Dark Angels ransomware is a human-operated ransomware group that has gained significant notoriety over the past two years for targeting large multinational corporations and demanding exorbitant ransom sums.
Most notably, in early 2024, Dark Angels received a record-breaking $75 million ransom payment from a Fortune 50 company, cementing its place as one of the most prolific ransomware operations currently active.
This blog details the evolution of Dark Angels, its hacking techniques and encryption methods, and offers strategies to help enterprises understand this serious cyber threat and better protect themselves.
The Rise of the Dark Angels Ransomware Group
Not much is known about when Dark Angels first emerged or where its operators originated from. The group quietly entered the ransomware landscape in May 2022 with an attack on a large multinational food manufacturing company headquartered in Western Europe.
They utilized customized Windows and VMware ESXi encryptors derived from recently leaked Babuk ransomware source code. This provided Dark Angels with the ability to target a wide variety of systems across the victim’s internationally dispersed IT infrastructure.
Over the following months, Dark Angels continued developing their techniques and building their reputation. They strategically breached mid-sized companies from industries such as manufacturing, construction, transportation and agriculture located worldwide.
Ransom demands typically started in the range of $500,000 to $1 million. With each successful operation, Dark Angels refined their tactics for penetrating target networks and evading detection. They also experimented with expanding the pressure put on victims to pay by stealing and threatening to leak sensitive documents and files.
A turning point came towards the end of 2022, when Dark Angels set their sights on a much larger prey. Through determined attacks leveraging advanced intrusion techniques, they ultimately compromised the global networks of Johnson Controls, a multibillion-dollar technology and solutions provider.
After encrypting systems across Johnson Controls’ operations, Dark Angels demanded an unprecedented $51 million ransom payment. This brazen operation signaled Dark Angels had evolved into a serious threat dedicated to targeting only the largest, most high-profile multinational corporations. With their first major victory, Dark Angels solidified their entrance as a dark force to be reckoned with in the cybercriminal landscape.
A Record-Breaking $75 Million Ransom Payment
After establishing themselves as a formidable adversary throughout 2023, Dark Angels was poised to carry out their most ambitious operation yet in early 2024. Leveraging sophisticated hacking techniques and surveillance of potential victims, they managed to penetrate the internal networks of a little-known but immensely lucrative target – one of the largest companies on the Fortune 500 list.
Once embedded deeply within the target’s IT infrastructure, Dark Angels launched their customized encryption software which rapidly spread throughout thousands of machines, effectively paralyzing the multinational corporation’s global operations.
With a trove of stolen sensitive documents and the victim’s entire business on the line, Dark Angels made their unprecedented ransom demand of $75 million to be paid in cryptocurrency. The targeted company, desperate to bring their systems back online as soon as possible, reluctantly agreed to pay what was at the time the highest ransom amount on public record.
The $75 million payment was quickly confirmed by leading blockchain analysts at Chainalysis, further cementing Dark Angels’ place at the apex of financially motivated cybercriminals. While the identity of the Fortune 500 firm remains unknown, speculation points to an attack in February against Cencora, a top pharmaceutical company, as the possible victim.
The largest known ransom payment was previously $40 million, which insurance giant CNA paid after suffering an Evil Corp ransomware attack.
The enormous ransom has also taken the model of “big game hunting” to its highest and most lucrative conclusion yet witnessed in modern ransomware schemes.
The Big Game Hunting Strategy: Targets of Dark Angels Ransomware
Unlike most ransomware groups that indiscriminately compromise as many easy targets as possible, Dark Angels has carefully cultivated a specialized methodology known as “big game hunting.” Rather than aiming to achieve numerous small ransom payments, this focused approach involves meticulously planning and researching potential high-value targets. The group spends weeks and sometimes months penetrating the networks of just a single major international corporation at a time.
Through meticulous reconnaissance and testing of security weaknesses, Dark Angels maps out the full infrastructure of their target. This allows them to carefully monitor activity and move laterally within the network undetected. When the time is right, they deploy customized ransomware with the ability to rapidly encrypt entire server farms and thousands of endpoints simultaneously.
By conquering a juggernaut of industry in one fell swoop, Dark Angels is able to demand extraordinarily large ransoms starting in the tens of millions of dollars. They also intensify pressure on these corporations through threatening to leak terabytes of sensitive documents, emails and proprietary information. This big game hunting strategy has undoubtedly contributed to their record-breaking successes, seeking maximum profit from minimal operations.
While riskier, this approach has also shown Dark Angels to be a daring and highly organized adversary, unlike most ransomware affiliates. Their strategy of high-precision attacks on only the most lucrative targets continues to turn black hat hacking into a highly profitable criminal enterprise.
Conclusion: Learning from Dark Angels
The unprecedented successes achieved by Dark Angels clearly demonstrate that ransomware groups have adopted cunning new strategies focused on maximizing profits from the largest, most impactful targets. As a result, even the mightiest global firms have been brought to their knees. For enterprises striving to defend their complex IT environments from agile, well-funded threats, there are valuable takeaways from scrutinizing Dark Angels’ rise.
Firstly, no network is impenetrable if constantly probed by determined attackers. Continuous monitoring, logging and detection across all domains are essential to spot suspicious activity early. Secondly, controlling privileges and practicing least privilege principles makes it far more difficult for threats to spread laterally and escalate privileges once inside.
Preparation is also key – having immutable, recent backups offline or in the cloud is the difference between days of downtime and mere hours. It also reduces reliance on negotiation with criminals. Furthermore, increased user awareness through simulated phishing tests helps harden the edge of networks as a last line of defense.
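The takeaway about continuous monitoring and early detection is concrete enough to illustrate. The script below is an added example written for this post; it is not Dark Angels tooling, not a vendor product, and not code from the original article. It parses file-activity audit lines in a constructed format (an assumption of this example), keeps a short sliding window per host, and raises an alert when the number of distinct files written or renamed in that window exceeds a threshold and the results converge on a single new extension, which is the footprint a rapid encryptor leaves on a file server. The sample events, host names, user names and the `.locked` extension are all constructed for the demonstration.

```python
"""Burst detector for ransomware-style mass file modification.

Added example, not code from the article or from any real product. Log
format, thresholds and sample data are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import os
import re

# Assumed audit-line format: <ISO8601 UTC> <host> <user> <OP> <path>[ -> <new_path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<op>WRITE|RENAME|DELETE) "
    r"(?P<path>\S+)(?: -> (?P<new_path>\S+))?$"
)


def parse_event(line):
    """Parse one audit line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_mass_encryption(lines, window_seconds=10, min_files=20, min_ext_share=0.8):
    """Return one alert per host whose recent activity looks like bulk encryption.

    An alert fires when, inside a sliding window of window_seconds, a host has
    touched at least min_files distinct files and at least min_ext_share of
    those writes/renames produced the same file extension.
    """
    per_host = defaultdict(deque)  # host -> deque of (timestamp, extension, target path)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] not in ("WRITE", "RENAME"):
            continue  # deletes and unparsable lines do not contribute to the burst count
        target = ev["new_path"] or ev["path"]
        ext = os.path.splitext(target)[1].lower()
        q = per_host[ev["host"]]
        q.append((ev["ts"], ext, target))
        # Drop events that have aged out of the window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_files = {t for _, _, t in q}
        if len(distinct_files) < min_files:
            continue
        ext_counts = defaultdict(int)
        for _, e, _ in q:
            ext_counts[e] += 1
        top_ext, top_n = max(ext_counts.items(), key=lambda kv: kv[1])
        if top_n / len(q) >= min_ext_share and ev["host"] not in alerts:
            alerts[ev["host"]] = {
                "host": ev["host"],
                "user": ev["user"],
                "extension": top_ext,
                "files_in_window": len(distinct_files),
                "window_start": q[0][0].isoformat(),
                "window_end": ev["ts"].isoformat(),
            }
    return list(alerts.values())


def constructed_sample():
    """Constructed audit lines: one benign workstation and one file server under mass rename."""
    base = datetime(2024, 2, 20, 3, 14, 0)
    lines = []
    # Benign: five ordinary document saves spread over fifty seconds.
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ws02 alice WRITE /home/alice/report{i}.docx")
    # Suspicious: thirty renames to one new extension within six seconds.
    for i in range(30):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(
            f"{t:%Y-%m-%dT%H:%M:%SZ} fileserver01 svc_share RENAME "
            f"/srv/share/finance/doc{i}.xlsx -> /srv/share/finance/doc{i}.xlsx.locked"
        )
    return lines


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_mass_encryption(constructed_sample())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately loose so the logic is easy to follow; in a real deployment they would be tuned per host role (a build server legitimately rewrites thousands of files) and paired with the backup and least-privilege measures above, since detection only buys time if there is a clean copy to restore and the encryptor cannot reach every share.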
Most significantly, businesses must acknowledge that ransomware actors now view them as lucrative targets rather than merely collateral damage of opportunistic breaches. Adopting a risk management strategy guided by threat intelligence rather than relying on defenses alone can help stay one step ahead of advanced groups.
While complete prevention may not be realistic against cunning adversaries, reducing the blast radius and making operations less enticing remains critical for enterprises going forward. Staying vigilant against the evolving tactics showcased by Dark Angels is imperative to survive and thrive in today’s treacherous threat landscape.