Record-Breaking: $75 million Ransom Paid To Dark Angels Gang
By Winder Senior
Cybercriminals gravitate towards ransomware attacks for one simple reason: money. According to ransomware statistics compiled by Varonis, the largest ransom payout was in 2021 when insurance giant CNA Financial reportedly paid an astonishing $40 million. However, the latest Zscaler ThreatLabz ransomware report suggests that this deplorable record has now been broken. Coming in at nearly twice as much, the Zscaler researchers said they found evidence of a $75 million ransom paid by an undisclosed victim earlier this year. Say hello to the Dark Angels.
Key Findings Of The Zscaler ThreatLabz Ransomware Report
The Zscaler ThreatLabz researchers stated they had tracked an increase in ransomware attacks of 18% year-on-year, with healthcare, manufacturing and technology being the hardest hit by the cybercrime gangs. Manufacturing saw more than twice as many attacks as the other two industry groups put together.
When it comes to geographical targeting, the U.S. attracts almost half of all ransomware attacks, with the U.K. right behind. Year-on-year, the U.S. has seen an astonishing 93% rise in the number of ransomware attacks, the researchers said.
A total of 391 ransomware gangs have been tracked by Zscaler over the years, with 19 new ones identified between April 2023 and April 2024. Although it’s unlikely you will have heard of them, not least because they tend to fly under the radar when it comes to media attention, the Dark Angels were not one of them. In fact, the ransomware group doesn’t make the top ten list of the most active groups in the report. Despite law enforcement disruption, LockBit sits firmly at the top with more than twice as many attacks revealed on malicious leak sites as BlackCat (ALPHV) in second place. 8Base, Play and Clop follow behind.
Who Are The Dark Angels?
The Dark Angels cybercrime group has been flagged as the number one ransomware actor to watch across the coming 12 months due to the significant risk it poses to businesses. The gang, which operates an associated data leak site appropriately called Dunghill, first appeared on the radar in May 2022. Threat intelligence specialists Cyble reported at the time that Dark Angels was a rebranding of the Babuk ransomware family. However, it was in the following year that the group launched what has become the most-reported attack in its short history. “In September 2023, automation and manufacturing company Johnson Controls was targeted in a ransomware attack where threat actors used Dark Angels ransomware to lock the company’s VMware ESXi servers,” cybersecurity vendor SentinelOne said. The Zscaler ThreatLabz researchers said that a $51 million ransom demand was made after the alleged theft of 27 terabytes of corporate data, although it has not been confirmed whether any of it was paid.
One of the reasons that the Dark Angels gang has stayed out of the headlines relative to other ransomware groups is that it employs a highly targeted approach meaning the number of victims is few, but very carefully selected. “This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate-networks of initial access brokers and penetration testing teams,” the report concludes. Not all victims have their files encrypted, but all have data stolen. Lots of data. The Zscaler ThreatLabz researchers suggest that this is typically in the range of 10-100 terabytes for large businesses, an amount which can “take days to weeks to transfer.”
The Dark Angels Effect
Zscaler warned that the Dark Angels strategy of targeting a small number of high-value organizations is a trend that needs to be monitored closely. Given the apparent success in gaining that $75 million payday, you can be sure other criminals will be watching and wanting a slice of that action. “Ransomware defense remains a top priority for CISOs in 2024,” Deepen Desai, chief security officer at Zscaler, said, “The increasing use of ransomware-as-a-service models, along with numerous zero-day attacks on legacy systems, a rise in vishing attacks and the emergence of AI-powered attacks, has led to record breaking ransom payments.”
“Attackers will often research a target’s accounts to set the ransom at a figure it can afford,” Ryan McConechy, chief technology officer of Barrier Networks, said, “which is also slightly lower than the cost of operational downtime and rebuilding systems from scratch.” This is likely why the unnamed company agreed to pay such a high ransom. “But losing such a lot of money will undoubtedly have had a toll on the organization,” McConechy concludes, “it doesn’t matter how big you are, $75 million is a massive hit, and no one can say if this enabled them to get back online fully.”
Ransomware Awareness Month
“With July being Ransomware Awareness Month,” Sam Woodcock, senior director of cloud strategy and enablement at 11:11 Systems said, “companies must be as prepared as ever to protect vital data assets.” Woodcock isn’t wrong when saying that prevention is key, nor that protecting against ransomware requires a multi-layered, holistic approach encompassing people, processes, and technology. However, I’m no fan of these awareness days and months which strike me as gimmicky rather than constructive. Every month, every day, organizations should be aware of the ransomware threat just as they should every other threat to their data. 2024 and every year should be security awareness year, truth be told. Ransomware wouldn’t be a thing were it not for the lapses in security that allow initial access to systems and services. Focusing on ensuring the fewest opportunities for attackers to strike is where awareness needs to be.
Take the newly identified vulnerability, which Microsoft warned is already being “exploited by several ransomware operators,” that enables attackers to gain full administrative access to ESXi hypervisors without proper validation, and as such is a critical threat to virtual machines. Microsoft researchers said that the vulnerability has been used by Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in “numerous attacks,” with ransomware such as Akira and Black Basta deployed in “several cases.” The mitigations are, Balazs Greksza, threat response lead at Ontinue said, “a mere observation of a by default insecure configuration that has been around a long time, which has been documented previously. Now that threat actors have started to pick up on the fact that many organizations missed this detail, they are taking the easy privilege escalation route.” A successful breach of a VMware instance can, Patrick Tiquet, vice president of security and architecture at Keeper Security said, “not only interrupt services and lead to financial losses.