The malicious activities of a ransomware collective known as Dark Angels reached new heights recently when the group reportedly received a record-breaking $75 million ransom payment from a Fortune 50 company. Dark Angels has been on security radars since 2021, but its lack of public exposure is a product of its discreet operating model. Instead of attacking many victims simultaneously, the group targets one company at a time, and it prefers mass data theft to disrupting the victim’s operations.

The Dark Angels focus on making money with minimum public attention.

Zscaler’s ThreatLabz has identified Dark Angels as 2024’s top ransomware threat, highlighting a case earlier this year where this enigmatic group was paid $75 million in ransom. This is the highest ransom ever recorded, likely prompting extra interest in the Dark Angels. However, little is known about the group despite their audacious attacks and high-value demands.

In contrast to other ransomware groups, Dark Angels does not use the typical ransomware affiliate model, which relies on hackers-for-hire to infiltrate and encrypt compromised systems. Instead, the group strives to stay out of sight while continuing its unlawful activities.

Typically, ransomware groups maintain flamboyant victim leak sites and threaten to publish the targeted company’s stolen data unless a ransom is paid. In contrast, Dark Angels did not establish a victim leak site until April 2023, when it launched one aptly named Dunghill Leak. Even this site isn’t flashy, since maintaining a low profile is at the core of the group’s operations.

Despite its discretion, Dark Angels is believed to be a Russia-based cybercrime syndicate known for stealing significant volumes of data from multinational corporations across various sectors, including healthcare, finance, government and education. From large corporations, the group has been found to exfiltrate between 10 and 100 terabytes of data, a process that can take days or weeks.

Like most ransomware groups, Dark Angels publishes stolen data from companies that refuse to pay the demanded ransom. Notable victims listed on Dunghill Leak include global food distribution firm Sysco and travel booking giant Sabre, both of which were attacked by Dark Angels in 2023.

Dark Angels is unusual in that it deploys ransomware selectively. Encryption attacks typically disrupt a targeted company’s IT infrastructure and halt its operations for extended periods, which in turn attracts publicity. Dark Angels avoids this by focusing on data theft, pressuring companies into paying to avoid losing substantial volumes of data.

What separates Dark Angels from other groups is the staggering volume of data it steals, which forces companies into paying high ransoms.

So which company succumbed to the record $75 million ransom demand? Speculation points to the pharmaceutical titan Cencora (previously known as AmerisourceBergen Corporation), which reported a data security incident to the U.S. Securities and Exchange Commission (SEC) on February 21, 2024.

The SEC requires publicly traded companies to disclose potentially significant cybersecurity incidents within four days. Cencora, currently #10 on the Fortune 500 list, reported more than $262 billion in revenue in the previous year.

Despite the disheartening spike in ransom payments, the cost is at least often spread across multiple sources. As highlighted in Sophos’s recent ‘State of Ransomware’ report, in more than 82% of cases the ransom was drawn from multiple sources, significantly alleviating the financial burden on the victim.

In conclusion, the scarcity of information on the so-called Dark Angels, juxtaposed with the substantial spike in ransom payments, underscores the need for regular WordPress site cleanup and WordPress malware scans. Even where they do not eliminate a threat immediately, these precautions help companies develop more effective strategies to clean up WordPress malware and safeguard their systems against future attacks.

Need security services for your WordPress site? Contact DrGlenn for protection and recovery. Order Services Today!