Unprecedented $75 Million Ransomware Payout: Lessons Learned and How to Protect Your Data

Recently, there has been alarming news on the ransomware front. It has become known that the highest known ransomware payout was made to a ransomware gang following a significant cybersecurity breach and evident ransomware attack. The news is troubling as it may well set a new trend in ransomware attacks that businesses everywhere should take note of. Let’s see what we can learn from the attack and what strategies organizations can use to protect their data.

What happened

In early 2024, news broke that there was an undisclosed victim of a ransomware attack who paid their attacker, the Dark Angels group, a reported $75 million ransom payment. This is a new record and the highest known ransomware payout in history. It also sets an extremely worrying trend in ransomware attacks – high-profile targets and high payouts.

There is much speculation regarding the victim. However, the victim could be a major undisclosed pharmaceutical company. Whatever the case, they were most likely a large organization that was strategically targeted. As part of a worrying trend, attackers are hand-picking and looking for high-value organizations that are likely to be able to come up with the large ransom payment demanded.

From what is currently known about this recent high-payout ransomware attack, the ransomware gang evidently knew what they were doing and carried out the attack in a sophisticated way. The successful attack shows that even large organizations with traditional security solutions in place can still fall victim to vulnerabilities and minor slips in security, such as an end-user falling for a phishing scam. It serves as a reminder of the devastating potential of ransomware attacks and the need for cutting-edge and modern cybersecurity measures.

The Dark Angels ransomware group

The Dark Angels ransomware gang has been around since at least May 2022. They seem to specialize in high-stakes ransomware attacks with big payouts. They are also known for their “Big Game Hunting” strategy. This is a type of attack targeting large corporations and then demanding significant ransom payouts. The group’s attacks involve meticulous planning and sophisticated deployment of malware. They can also use zero-day vulnerabilities to gain access to critical systems. Dark Angels use stolen data to pressure their victims to pay the ransom demanded.

Other recent attacks by Dark Angels ransomware gang:

• Nexperia: In April 2024, Dark Angels attacked Nexperia, a Dutch chipmaker, and stole 1 terabyte of data. This stolen information included sensitive client and production data. The group used the double extortion tactic of threatening to release sensitive data unless the ransom was paid.
• Johnson Controls: In September 2023, the Dark angels group attacked Johnson Controls. The group stole 27 terabytes of sensitive data and demanded a $51 million ransom. The stolen data included information linked to the U.S. Department of Homeland Security.

How Was the Attack Carried Out?

The exact details of this attack are not known. However, we do know the typical pattern followed by Dark Angels in past attacks. They usually use a method that has become known as “Big Game Hunting” where they target usually very large and financially capable organizations that will likely be able to pay the large ransom sums demanded.

Likely, the group infiltrated the victim network using common attack vectors like a phishing campaign, allowing them to gain a foot in the door. Once the network is breached, they move laterally across the network, attempting to escalate privileges, until finally they gain admin access to systems.

The group has been known to deploy Linux encryptor utilities, which makes sense, as the group is thought to be a resurrection of part of the groups behind Babuk and Ragnar Locker. Using ransomware encryptors, critical systems and data are encrypted. They are also known to go after backups to ensure data cannot be restored using legitimate means, forcing the hand of a ransom payment.

They typically use advanced obfuscation techniques and exploit zero-day vulnerabilities in software and applications. Undoubtedly, the $75 million attack was meticulously planned and carried out by highly-skilled threat actors.

Why Was the Ransom Demand So High?

There are several factors that may have contributed to the exorbitant ransom sum demanded. First, we can’t lose sight of the fact that the group is financially motivated. So, they are looking for large payments for victims they target. It is reported the victim in this case is a Fortune 50 company, so they likely have the financial means to pay such a large sum of money.

Cybercriminals usually understand their victims quite well as they are hand picked or targeted. Ransom demands are generally tailored based on the ability of the victim to pay the ransom amount. In this attack, the threat actors knew the victim had the means to pay the ransom amount to avoid significant disruption.

Also, it can depend on the content of the data that is stolen. If stolen data contains highly sensitive and critical data, the consequences for that data being leaked, lost, encrypted, or otherwise lost can be significant. The financial damages from the disruption can often be more costly than paying the ransom demanded. In this particular attack, Dark Angels made sure the victim saw paying the ransom as the lesser of two evils.

Timing can also weigh into the amount of the ransom. If an organization is in the middle of an important period such as during a product launch or a fiscal reporting period, the urgency to resolve interruptions to operations is heightened. This factor can lead to attackers demanding a much higher ransom.

How Could the High Payout Embolden More Cyberattackers?

The news of the Dark Angel’s record-setting attack and payout may set a dangerous precedent. It will likely embolden other attackers to go after similar high-reward targets. These are victims who will likely have the means and motivation to pay hefty ransom sums to gain access back to their data. We could well see an increase in ransomware attacks targeting these same types of large corporations.

Also, in regards to the tactics, it may lead to other ransomware gangs adopting similar sophisticated attacks. The extremely lucrative payout to Dark Angels will no doubt attract more individuals to engage in malicious cyber activities and escalate the threat landscape.

It also means more challenges and threats that cyber professionals will have to guard against in protecting critical data. In addition to implementing security best practices, organizations must adopt advanced security measures, comprehensive incident response plans, and be proactive about cybersecurity and not reactive.

SpinOne’s Ransomware Protection for Cloud SaaS Environments

SpinOne is a modern cybersecurity solution that provides critical protection for cloud SaaS environments. SaaS environments like Google Workspace, Microsoft 365, and Salesforce are used by organizations today for many day-to-day operations, including communication, collaboration, and productivity. Attackers are starting to target these SaaS environments as they realize businesses are pivoting over to these services.

SpinOne’s ransomware protection is second to none and provides one of the top SLAs in the industry for recovering from a ransomware attack in SaaS environments within 2 hours.

What is SpinOne Ransomware Protection?

SpinOne’s ransomware protection includes many features. It uses a combination of AI-driven threat detection and automated responses and executes quick recovery processes to protect your cloud SaaS platforms. It provides a fully automated cybersecurity incident response solution. Cybersecurity automation can identify, isolate, and mitigate ransomware threats in real-time, even recovering any affected data as part of the automated response.

How It Works

SpinOne’s ransomware protection continuously monitors cloud SaaS environments for signs of ransomware activity using advanced machine learning algorithms. When it detects a ransomware attack, it automatically blocks the source of the ransomware attack. It isolates and recovers affected files and then alerts admins of the attack and automated recovery operations. 

At the heart of the ransomware protection solution, SpinOne leverages its data backup and recovery capabilities. It incrementally backs up SaaS data using cloud-to-cloud backup so the data can be recovered quickly to a pre-attack state.

Using proactive threat detection and reliable recovery processes, SpinOne provides comprehensive ransomware protection and critical data protection.

Features:

• Automated threat detection – It uses AI and machine learning to detect and stop ransomware threats
• Backup and Recovery – It take incremental backups of SaaS data and then can efficiently recover data to the cloud
• Alerting – It provides immediate notifications to admins about possible threats and any automated actions taken
• Reporting – Spinone provides detailed reports that give you visibility to threats, response actions, and overall security
• Compliance – Organizations are helped to meet regulatory compliance requirements with Spin’s strong security and reporting capabilities
• User Behavior Analytics – It monitors user activities to detect behaviors that may indicate abnormal activity, such as a ransomware attack.
• Automated Incident Response: It executes response actions to contain and mitigate threats like ransomware

This latest high-profile news of the record-setting ransomware attack by Dark Angels emphasizes that organizations must take securing their critical data very seriously. These types of attacks are becoming more sophisticated and emboldened by the financial payouts. Modern and next-generation solutions like SpinOne must be adopted to protect cloud SaaS environments. Using SpinOne’s advanced threat detection and automated response mechanisms will help businesses safeguard their data and help make sure that business continuity is maintained by mitigating the impact of ransomware.