Record-breaking $75M ransom paid to Dark Angels gang


An undisclosed victim has paid $75 million to the Dark Angels ransomware group, nearly double the previous highest publicly known ransomware payout.

Zscaler, a cloud security firm, discovered the record-breaking payout early in 2024. It said it was the largest ransomware payment by a company in history but did not name the organization.

The cybersecurity experts warned that the ransomware payment is “bound” to attract the interest of other attackers intent on replicating the Dark Angels’ success.

Zscaler also said there was an 18% increase in ransomware attacks year-over-year in its latest ThreatLabz ransomware report covering the period from April 2023 to April 2024. Manufacturing, healthcare, and the technology sectors were the top targets, it said.

“The increasing use of ransomware-as-a-service models, along with numerous zero-day attacks on legacy systems, a rise in vishing attacks, and the emergence of AI-powered attacks, has led to record-breaking ransom payments,” said Deepen Desai, chief security officer at Zscaler.

According to Zscaler, the energy sector experienced a 500% year-over-year spike in ransomware attacks, as its critical infrastructure and susceptibility to operational disruptions make it particularly attractive to cybercriminals.

The United States remained the top ransomware target, accounting for almost half of all attacks. The United Kingdom was a distant second (5.92%), followed by Germany (4.09%), Canada (3.51%), and France (3.26%).

Zscaler also identified 19 new ransomware families, bringing the total number of threat actors it tracks to 391. LockBit, BlackCat (aka ALPHV), and 8Base were the most active, it said.

Meanwhile, Dark Angels is the top ransomware family “to watch” over the next year, cybersecurity experts said, also singling out the Akira and BlackBasta families.

Who are Dark Angels?

According to Zscaler, the Dark Angels ransomware group first emerged around May 2022 and is known to operate the Dunghill data leak site. Despite its relatively low profile, it is believed to be behind some of the largest ransomware attacks.

Dark Angels’ top targets include healthcare, government, finance, and education organizations, and it has also been observed launching attacks against large industrial, technology, and telecommunications companies.

The group takes a highly targeted approach and typically attacks a single large company at a time. This distinguishes it from most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks.

Once Dark Angels identifies and compromises a target, it selectively decides whether to encrypt the victim’s files.

“In most cases, the Dark Angels group steals a vast amount of information, typically in the range of 1-10TB. For large businesses, the group has exfiltrated between 10-100TB of data, which can take days to weeks to transfer,” Zscaler said.

The group conducted its highest-profile attack in September 2023, breaching an international conglomerate providing solutions for building automation systems. Dark Angels claimed it had stolen over 27TB of corporate data and demanded a $51 million ransom.

While the gang used a RagnarLocker ransomware variant to encrypt the company’s files, the relationship between the two is unclear, according to experts. The group is known to have used a Babuk variant when it first appeared, before switching to RagnarLocker.

“The Dark Angels ransomware group’s strategy of targeting a small number of high-value companies for large payouts is a trend worth monitoring,” Zscaler said, warning that other groups may adopt “similar tactics” to maximize their financial gains.