Researchers Uncover Largest Ever Ransomware Payment of $75m

Security researchers have discovered the largest ever publicly known ransomware payment and warned that multiple threat actors may look to copy the tactics of the Dark Angels group that received it.

The revelations come from Zscaler’s ThreatLabz 2024 Ransomware Report, which was compiled from external threat intelligence, together with telemetry from the vendor’s global security cloud and ThreatLabz analysis of ransomware samples and attack data.

It revealed an 18% annual increase in ransomware attacks blocked by Zscaler from April 2023 to April 2024, with manufacturing the most targeted sector, followed by healthcare, technology and education.

However, the standout finding is a $75m payment from an unnamed ransomware victim to the Dark Angels group, which ThreatLabz uncovered in early 2024.


The group’s previous highest-profile attack was in September 2023, when it demanded a $51m ransom from an international conglomerate specializing in automation, after claiming to have stolen over 27TB of data, the report revealed.

There’s now a concern that other groups may try to use similar tactics to extort large sums from their victims.

“The Dark Angels group employs a highly targeted approach, typically attacking a single large company at a time. This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks of initial access brokers and penetration testing teams,” the report explained.

“Once Dark Angels has identified and compromised a target, it selectively decides whether to encrypt the company’s files. In most cases, the Dark Angels group steals a vast amount of information, typically in the range of 1-10 TB. For large businesses, the group has exfiltrated between 10-100 TB of data, which can take days to weeks to transfer.”

Best Practices to Mitigate Ransomware Risk

Aside from the usual best practices of regular backups and software updates, multi-factor authentication (MFA), continuous employee training and enhanced incident response, Zscaler recommended organizations take several additional steps to mitigate the threat.

These include:

  • Zero-trust network access and least privilege access policies
  • A zero-trust architecture for internal applications
  • Inspection of encrypted traffic
  • A cloud access security broker (CASB)
  • Inline data loss prevention (DLP)
  • Deception tools and honeypots to misdirect attackers
  • AI-powered browser isolation and advanced sandboxing
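The exfiltration pattern described above (terabytes leaving over days to weeks) and the inline DLP item in the list both point at the same detection opportunity: a host whose outbound volume sits an order of magnitude above its own baseline for several consecutive days. The following Python sketch is an added example, not code from the Zscaler report or this article; the flow records, host names, destination addresses and thresholds are all constructed for illustration.

```python
"""
Sustained-egress detector (added example, not from the report).

Idea: a multi-terabyte exfiltration that takes days to weeks shows up in flow
logs as a host whose daily outbound bytes stay far above its own baseline on
consecutive days. A single large day (a backup job) is deliberately ignored.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

DAY0 = date(2024, 3, 1)  # first day of the constructed dataset


def make_sample_flows():
    """Constructed flow records (not real data): (day, src_host, dst_ip, bytes_out)."""
    flows = []
    for i in range(12):
        d = DAY0 + timedelta(days=i)
        # fileserver-01: ~50 MB/day of normal sync traffic ...
        flows.append((d, "fileserver-01", "198.51.100.5", 25_000_000))
        flows.append((d, "fileserver-01", "198.51.100.6", 25_000_000))
        # ... then, from day 7 on, ~400 GB/day to one external address
        if i >= 7:
            for _ in range(4):
                flows.append((d, "fileserver-01", "203.0.113.10", 100_000_000_000))
        # workstation-07: steady ~10 MB/day, never interesting
        flows.append((d, "workstation-07", "198.51.100.5", 10_000_000))
        # backup-02: ~20 MB/day plus one 5 GB full backup on day 9 (a single spike)
        flows.append((d, "backup-02", "198.51.100.7", 20_000_000))
        if i == 9:
            flows.append((d, "backup-02", "198.51.100.7", 5_000_000_000))
    return flows


def daily_egress(flows):
    """Aggregate outbound bytes per host per day: {host: {day: bytes}}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        per_host[host][day] += nbytes
    return per_host


def detect_sustained_egress(flows, baseline_days=7, ratio=10.0, min_run=3):
    """
    Flag hosts with >= min_run consecutive days of egress above ratio x their
    own baseline. The baseline is the median daily volume over the host's
    first `baseline_days` observed days (assumed clean; see caveat in prose).
    """
    alerts = []
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to build a baseline
        baseline = median(per_day[d] for d in days[:baseline_days])
        threshold = baseline * ratio

        # Split post-baseline days into runs of consecutive over-threshold days.
        runs, run = [], []
        for d in days[baseline_days:]:
            if per_day[d] <= threshold:
                runs.append(run)
                run = []
                continue
            if run and (d - run[-1]).days != 1:
                runs.append(run)
                run = []
            run.append(d)
        runs.append(run)

        for r in runs:
            if len(r) < min_run:
                continue
            # Which destination absorbed most of the volume during the run?
            by_dst = defaultdict(int)
            for day, h, dst, nbytes in flows:
                if h == host and r[0] <= day <= r[-1]:
                    by_dst[dst] += nbytes
            top_dst = max(by_dst, key=by_dst.get)
            alerts.append({
                "host": host,
                "start": r[0],
                "end": r[-1],
                "days": len(r),
                "bytes": sum(per_day[d] for d in r),
                "baseline": baseline,
                "top_dst": top_dst,
                "top_dst_bytes": by_dst[top_dst],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_sustained_egress(make_sample_flows()):
        print(f"{a['host']}: {a['days']} days ({a['start']}..{a['end']}), "
              f"{a['bytes'] / 1e12:.2f} TB out, baseline {a['baseline'] / 1e6:.0f} MB/day, "
              f"mostly to {a['top_dst']} ({a['top_dst_bytes'] / 1e12:.2f} TB)")
```

Two caveats a practitioner would apply before relying on this. First, the baseline is taken from the host's first week of history, so it is only meaningful if that week was clean; in production the baseline should be a rolling window with known bulk jobs (backups, replication) excluded or allow-listed by destination. Second, the run-length rule is what separates a day-long backup from a days-long exfiltration, so `min_run` should be tuned against the organisation's own legitimate transfer patterns rather than left at a guess.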

“The increasing use of ransomware-as-a-service models, along with numerous zero-day attacks on legacy systems, a rise in vishing attacks and the emergence of AI-powered attacks, has led to record breaking ransom payments,” said Deepen Desai, chief security officer at Zscaler. “Organizations must prioritize Zero Trust architecture to strengthen their security posture against ransomware attacks.”
