The mystery of the $75M ransom payment to Dark Angels
The Dark Angels gang stole 100 TB of data from a Fortune 50 company last year for a record-setting ransom payment. But the victim organization still hasn't disclosed those details.
In early 2024, Dark Angels ransomware actors gained access to a large publicly traded U.S. company, exfiltrated an eye-popping 100 TB of corporate data and then extorted the company for a record-breaking $75 million ransom payment. But nearly a year later, the victim organization still hasn't disclosed the massive payment or the full scope of the attack.
News of the $75 million ransom payment to Dark Angels first emerged on July 29 when cybersecurity vendor Zscaler published its "ThreatLabz 2024 Ransomware Report." In the report, Zscaler said it discovered in early 2024 an organization that made an "unprecedented" payout to the Dark Angels ransomware gang. Blockchain analytics firm Chainalysis later confirmed that $75 million, the largest ransom payment ever recorded, was paid to Dark Angels.
The following day, Zscaler posted additional information on X, formerly Twitter, that added intrigue to the situation. "ThreatLabz has uncovered a record breaking $75 million payment made by a Fortune 50 company to the #DarkAngels ransomware group," the company wrote.
Zscaler did not name the company and has consistently declined to identify the victim organization. However, a BleepingComputer report posited that the company could be Cencora, a pharmaceutical giant formerly known as AmerisourceBergen. The report noted that Cencora -- currently No. 18 on the 2024 Fortune Global 500 list with $262 billion in revenue -- suffered a cyberattack in February, which it disclosed in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) on Feb. 27.
According to the filing, Cencora discovered on Feb. 21 that "data from its information systems had been exfiltrated, some of which may contain personal information." The company, which provides pharmaceutical distribution services for third-party drugmakers, said it commenced an investigation into the breach with "the assistance of law enforcement, cybersecurity experts and external counsel."
In an amendment to the 8-K filing on July 31, Cencora said it discovered that additional data had been exfiltrated by the attacker, including the personally identifiable information and protected health information of customers' patients. The amendment also stated there was no evidence the company's data "has been or will be publicly disclosed."
Notably, Cencora said the attack did not have a material impact on the company's operations and that its IT systems were fully operational. "The Company does not believe the incident is reasonably likely to materially impact the Company's financial condition or results of operations," the amendment stated.
Cencora named
On Sept. 18, Bloomberg News reported that, according to sources familiar with the situation, Dark Angels received the $75 million ransom payment for the Cencora attack and that the original demand was $150 million. According to Bloomberg, a Cencora representative declined to comment on the report and said the company does not respond to rumors or speculation.
On the same day, an anonymous cryptocurrency researcher and investigator known as "ZachXBT" posted to X the details of three separate bitcoin transactions on March 7 and 8, allegedly made by Cencora to Dark Angels.
The Cencora representative also told Bloomberg that the company stands by its public disclosures, including a quarterly earnings report in July that detailed costs associated with the February breach. Cencora's fiscal Q3 earnings report included $31.4 million in "other" expenses for the previous nine months ending on June 30, the majority of which were related to the breach.
Brett Stone-Gross, director of threat intelligence at Zscaler, said numbers in SEC filings can be misleading, thanks to cyber insurance. "I've seen multiple companies that are publicly traded that have paid ransoms. I know there were large payments," Stone-Gross said. "I've looked at their SEC filings, and they've made statements that the breach cost them significantly less than what they paid in the ransom alone."
Cencora states on its website that it "maintains cyber insurance," but it's unclear who the carrier is and what the policy entails. Informa TechTarget contacted Cencora for comment, but the company did not respond by press time.
While Zscaler declined to identify the victim organization behind the $75 million ransom payment, Stone-Gross discussed the lack of transparency around the incident and the troubling trends it has illustrated.
'It was surprising'
Zscaler had previously offered little information about the record-setting ransomware payment and the incident behind it. The "ThreatLabz 2024 Ransomware Report" contains just a few short sentences about the attack, and the company is tight-lipped about many details, including how Zscaler first discovered the payment. "Obviously, if we disclose how we obtain some information, we may potentially lose the ability to collect that information in the future," Stone-Gross said.
But Zscaler provided some insights about the attack and payment, the most notable of which was that Dark Angels threat actors managed to exfiltrate approximately 100 TB of data from the organization.
Stone-Gross said Dark Angels has proved to be adept at stealing significant amounts of sensitive data from victims. For example, in 2023, the ransomware gang encrypted the VMware ESXi virtual machines of Johnson Controls International, which produces building automation systems, and claimed to have stolen more than 27 TB of sensitive data.
However, Stone-Gross said the 100 TB number is astounding.
"If you think about it from a network and mathematics standpoint, they were stealing data over a period of weeks," he said. "It takes a long time to steal that volume of data. And there's probably very few cases where you'd see terabytes of data leaving your network that are legitimate. That means that these large companies are failing to monitor their network."
Since the ThreatLabz report was published, Stone-Gross has seen an increase in the volumes of data stolen in extortion attacks. "I'm starting to see now more groups stealing terabytes of data, whereas if you look at last year, it was more like 50 GB, or maybe 100 GB in some rare cases," he said.
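The monitoring gap Stone-Gross describes is detectable from flow telemetry alone: a host moving terabytes off the network stands out against its own history, whether it does so in a single burst or as a steady drain spread over weeks. The following is an added illustration, not code from the article, from Zscaler or from any of the organizations it mentions. It runs over constructed flow records in the form (day, source, destination, bytes); the internal address range, the thresholds and the sample hosts are all assumptions chosen for the example.

```python
"""Egress-volume anomaly detection over constructed flow records (added example).

Flags internal hosts whose outbound byte counts to external destinations depart
from their own baseline, either as a one-day spike or as a sustained multi-week
drain that moves a large total without any single day looking dramatic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the corporate address space
GB = 1024 ** 3
TB = 1024 ** 4


def daily_egress(flows):
    """Sum bytes per (day, internal source) for flows that leave INTERNAL.

    Internal-to-internal traffic (replication, backups to on-site storage) is
    ignored so that it cannot mask or inflate the egress figure.
    """
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            totals[(day, src)] += nbytes
    return totals


def find_exfil(flows, spike_ratio=10.0, spike_floor=50 * GB,
               window_days=14, window_floor=1 * TB):
    """Return (day, host, kind, bytes) alerts, one per onset of a condition.

    spike:     today's egress is at least spike_floor AND at least spike_ratio
               times the host's median daily egress over the previous window.
    sustained: egress over the trailing window (today included) reaches
               window_floor, which catches slow exfiltration over weeks.
    An alert fires when a condition first becomes true and is re-armed only
    after the condition clears, so a multi-day event yields one alert.
    """
    totals = daily_egress(flows)
    days = sorted({d for d, _ in totals})
    hosts = sorted({h for _, h in totals})
    alerts, active = [], set()
    for host in hosts:
        series = [totals.get((d, host), 0) for d in days]
        for i, day in enumerate(days):
            today = series[i]
            history = series[max(0, i - window_days):i]
            spike = bool(history) and today >= spike_floor \
                and today >= spike_ratio * max(median(history), 1)
            cum = sum(series[max(0, i - window_days + 1):i + 1])
            sustained = cum >= window_floor
            for kind, hit, value in (("spike", spike, today),
                                     ("sustained", sustained, cum)):
                key = (host, kind)
                if hit and key not in active:
                    alerts.append((day, host, kind, value))
                    active.add(key)
                elif not hit:
                    active.discard(key)
    return sorted(alerts)


def build_sample_flows():
    """Constructed 21-day sample: a steady backup host, a host that starts
    draining 120 GB/day from day 8, and a host with a single 400 GB burst."""
    flows = []
    for i in range(1, 22):
        day = f"2024-02-{i:02d}"
        flows.append((day, "10.0.1.5", "52.10.0.4", 20 * GB))        # off-site backup, normal
        flows.append((day, "10.0.2.77", "10.0.9.1", 500 * GB))       # internal replication, ignored
        flows.append((day, "10.0.2.77", "198.51.100.20", (2 if i < 8 else 120) * GB))
        flows.append((day, "10.0.3.9", "203.0.113.7", (400 if i == 15 else 5) * GB))
    return flows


if __name__ == "__main__":
    for day, host, kind, value in find_exfil(build_sample_flows()):
        print(f"{day} {host:<10} {kind:<9} {value / GB:8.0f} GB")
```

On the constructed data the file server 10.0.2.77 produces two alerts: a spike on the first day its egress jumps from 2 GB to 120 GB, and a sustained alert on 2024-02-16, when its trailing 14-day total passes 1 TB. The 400 GB burst from 10.0.3.9 raises a single spike, and the backup host raises nothing because its volume is flat. The sustained rule is the one that matters for the case in the article: once an attacker paces exfiltration across weeks, per-day thresholds alone stop seeing it.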
Unlike other, more prolific ransomware gangs like LockBit and RansomHub, Dark Angels isn't a ransomware-as-a-service operation that outsources attacks to affiliate hackers. The Russian-speaking cybercriminal group has a dark web site under a different name, dubbed "Dunghill Leak," and doesn't have its own ransomware; Dark Angels has used variants of other ransomware such as Ragnar Locker.
In a blog post in October, ThreatLabz researchers noted that since emerging in 2022, Dark Angels consistently steals vast amounts of data and -- prior to the $75 million payment -- prefers to avoid publicity. "Prior to this event, the group has largely remained in the shadows due to their modus operandi, which is quite different from most ransomware groups," the blog post said.
Even with the alarmingly large amount of data stolen in this case, Zscaler ThreatLabz researchers were still taken aback by the size of the ransom payment. "It was surprising," Stone-Gross said. "What we've seen is an uptick in the size of payments. It's something that the Dark Angels group has been extremely successful with, as we mentioned in the report. And they have quite a unique approach to these breaches and how they operate."
Part of that approach includes a shift toward pure data theft and extortion attacks, and away from traditional ransomware deployment. In addition, Dark Angels has focused on "big-game hunting," or the practice of targeting one high-value organization at a time and stealing large amounts of sensitive data that could command exorbitant ransoms.
The $75 million payment was an exclamation point for those trends, and one that could be cause for concern. Stone-Gross said that in this case, Dark Angels did not deploy ransomware in the victim organization's network. Therefore, the biggest ransom payment ever recorded was made solely to prevent Dark Angels operators from publishing the stolen data.
It represents a stark contrast to high-profile ransomware incidents of the past such as the infamous attack on Colonial Pipeline Co., which triggered fuel shortages in parts of the eastern U.S. The company paid a $4.4 million ransom to the now-defunct DarkSide ransomware gang, but law enforcement officials later seized $2.3 million of the payment.
Perhaps the biggest questions around the Dark Angels attack are why the victim organization paid a record-setting sum for an attack that did not cause any operational disruptions to the business, and what confidential information was contained in the 100 TB of stolen data.
Darren Williams, founder and CEO at cybersecurity vendor BlackFog, said the size of the payment indicates that Dark Angels obtained highly sensitive data within the 100 TB stolen from the victim organization. "It seems like they got more than just customer data," he said.
However, a threat analyst who wished to remain anonymous offered an alternative theory. "One of the things that you don't hear a lot about is that the stolen data in these ransomware attacks isn't as sensitive as you think," they said. "Sometimes ransomware gangs will come on strong and scare the decision-makers into paying before the victim can determine what data was actually stolen."
Therefore, the threat analyst said, it's possible that the massive size of the exfiltrated data made it difficult for the Fortune 50 company to fully verify what was stolen. The organization, which would have billions of dollars in annual revenue, might have simply made the $75 million payment as a matter of expediency, they said.
While many details remain a mystery, Stone-Gross said other ransomware and cybercriminal outfits have certainly taken note of Dark Angels' success and will likely try to replicate it.
"The way they operate is likely to catch on with some of the other groups, where instead of going after hundreds or thousands of companies, you go after these very high-value targets," he said. "And this data extortion and exfiltration threat is increasing because a lot of these groups realize that the data that some of these companies hold is extremely valuable, and companies will go to great lengths to protect that data."
The disclosure conundrum
The lack of details surrounding the $75 million ransom payment has raised questions about the effectiveness of U.S. disclosure laws in light of the SEC's new cybersecurity incident reporting rules. Under those rules, which took effect in December 2023, public companies must disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The rules require that materiality determination to be made without unreasonable delay, but they leave the determination itself to the company.
George Gerchow, head of trust at MongoDB and a faculty member at IANS Research, said the $75 million ransom payment has illustrated several weaknesses with the SEC rules, which he supported and initially felt would have a positive effect on transparency. Part of the problem, he said, is that determining materiality is subjective, and organizations can make an argument that even serious breaches won't have significant impact on their stock price and are therefore not material.
"I think most companies have taken the ambiguity of it and shifted it in their favor," Gerchow said.
Stone-Gross agreed. "What we have seen is that now these companies are disclosing that they had an incident, but the disclosures are very vague, unfortunately," he said.
Paul Hastings LLP, a multinational law firm based in Los Angeles, published its "SEC Cybersecurity Incident Disclosure Report" last month, which reviewed 75 disclosures issued by 48 public companies between Dec. 18, 2023, and Oct. 31, 2024. The firm found that fewer than 10% of the disclosures included a description of the material impact.
An even bigger concern is that the SEC rules might be incentivizing companies to pay off attackers to keep data breaches quiet. "If you pay that ransom, you have almost a full guarantee that the data never gets exposed. So is it a material breach or not? All you have to do is pay the ransom," Gerchow said. "That's how those arguments are going right now."
Another issue is that companies are not required to disclose ransom payments, Stone-Gross said, even though they are generally viewed as a strong indicator of a disruptive attack. If a victim organization paid a sizable ransom, then it's likely because the attack disrupted business operations or attackers obtained highly sensitive data that could be extremely costly if exposed.
"Let's say there's health information that's stolen -- how do you put a price tag on that?" Stone-Gross said. "First, if your customers, or the patients, sue you, then that could be a lot more expensive than $75 million, so a big part of it is lawsuits. Also, if the executives at the company are proven to be negligent, then it sets them up for potential firings, further litigation and other risks."
Instead of disclosing payments, some organizations have included vague language in their 8-K filings regarding stolen data. For example, in 2023, Dish Network disclosed a ransomware attack in which threat actors encrypted the company's systems and also stole confidential data. In a breach notification letter, Dish said, "We are not aware of any misuse of your information, and we have received confirmation that the extracted data has been deleted," though the company did not confirm that it paid a ransom.
In the case of Cencora, the company's 8-K amendment included a vague but notable passage pertaining to the data stolen by attackers. The July 31 filing didn't state that the stolen data was destroyed, but said, "The Company has no evidence that any of the Data has been or will be publicly disclosed."
"What does that even mean?" Williams said.
If the victim organization in the Dark Angels attack was not Cencora, then the unnamed company has likely escaped making any significant disclosure. But if it was Cencora, then it means a major publicly traded company suffered a catastrophic breach but evaded disclosing damaging details, such as the $75 million payment and 100 TB of data stolen, all seemingly within the letter of the law.
"It's mind-blowing," Gerchow said of the situation.
What's additionally concerning for infosec professionals is that the SEC rules might benefit the attackers more than the public. For example, ransomware gangs have threatened to report victim organizations to the SEC if they don't give in to ransom demands, and in some cases the gangs have followed through with those threats.
As questions about the $75 million ransom payment persist, Gerchow said it's unlikely that companies will shift toward more transparency with the SEC's new disclosure requirement. "I feel like most companies right now aren't giving all the details, because they don't have to," he said. "It just doesn't have teeth."
Rob Wright is a longtime reporter and senior news director for Informa TechTarget's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.