Fortune 50 Co. Pays Record-Breaking $75M Ransomware Demand

A Fortune 50 company paid $75 million to its cyberattackers earlier this year, far exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn't just effective: in some ways, the gang turns much of what we thought we knew about ransomware on its head.

Sure, there have been other large sums forked over in the past. In 2021, Illinois-based CNA Financial was reported to have paid a then-unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat producer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Entertainment last year paid $15 million to make its ransomware disruption problems go away.

But those figures pale in comparison with the $75 million in Bitcoin-equivalent paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.

Meet the Dark Angels

Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been hitting fewer but higher-value targets than its ransomware brethren. Past victims have included several S&P 500 companies spread across a range of industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.

For example, there was its headline-grabbing attack on the giant Johnson Controls International (JCI) last year. It breached the company's VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes' worth of data. The ransom demand: $51 million. It's unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it's likely that the company didn't cave.

A $51 million payout would have exceeded even the reported $40 million CNA payment, making it the largest ransom in recorded history at the time. But there's evidence to suggest that this wasn't just some outlandish negotiating tactic, and that Dark Angels has good reason to think it can pull off that kind of haul.

Dark Angels Does Ransomware Differently

Forget everything you know about ransomware, and you'll start to understand Dark Angels.

Against the grain, the group doesn't operate a ransomware-as-a-service business. Nor does it have its own malware strain; it prefers to borrow encryptors like Ragnar Locker and Babuk.

Its success instead comes down to three main factors. First: the extra care it can take by attacking fewer, higher-yielding targets.

Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler, explains, "If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data."

In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn't flashy. It doesn't make grand pronouncements about its latest victims. Besides the obvious operational security benefits of stealth (it has largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.

For example, the group often avoids encrypting victims' data, with the explicit purpose of allowing them to continue to operate without disruption. This seems to defy common wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?

"You'd think that, but the results say otherwise," Stone-Gross suggests.

Dark Angels makes paying one's ransom easy and quiet, an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: without the steep bills associated with downtime, companies have more money to pay Dark Angels.

Can Dark Angels' Wings Be Clipped?

In its report, Zscaler predicted "that other ransomware groups will take note of Dark Angels' success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains."

If that should come to pass, companies will face much steeper, yet more compelling, ransom demands. Fortunately, Dark Angels' approach has an Achilles' heel.

"If it's a terabyte of data, [a hacker] can probably complete that transfer in a few days. But when you're talking terabytes — tens of terabytes of data — now you're talking weeks," Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it's too late.
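The detection opportunity Stone-Gross describes, a transfer of tens of terabytes that has to run for days or weeks, is fundamentally an egress-volume problem. The following is an added example written for this page (not code from Zscaler, Dark Angels' victims, or the article's author) of how a defender might baseline per-host outbound volume from flow records and flag a sustained multi-terabyte spike to an external destination. The flow records are constructed, the internal address ranges are assumed to be the organization's private space, and the baseline window, ratio, floor and sustained-days values are illustrative assumptions rather than published thresholds.

```python
"""
Egress-volume detection for slow, large-scale data exfiltration.

Added example for this page; not a Zscaler tool or any victim's detection
logic. Flow records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space; anything else counts as an external destination.
# RFC 5737 documentation addresses stand in for external hosts in the sample data.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow records: (timestamp, src_ip, dst_ip, bytes_out).
# 10.0.5.20 pushes ~2 TB/day to one external host for three nights, mirroring the
# multi-terabyte, multi-day transfers described above. 10.0.7.3 is ordinary traffic,
# and 10.0.9.9 has a one-off spike that should not, on its own, trigger an alert.
SAMPLE_FLOWS = [
    ("2024-06-01T09:00:00", "10.0.5.20", "203.0.113.10", 20_000_000_000),        # 20 GB
    ("2024-06-02T09:00:00", "10.0.5.20", "203.0.113.10", 18_000_000_000),
    ("2024-06-03T09:00:00", "10.0.5.20", "203.0.113.10", 22_000_000_000),
    ("2024-06-04T02:00:00", "10.0.5.20", "198.51.100.7", 2_000_000_000_000),     # 2 TB
    ("2024-06-05T02:00:00", "10.0.5.20", "198.51.100.7", 2_100_000_000_000),
    ("2024-06-06T02:00:00", "10.0.5.20", "198.51.100.7", 1_900_000_000_000),
    ("2024-06-01T10:00:00", "10.0.7.3", "10.0.1.1", 500_000_000_000),            # internal, ignored
    ("2024-06-04T10:00:00", "10.0.7.3", "203.0.113.50", 5_000_000_000),
    ("2024-06-05T10:00:00", "10.0.7.3", "203.0.113.50", 6_000_000_000),
    ("2024-06-06T10:00:00", "10.0.7.3", "203.0.113.50", 5_500_000_000),
    ("2024-06-01T11:00:00", "10.0.9.9", "203.0.113.80", 3_000_000_000),
    ("2024-06-02T11:00:00", "10.0.9.9", "203.0.113.80", 3_000_000_000),
    ("2024-06-03T11:00:00", "10.0.9.9", "203.0.113.80", 900_000_000_000),       # one-day spike
    ("2024-06-04T11:00:00", "10.0.9.9", "203.0.113.80", 3_000_000_000),
]

BASELINE_DAYS = 3               # days of normal history used as the per-host baseline
RATIO_THRESHOLD = 10.0          # flag a day above 10x the host's baseline ...
ABSOLUTE_FLOOR = 500 * 10**9    # ... and above 500 GB, so low-volume hosts don't cause noise
SUSTAINED_DAYS = 2              # bulk exfil runs for days or weeks, so require persistence


def is_external(ip: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum outbound bytes per (source host, calendar day), external destinations only."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src][datetime.fromisoformat(ts).date()] += nbytes
    return totals


def find_exfil_candidates(flows):
    """Return {host: [(day, bytes, baseline_bytes), ...]} for sustained egress spikes.

    The baseline is the median of the last BASELINE_DAYS days judged normal. Days
    that trip the thresholds are kept out of the baseline, so a multi-day transfer
    cannot become the "new normal" and silence itself after the first day. A host
    is reported only when SUSTAINED_DAYS consecutive days are anomalous.
    """
    alerts = {}
    for host, per_day in daily_egress(flows).items():
        anomalous, clean_history = [], []
        for day in sorted(per_day):
            today = per_day[day]
            if clean_history:
                baseline = median(clean_history[-BASELINE_DAYS:])
                if today > RATIO_THRESHOLD * baseline and today > ABSOLUTE_FLOOR:
                    anomalous.append((day, today, baseline))
                    continue
            clean_history.append(today)
        # Longest run of consecutive anomalous calendar days.
        run = best = 0
        prev = None
        for day, _, _ in anomalous:
            run = run + 1 if prev is not None and (day - prev).days == 1 else 1
            best, prev = max(best, run), day
        if best >= SUSTAINED_DAYS:
            alerts[host] = anomalous
    return alerts


if __name__ == "__main__":
    for host, hits in find_exfil_candidates(SAMPLE_FLOWS).items():
        total_tb = sum(b for _, b, _ in hits) / 10**12
        print(f"{host}: {len(hits)} anomalous day(s), {total_tb:.1f} TB to external hosts")
        for day, nbytes, base in hits:
            print(f"  {day}: {nbytes / 10**9:.0f} GB (baseline {base / 10**9:.0f} GB/day)")
```

Run against the constructed flows, only 10.0.5.20 is reported, with all three 2 TB nights flagged against its 20 GB/day baseline; the single 900 GB day on 10.0.9.9 trips the thresholds but not the persistence requirement. Two practical caveats: an attacker who stages data through a sanctioned cloud service or throttles well below the ratio threshold will not show up here, so pair volume baselining with destination reputation and per-destination (not just per-host) aggregation; and the baseline-exclusion rule is deliberate, because a naive rolling median would absorb the first night's exfiltration and stop alerting on the nights that follow.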
