pwshub.com

Fortune 50 biz paid $75M ransom to prevent stolen data leak

An unnamed Fortune 50 corporation paid a stonking $75 million to a ransomware gang to stop it leaking terabytes of stolen data.

The underworld outfit, which calls itself Dark Angels, doesn't go for the shotgun approach a lot of other malware-slinging teams use, in which multiple victims are infected at a time indiscriminately in hope that at least some pay up. Nor does Dark Angels appear to use affiliates or outside help to get into networks.

Instead the unit seems to focus on compromising one big target at a time by itself, selecting businesses to steal data from that are likely to write a big check to prevent pilfered documents from being leaked online.

For instance, in September 2023, Dark Angels used a RagnarLocker variant to encrypt international conglomerate Johnson Controls' data, and demanded a $51 million ransom. The gang, which was previously using a strain of the Babuk ransomware, claimed to have stolen at least 27TB of information, and attacked the org's virtual machines running on VMware ESXi.

Then in early 2024, the crew managed to extract $75 million in cryptocurrency from one victim, the highest publicly known payment of its kind to date.

That's according to network security house Zscaler in its latest ThreatLabz report on ransomware, and confirmed by blockchain watchers Chainalysis.

Brett Stone-Gross, senior director of threat intelligence at Zscaler, told The Register on Thursday the gang has operated for just a couple of years. Stone-Gross said the crooked crew is "extremely stealthy," and is patient enough to quietly exfiltrate tens of terabytes over many weeks from victims.

Dark Angels is able to keep a low profile and operate successfully by working alone, and not with affiliates as other gangs do, Stone-Gross opined. You're only as strong as your weakest partner in this game. If an affiliate hits a hospital or some other critical infrastructure on your behalf, or otherwise kicks off some unexpected drama, it will draw unwelcome attention, which is exactly what Dark Angels wants to avoid.

This shift from spray-and-pray attacks by ransomware scumbags to tightly targeted cyber-heists seems to be where the online crime world is going, Stone-Gross suggested. And the approach can pay major dividends, particularly when the target has insurance against these kinds of intrusions.

"When they hit companies, they search for the relevant data and check how much the firm's insurance policy is set to pay out, be it $5 million, $10 million or more," he noted.

"They can then say to the victim: 'We know your policy value, pay it up to the limit.' Insurers are also a factor in the decision to pay," since they may feel it's cheaper in the long run to pay up and at least get some cooperation from the extortionists than try to fix everything in the dark, he added.

For instance, if a payment isn't made and data is leaked as a result, that may intensify legal action against the victim by its own customers or partners, as has happened in the US, where ransomware attacks doubled last year, according to Zscaler. The UK saw attacks rise 50 percent, we're told.

Russia has less to worry about than other countries, since that's where a large share of ransomware operators are based, and the Kremlin turns a blind eye to it all as long as the targets are beyond its borders.

Don't worry about AI, yet

Stone-Gross observed that Zscaler has yet to see artificial intelligence augment traditional ransomware tactics at scale; AI models could be used to automate social engineering attacks, for instance.

"We are not seeing deepfakes used that frequently," he commented. "It's something we do expect to increase, but there are simple measures you can take against it."

Skepticism is Stone-Gross's suggested shield. He cited the recent reported attempt against Ferrari, in which a crook used an AI model to simulate the voice of CEO Benedetto Vigna on a phone call in hope of tricking a colleague into transferring funds to the fraudster.

The voice itself was apparently spot on, even nailing Vigna's southern Italian accent. But there were red flags: The call came from an unknown number, which the scammer tried to pass off as needed to ensure confidentiality. And the executive who took the call asked a test question: What book did Vigna recommend to him the previous week? The answer, which only Vigna could have known, was a tome titled, "Decalogue of Complexity: Acting, Learning and Adapting in the Incessant Becoming of the World," by Alberto Felice De Toni.

The caller hung up when asked to name the book – an example of how this technique can be used to confound scammers.

Stone-Gross warned, however, that other swindles are far more prosaic. Social engineering using a real person – such as happened in the recent Las Vegas ransomware attacks – remains prevalent.

Zscaler has observed some intrusions exploiting zero-day flaws, he said, but most technical attacks target unpatched vulnerabilities. Stay patched out there. ®

Source: theregister.com
