In a chilling demonstration of the escalating stakes in cyber crime, the Dark Angels eCrime group has allegedly received a record-breaking US$75 million ransom payment from a Fortune 50 company. This payment, apparently verified by Zscaler ThreatLabz and Chainalysis, surpasses the previous high of US$40 million paid by CNA after an attack by INDRIK SPIDER, aka Evil Corp.
Dark Angels is a ransomware operation launched in May 2022 when it began targeting companies worldwide.
Like most human-operated ransomware gangs, Dark Angels operators breach corporate networks and move laterally until they eventually gain administrative access. During this time, they also steal data from compromised servers, which is later used as additional leverage when making ransom demands.
When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network.
When the threat actors launched their operation, they used Windows and VMware ESXi encryptors based on the leaked source code for the Babuk ransomware.
The Dark Angels, operating since May 2022, have honed their tactics to target high-value companies, executing sophisticated attacks that breach corporate networks, exfiltrate sensitive data, and deploy ransomware across all devices. Their methodical approach includes using a Linux encryptor similar to that used by Ragnar Locker, which was disrupted by law enforcement in 2023.
In this case, the victimized company, still unnamed but speculated to be pharmaceutical giant Cencora, ranked #10 in the Fortune 50, succumbed to the ransom demands after a February 2024 attack. This incident underscores the severe vulnerabilities that even the most well-financed corporations face against determined eCrime adversaries.
Dark Angels, like most sophisticated eCrime threat actors, engages in "Big Game Hunting," whereby they target a limited number of high-value companies to maximize payouts rather than spreading attacks across numerous smaller entities. This approach has become the gold standard for larger, more capable groups over the last six years because it generally yields substantial financial rewards.
Like most eCrime adversaries, Dark Angels also runs a dark web-based dedicated leak site (DLS) named 'Dunghill Leaks,' where they threaten to publish stolen data if ransoms are not paid. This has been a standard tactic since TWISTED SPIDER, of Maze ransomware fame, introduced it in late 2019.
This unprecedented ransom payment serves as a stark reminder of the escalating threat posed by sophisticated eCrime threat actors. It calls for a concerted effort from global organizations to strengthen cyber defenses, improve response strategies, and invest in Cyber Threat Intelligence (CTI) so organizations can proactively implement stout cyber defense strategies.
In the wake of this attack, the critical role of CTI has never been clearer. CTI is not just a tool but a strategic necessity for modern enterprises. By providing actionable insights into threat actors' tactics, techniques, and procedures, CTI enables organizations to anticipate attacks, bolster defenses, and respond effectively to breaches. In an era where cyber threats are sophisticated and relentless, leveraging CTI is essential to safeguarding digital assets and maintaining operational resilience against adversaries like Dark Angels.