CyberSecurity SEE

Fortune 50 Company Pays Record-Breaking $75M Ransomware Demand

A Fortune 50 company paid a $75 million ransom to cyberattackers earlier this year, setting a new record for the largest confirmed ransom payment in history. The recipient of the payout is a group known as Dark Angels. The sum far surpasses previously reported ransom payments, such as the reported $40 million that Illinois-based CNA Financial paid in 2021 or the $11 million that meat manufacturer JBS admitted to paying later that same year. Even the $15 million paid by Caesars Palace last year pales in comparison to the $75 million paid by the undisclosed Fortune 50 company, as revealed in Zscaler’s 2024 annual ransomware report and corroborated by Chainalysis.

Dark Angels emerged in May 2022, distinguished by its focus on fewer but higher-value victims than other ransomware groups. The group has infiltrated numerous prominent companies across sectors including healthcare, government, finance, education, manufacturing, and telecommunications. One notable attack hit Johnson Controls International (JCI), where Dark Angels breached the company’s VMware ESXi hypervisors, encrypted them with Ragnar Locker, and stole a reported 27 terabytes of data. The ransom demand was $51 million. It remains unclear how Johnson Controls responded; the cleanup reportedly cost the company over $27 million.

What sets Dark Angels apart is its unconventional approach to ransomware operations. Unlike many other groups, Dark Angels does not run a ransomware-as-a-service business or develop its own malware strains. Instead, the group relies on borrowing encryptors like Ragnar Locker and Babuk. Dark Angels’ success can be attributed to three primary factors: targeting high-value victims, exfiltrating large amounts of sensitive data, and maintaining a low profile to maximize returns on investment.

While most ransomware groups focus on encrypting victims’ data to induce payment through threats of downtime and media exposure, Dark Angels takes a different approach. The group often refrains from encrypting data, allowing victims to continue operations without disruption. This strategy not only streamlines the ransom payment process but also minimizes the financial impact on affected companies. By avoiding costly downtime, organizations have more resources available to meet Dark Angels’ demands.

Despite Dark Angels’ success, its modus operandi has weaknesses that defenders can exploit. Zscaler’s report suggests that other ransomware groups may emulate Dark Angels’ tactics, targeting high-value victims and prioritizing data theft for financial gain. However, Dark Angels’ Achilles’ heel is the time it takes to exfiltrate large volumes of data, which gives targeted companies a window of opportunity to detect and thwart the operation.
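The detection window described above can be made concrete. The following Python example is an addition to this article, not code from Zscaler's report: it flags a host whose outbound volume to one external address accumulates past a threshold over a multi-day sliding window, even when no single transfer is large. The flow record layout, host names, addresses, the 10.0.0.0/8 internal range, the 48-hour window, the 200 GB threshold and the 1 Gbit/s link rate are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the organisation's ranges
START = datetime(2024, 3, 1, 1, 0)
# Constructed flow records: (time, internal source, destination IP, bytes sent out).
SAMPLE_FLOWS = (
    # 40 GB every 6 hours to one external address: no single transfer stands out.
    [(START + timedelta(hours=6 * i), "fileserver-01", "203.0.113.50", 40 * 10**9)
     for i in range(12)]
    + [(START + timedelta(hours=2), "workstation-17", "198.51.100.9", 3 * 10**9),  # one-off upload
       (START + timedelta(hours=5), "backup-02", "10.20.0.5", 900 * 10**9)]  # internal backup job
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def transfer_hours(total_bytes, bits_per_second):
    """Hours needed to move total_bytes over a link running flat out at bits_per_second."""
    return total_bytes * 8 / bits_per_second / 3600

def find_sustained_egress(flows, window=timedelta(hours=48), threshold=200 * 10**9):
    """Alert once per (source, destination) when outbound bytes inside a sliding
    window reach the threshold. Window and threshold defaults are assumptions."""
    recent = defaultdict(deque)  # (src, dst) -> (time, bytes) records still inside the window
    totals = defaultdict(int)    # (src, dst) -> bytes currently inside the window
    first_seen, alerts = {}, {}
    for ts, src, dst, nbytes in sorted(flows):
        if is_internal(dst):
            continue  # east-west traffic such as backups is out of scope here
        key = (src, dst)
        first_seen.setdefault(key, ts)
        recent[key].append((ts, nbytes))
        totals[key] += nbytes
        while recent[key][0][0] <= ts - window:  # expire records older than the window
            totals[key] -= recent[key].popleft()[1]
        if totals[key] >= threshold and key not in alerts:
            alerts[key] = {
                "src": src, "dst": dst, "alert_at": ts,
                "hours_since_first_flow": (ts - first_seen[key]).total_seconds() / 3600,
                "bytes_in_window": totals[key],
            }
    return list(alerts.values())

if __name__ == "__main__":
    print(find_sustained_egress(SAMPLE_FLOWS))
    print(transfer_hours(27 * 10**12, 10**9), "hours for 27 TB at an assumed 1 Gbit/s")
```

On the constructed data the file server is flagged 24 hours after its first transfer, while a 12-hour window with the same threshold never fires, which is why the window has to be sized to the slow pace of bulk exfiltration.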

As the ransomware landscape continues to evolve, companies must remain vigilant and proactive in implementing robust cybersecurity measures to mitigate the risk of falling victim to sophisticated threat actors like Dark Angels. With the potential for ransom demands to escalate in both value and complexity, organizations must prioritize cybersecurity readiness to safeguard their data and operations against evolving cyber threats.
