In 2024, global ransom payments to threat groups continue to surge. The United States remains the primary target, accounting for nearly half of all attacks worldwide.1 Notably, 2023 marked the first time that ransom payments exceeded US$ 1 billion.2 However, recent reports have revealed that an unnamed organization paid a US$75 million ransom to the DarkAngels threat group in 2024. These reports disclose that the organization was in the Fortune 500. This payment is likely the largest known ransom payment to date. Of course, many organizations pay ransoms without disclosing the details to the public, making it difficult to determine if this is the largest payment ever made. Regardless, the DarkAngels threat group is rapidly emerging as a significant threat that organizations must be prepared to confront.
Fortune 500 SEC Filing
The US$75 million payment was confirmed by a crypto-intelligence company, on the platform X, in a 30 July 2024 report.3 Although the identity of the company that paid the ransom remains uncertain, it is speculated that the victim could be Cencora (formerly AmeriSourceBergen Corporation), a pharmaceutical giant ranked #10 on the 2024 Fortune 500 list,4 which suffered a cyberattack in February. Cencora has not confirmed the attack, or if a payment was made to any threat group but did report a security incident to the U.S. Securities and Exchange Commission (SEC) on 21 February 2024.
Many organizations pay ransoms without disclosing the details to the public, making it difficult to determine if this is the largest payment ever made.
According to a recent report,5 the average ransomware payment has increased fivefold over the last year, from US$400,000 in 2023 to US$2 million in 2024. The report states that more than 80% of the payment amounts came from multiple sources, while 40% of the ransom payments came from the attacked organizations themselves and 23% from cyberinsurance firms.
As these trends continue, year over year, organizations must devise a strategy around ransomware, and more importantly, a plan to prevent data loss and deal with the repercussions of threat groups exfiltrating confidential data. Otherwise, ransomware campaigns will continue to devastate companies and the financial impact will continue to grow. Please remember, when confidential data is exfiltrated by threat groups such as DarkAngels, the costs to the organization far exceed the ransom payment.
Understanding DarkAngels
DarkAngels began their attack strategy in 2022 and is known as a “big game hunter”, because of their history of going after large and technically sophisticated organizations. They are a financially motivated Russian threat group specializing in ransomware attacks that encrypt Windows and VMware ESXi networks, as well as large-scale data exfiltration. DarkAngels is not a well-known threat group in the cybersecurity landscape. This is likely due to the group’s preference for operating independently, without relying on affiliates or malware-as-a-service (MaaS). Though relatively unknown, this group has carried out considerable damage. In past data exfiltration attacks, as much as fifty terabytes of confidential data was slowly exfiltrated in less than a week.6 This exfiltrated information serves as a key indicator of compromise (IoC) and a valuable use case for event monitoring across all organizations. DarkAngels operates a discreet, no-frills site named DungHill for reporting data leaks. This site stores stolen data, and various threat groups utilize such platforms, including DungHill, for hosting their stolen data.
Organizations that are known to have been attacked by DarkAngels are the travel booking giant Sabre, the food distribution company Sysco, Nexperia, a semiconductor manufacturing company in the Netherlands, and Johnson Controls,7 from which the hackers reportedly demanded a US$51 million ransom for a reported theft of 27 terabytes of data.
To mitigate the risk of a DarkAngels attack, organizations should monitor outbound traffic levels and set up alerts for any unusual spikes. Additionally, organizations should invest in third parties who will routinely monitor the dark web (DungHill) for brand information and data.
Target Semiconductors
In another large attack, DarkAngels added Nexperia to the list of victims on its Tor site.8 The exfiltrated data included quality control data, client information, engineering data, NDAs, trade secrets, semiconductor technology information, pricing information, employee data, personal data, passports, contracts, salaries, schematics of chips, microchips, Email correspondence, trade secrets, and transistor blueprints. The exfiltrated datasets stolen from Nexperia illustrate the types of data targeted by threat groups like DarkAngels, serving as a cautionary example for other organizations.
This incident underscores the critical need for robust cybersecurity measures and vigilant monitoring to protect sensitive information. Organizations must recognize the diverse range of data that can be targeted and take proactive steps to safeguard their assets. The Nexperia breach serves as a stark reminder of the persistent threats posed by groups like DarkAngels and the importance of comprehensive security strategies.
Prime Targets
Data collected from April 2023 to April 2024 indicates an 18% year-over-year increase in ransomware attacks.9 The three most targeted sectors are manufacturing, healthcare, and technology.
The US$75 million payment to DarkAngels tops the known list of companies that reportedly paid large ransoms in the past such as:
These attacks and their severity underscore the serious threat posed by ransomware. Organizations have faced and will continue to face catastrophic consequences when targeted by such malicious activities. As ransomware attacks continue to rise, organizations must enhance their cybersecurity defenses and develop comprehensive response strategies to mitigate potential damages.
Conclusion
Threat groups such as DarkAngels are fully aware of the significant impact that confidential data leakage has on organizations. However, they remain indifferent to these consequences as long as they achieve monetary gain from their efforts. While a company can rebuild machines and networks to recover from an attack, there is nothing they can do about exfiltrated confidential data, except pay a ransom and hope the threat group deletes the confidential data, like most always occurs when the ransoms are paid.
Due to the large ransoms collected and the fact that DarkAngels has hit such big organizations while maintaining a low profile, DarkAngels seems to be the up-and-coming threat group to watch for organizations. It is in every organization’s best interest to begin collecting routine threat intelligence on DarkAngels, especially if their organization is listed on the Fortune 500.
Endnotes
1 Cyberint, “Ransomware Trends 2023 Report,” 7 April 2024
2 Chainalysis Team, “Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline,” Chainalysis, 7 February 2024
3 @ Chainalysis "We can confirm that early this year we saw the largest ransomware payment ever at $75M. The "big game hunting" trend we discussed in our 2024 crime report – fewer attacks on larger targets with deeper pockets – is becoming more pronounced,” X, 30 July 2024
4 Kovacs, E.; “Johnson Controls Hit by Ransomware,” SecurityWeek, 29 September 2023
5 Splunk, State of Security 2024: The Race to Harness AI
6 Baran, G.; “Record-breaking Ransom Payment: Dark Angels Ransomware Received $75 Million,” Cybersecurity News, 31 July 2024
7 Yahoo! Finance, “FORTUNE ANNOUNCES 2024 FORTUNE 500,”4 June 2024
8 Kovacs, E.; “Ransomware Group DarkAngels Claims the Theft of 1TB of Data From Chipmaker Nexperia,” SecurityWeek, 15 April 2024
9 Zscaler, “Zscaler’s Annual Ransomware Report Uncovers Record-Breaking Ransom Payment of US$75 Million, Reinforcing the Need for Zero Trust,” 29 July 2024
10 Bajak, F.; “Ransomware Gangs Get Paid Off as Officials Struggle for Fix,” AP News, 21 June 2021,
11 SecurityWeek News, “In Other News: Apple’s Spyware Warning, CDK Global Ransom Payment, Sibanye Cyberattack,” 12 July 2024
12 Arghire, I.; “Ransomware Group Starts Leaking Data Allegedly Stolen From Change Healthcare,” SecurityWeek, 16 April 2024
Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Is an incident response principal consultant for SecureWorks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to security events of any size.