups. The group has attacked several S&P 500 companies across various sectors, including healthcare, government, finance, education, manufacturing, and telecommunications.

One notable attack last year targeted Johnson Controls International (JCI), where Dark Angels breached the company's VMware ESXi hypervisors, froze them with Ragnar Locker, and exfiltrated 27 terabytes of data. The ransom demand in that instance was $51 million. While it remains unclear if JCI paid the ransom, the company's $27 million cleanup effort suggests a significant financial impact.

A Unique Approach to Ransomware

Dark Angels distinguishes itself from other ransomware groups by not operating a ransomware-as-a-service business model and not developing its own malware strains. Instead, it utilizes existing encryptors like Ragnar Locker and Babuk. The group's success is attributed to three main factors: targeting high-value victims, exfiltrating large amounts of sensitive data, and maintaining a low profile.

Brett Stone-Gross, senior director of threat intelligence at Zscaler, explained, "If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data."

Dark Angels' strategy also includes avoiding encrypting data, allowing victims to continue operations without disruption. This approach reduces downtime costs for victims, making them more likely to pay the ransom quietly and quickly.

Implications for the Future

Zscaler's report predicts that other ransomware groups may adopt Dark Angels' tactics, focusing on high-value targets and significant data theft to maximize financial gains. This shift could lead to more substantial and more frequent ransom demands.

However, Dark Angels' method has a vulnerability. Stone-Gross noted, "If it's a terabyte of data, [a hacker] can probably complete that transfer in several days. But when you're talking terabytes — you know, tens of terabytes of data — now you're talking weeks." This prolonged data transfer period provides an opportunity for companies to detect and thwart the ransomware attack before the data exfiltration is complete.
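The detection window described above can be turned into a simple rule over daily egress summaries. The following is an added example, not taken from Zscaler's report; the record layout, host names, documentation-range IP addresses and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

TB = 10**12  # decimal terabyte, in bytes

def sustained_egress(records, window_days=7, min_total=TB, min_active_days=5):
    """Flag internal hosts that keep pushing data to one external destination.

    records: iterable of (day, src_host, dst, bytes_out) daily flow summaries
    (assumed layout). Returns the first alert per (src, dst) pair as
    (src, dst, window_end, total_bytes).
    """
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in records:
        daily[(src, dst)][day] += nbytes

    alerts = []
    for (src, dst), by_day in sorted(daily.items()):
        for end in sorted(by_day):
            window = [end - timedelta(days=i) for i in range(window_days)]
            total = sum(by_day.get(d, 0) for d in window)
            active = sum(1 for d in window if by_day.get(d, 0) > 0)
            # Both conditions: large cumulative volume AND spread over many
            # days. A one-day burst is left to a separate per-day volume rule.
            if total >= min_total and active >= min_active_days:
                alerts.append((src, dst, end, total))
                break  # alert once, at the earliest point the rule fires
    return alerts

# Constructed sample data: ten days of daily summaries.
start = date(2024, 3, 1)
SAMPLE = []
for i in range(10):
    d = start + timedelta(days=i)
    SAMPLE.append((d, "fs01", "203.0.113.10", 300 * 10**9))   # slow, steady
    SAMPLE.append((d, "web02", "198.51.100.20", 2 * 10**9))   # normal traffic
# Single large transfer on one day (e.g. an off-site backup).
SAMPLE.append((start + timedelta(days=3), "ws17", "198.51.100.7", 1500 * 10**9))

if __name__ == "__main__":
    for src, dst, end, total in sustained_egress(SAMPLE):
        print(f"{end} {src} -> {dst}: {total / TB:.1f} TB in trailing window")
```

With the constructed data, the rule fires for the steady 300 GB/day host on its fifth day, after 1.5 TB has left, well before a multi-week transfer of tens of terabytes would finish.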

As ransomware attacks continue to evolve, companies must remain vigilant and proactive in their cybersecurity measures. The record-breaking ransom paid to Dark Angels underscores the importance of robust defenses and rapid response strategies to mitigate the impact of such attacks.
