A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit known as Dark Angels. And Dark Angels isn't just effective: in some ways, the gang turns much of what we thought we knew about ransomware on its head.
Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in an effort to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat producer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.
But those figures pale in comparison with the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.
Meet the Dark Angels
Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been hitting fewer but higher-value targets than its ransomware brethren. Past victims have included a number of S&P 500 companies spread across varied industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.
For example, there was its headline-grabbing attack on the megalith Johnson Controls International (JCI) last year. It breached the company's VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes' worth of data. The ransom demand: $51 million. It's unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it's likely that the company didn't cave.
$27 million would have been the second-largest ransom payment in recorded history at the time (after the reported CNA payment). But there's evidence to suggest that this wasn't just some outlandish negotiating tactic, and that Dark Angels has good reason to think it can pull off that kind of haul.
Dark Angels Does Ransomware Differently
Forget everything you know about ransomware, and you can start to understand Dark Angels.
Against the grain, the group doesn't operate a ransomware-as-a-service business. Nor does it have its own malware strain; it prefers to borrow encryptors like Ragnar Locker and Babuk.
Its success instead comes down to three primary factors. First: the extra care it can take by attacking fewer, higher-yielding targets.
Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler, explains, “If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data.”
In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn't flashy. It doesn't make grand pronouncements about its latest victims. Besides the obvious operational security benefits of stealth (it has largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.
For example, the group often avoids encrypting victims' files, with the express purpose of allowing them to continue to operate without disruption. This seems to defy conventional wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?
“You would think that, but the results say otherwise,” Stone-Gross suggests.
Dark Angels makes paying one's ransom easy and quiet, an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: Without the steep bills associated with downtime, companies have more money to pay Dark Angels.
Can Dark Angels' Wings Be Clipped?
In its report, Zscaler predicted “that other ransomware groups will take note of Dark Angels' success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains.”
If that should come to pass, companies will face much steeper, yet more compelling ransom demands. Fortunately, Dark Angels' approach has an Achilles' heel.
“If it's a terabyte of data, [a hacker] can probably complete that transfer in a few days. But when you're talking terabytes — you know, tens of terabytes of data — now you're talking weeks,” Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it's too late.
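The detection opportunity Stone-Gross describes, a multi-week, multi-terabyte transfer, is one that plain egress volume accounting can surface. The example below is added here and is not from the article or from Zscaler; it runs two complementary rules over constructed flow-log records (hosts, addresses and byte counts are made up): a sustained rule that flags hosts exceeding a daily egress threshold on consecutive days, and a cumulative rule that catches a single large burst the daily rule would miss.

```python
from collections import defaultdict
from datetime import date

# Constructed sample flow records: (day, source host, destination IP, bytes out).
# Documentation-range IPs; none of these values come from the article.
SAMPLE_FLOWS = [
    ("2024-05-01", "fileserver-01", "203.0.113.10", 900 * 10**9),
    ("2024-05-02", "fileserver-01", "203.0.113.10", 1100 * 10**9),
    ("2024-05-03", "fileserver-01", "203.0.113.10", 950 * 10**9),
    ("2024-05-01", "workstation-07", "198.51.100.5", 2 * 10**9),
    ("2024-05-02", "workstation-07", "198.51.100.5", 3 * 10**9),
    ("2024-05-03", "workstation-07", "198.51.100.5", 1 * 10**9),
    ("2024-05-01", "backup-02", "203.0.113.44", 4000 * 10**9),  # one-day burst
]

def daily_egress(flows):
    """Sum outbound bytes per host per calendar day -> {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def sustained_egress_hosts(flows, daily_threshold_bytes, min_consecutive_days):
    """Flag hosts whose egress exceeded the daily threshold on at least
    min_consecutive_days consecutive days (the slow, multi-day transfer case)."""
    flagged = {}
    for host, per_day in daily_egress(flows).items():
        hot_days = sorted(date.fromisoformat(d) for d, b in per_day.items()
                          if b > daily_threshold_bytes)
        run, best, best_start = 0, 0, None
        for i, d in enumerate(hot_days):
            run = run + 1 if i > 0 and (d - hot_days[i - 1]).days == 1 else 1
            if run > best:
                best, best_start = run, hot_days[i - run + 1]
        if best >= min_consecutive_days:
            flagged[host] = {"days": best, "start": best_start.isoformat(),
                             "total_bytes": sum(per_day.values())}
    return flagged

def cumulative_egress_hosts(flows, total_threshold_bytes):
    """Flag hosts whose total egress over the whole window exceeds the threshold,
    which catches a single-day burst the sustained rule ignores."""
    return {host: sum(per_day.values())
            for host, per_day in daily_egress(flows).items()
            if sum(per_day.values()) > total_threshold_bytes}
```

Thresholds should be set per host role from an observed baseline; a file server legitimately moving a terabyte a day to an offsite replica will need a higher bar than a workstation.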