A new security report released this week revealed a record-breaking $75 million ransom paid by a single victim to the Dark Angels ransomware gang earlier this year. The payment surpasses the previous highest known ransom of $40 million paid by insurance giant CNA to Evil Corp. The specific company involved has not been disclosed at the time of this writing. However, there are speculations that pharmaceutical giant Cencora ranked #10 on the Fortune 50 list, experienced a cyberattack in February 2024, and may have been the victim. Link to the full investigative report.[1] [2]
Since May 2022, Dark Angels has targeted large corporations using an attack strategy called “big game hunting.” This approach focuses on a few high-value targets, aiming for substantial ransom payments rather than numerous smaller ones. After breaching corporate networks, Dark Angels has been observed moving laterally to gain administrative access before making away with sensitive data. Finally, they deploy ransomware, encrypting all devices on the network. Initially, the gange used Windows and VMware ESXi encryptors based on the leaked Babuk ransomware source code but later switched to a Linux encryptor, similar to that used by Ragnar Locker, which was disrupted in 2023.
The group currently operates a data leak site called Dunghill Leaks (nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd[.]onion) and routinely threatens to release stolen data if ransoms are not paid. Unlike most ransomware groups, which outsource attacks to affiliate networks, Dark Angels conducts highly targeted attacks on individual large companies. This method has become a prominent trend among ransomware gangs as financially motivated outfits aim for bigger payoffs using RaaS models, zero days on legacy environments, and the emergence of AI-powered attacks.
This article is shared at no charge and is for educational and informational purposes only.
We want to thank Sentinel Labs for exposing the Dunghill Leak. Additionally, we would like to thank ThreatLabs through Zscaler for the original investigation. Well done. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.zscaler.com/resources/industry-reports/threatlabz-ransomware-report.pdf
[2] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-31-6/
Comments