A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn’t just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.
Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.
But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.
Meet the Dark Angels
Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been defeating fewer but higher-value targets than its ransomware brethren. Past victims have included multiple S&P 500 companies spread across varied industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.
For example, there was its headline-grabbing attack on the megalith Johnson Controls International (JCI) last year. It breached the company’s VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes worth of data. The ransom demand: $51 million. It’s unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it’s likely that the company did not cave.
$27 million would have been the second-largest ransom payment in recorded history at the time (after the reported CNA payment). But there’s evidence to suggest that this wasn’t just some outlandish negotiating tactic — that Dark Angels has good reason to think it can pull off that kind of haul.
Dark Angels Does Ransomware Differently
Forget everything you know about ransomware, and you’ll start to understand Dark Angels.
Against the grain, the group does not operate a ransomware-as-a-service business. Nor does it have its own malware strain — it prefers to borrow encryptors like Ragnar Locker and Babuk.
Its success instead comes down to three primary factors. First: the extra care it can take by attacking fewer, higher-yielding targets.
Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler explains, “If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data.”
In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn’t flashy. It doesn’t make grand pronouncements about its latest victims. Besides the obvious operational security benefits to stealth (it’s largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.
For example, the group often avoids encrypting victims’ data, with the express purpose of allowing them to continue to operate without disruption. This seems to defy common wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?
“You would think that, but the results say otherwise,” Stone-Gross suggests.
Dark Angels makes paying one’s ransom easy and quiet — an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: Without the steep bills associated with downtime, companies have more money to pay Dark Angels.
Can Dark Angels’ Wings Be Clipped?
In its report, Zscaler predicted “that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains.”
If that should come to pass, companies will face much steeper, yet more compelling ransom demands. Luckily, Dark Angels’ approach has an Achilles’ heel.
“If it’s a terabyte of data, [a hacker] can probably complete that transfer in several days. But when you’re talking terabytes — you know, tens of terabytes of data — now you’re talking weeks,” Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it’s too late.