
A Record-Setting Ransom: $75M Paid to Dark Angels


The Dark Angels ransomware group is a highly sophisticated threat actor that has emerged as a significant player in the cybercrime landscape. Known for its targeted attacks, substantial ransom demands, and advanced technical capabilities, Dark Angels has demonstrated a remarkable ability to compromise even the most well-defended organizations.

Dark Angels is believed to be a Russia-based cybercrime syndicate whose distinguishing characteristic is stealing truly staggering amounts of data from major companies across multiple sectors, including healthcare, finance, government, and education. For large businesses, the group has exfiltrated between 10 and 100 terabytes of data, a volume that can take days or weeks to transfer.

The group's toolset includes custom-developed malware and exploits that allow them to bypass traditional security measures and gain unauthorized access to victim networks. Dark Angels is particularly adept at exploiting vulnerabilities in VMware ESXi servers, which has enabled them to target a wide range of organizations, including critical infrastructure providers and government agencies.

In addition to their technical prowess, Dark Angels has also demonstrated a high level of operational sophistication. The group is known for its ability to conduct extensive reconnaissance, identify valuable targets, and execute attacks with precision. This level of organization and planning has contributed to their success in extorting large ransoms from their victims.

Analysis and Lessons Learned

The recent attack on a Fortune 50 company by the Dark Angels ransomware group offers valuable insights into the evolving threat landscape and the challenges organizations face in protecting their sensitive data. Here are some key takeaways from the incident:

Perimeter Defenses Failed to Prevent Initial Compromise

Despite having a sophisticated security infrastructure, the targeted company was unable to prevent Dark Angels from gaining initial access. This highlights the limitations of perimeter defenses such as Next-Generation Firewalls (NGFWs) and Secure Access Service Edge (SASE)/Secure Service Edge (SSE) in today's complex threat environment.

Dark Angels Successfully Evaded Detection

The ransomware group was able to bypass multiple security layers, including Intrusion Detection and Prevention Systems (IDPS), threat detection/behavioral analysis tools, Data Loss Prevention (DLP) solutions, and Endpoint Detection and Response (EDR) systems. This suggests that Dark Angels possesses advanced techniques and tools that allow them to evade detection and operate undetected within networks for extended periods.

Critical Assets Were Inadequately Protected

The ability of Dark Angels to extract high-value assets without disrupting the target company's operations indicates that critical systems and data were insufficiently protected. This highlights the need for organizations to prioritize the protection of sensitive assets and ensure that they have adequate controls in place to prevent unauthorized access and exfiltration.
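Exfiltration on the scale described above (tens of terabytes moved over days or weeks) shows up in flow data as sustained, not momentary, outbound volume from a small number of hosts. The following detector is an added example, not code from the article or from any vendor mentioned in it; the flow records and the thresholds (10x a host's own baseline and at least 1 TB in the trailing window) are constructed for illustration and would be tuned per environment.

```python
from collections import defaultdict
from datetime import date

GB = 1_000_000_000
TB = 1_000 * GB


def build_sample_flows():
    """Constructed per-host daily egress records: (day, host, bytes_out).
    wks-17 is an ordinary workstation; fileserver-01 is quiet for a week,
    then pushes ~6 TB/day outbound for three days (hypothetical data)."""
    flows = []
    for i in range(10):
        day = date(2024, 1, 1 + i).isoformat()
        flows.append((day, "wks-17", 3 * GB))
        flows.append((day, "fileserver-01", 20 * GB if i < 7 else 6 * TB))
    return flows


def daily_egress(flows):
    """Aggregate outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_sustained_exfil(flows, baseline_days=7, ratio=10.0,
                         window=3, min_total=1 * TB):
    """Flag hosts whose egress over the trailing window is both large in
    absolute terms and far above their own median daily baseline.
    Returns (host, total_bytes, first_day, last_day) per alert."""
    alerts = []
    for host, by_day in daily_egress(flows).items():
        days = sorted(by_day)
        if len(days) <= baseline_days:
            continue  # not enough history to establish a baseline
        base = sorted(by_day[d] for d in days[:baseline_days])
        median = base[len(base) // 2]
        recent = days[-window:]
        total = sum(by_day[d] for d in recent)
        per_day = total / len(recent)
        # Both conditions must hold: a busy backup server is large but not
        # anomalous; a chatty workstation is anomalous but not large.
        if total >= min_total and per_day >= ratio * max(median, 1):
            alerts.append((host, total, recent[0], recent[-1]))
    return alerts


if __name__ == "__main__":
    for host, total, start, end in find_sustained_exfil(build_sample_flows()):
        print(f"ALERT {host}: {total / TB:.1f} TB outbound between {start} and {end}")
```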

Lessons Learned

  • Invest in Advanced Threat Detection and Response: Organizations should consider adopting advanced threat detection and response technologies, such as artificial intelligence and machine learning-based solutions, to identify and mitigate sophisticated attacks.
  • Prioritize Data Protection: Sensitive data should be identified, classified, and protected using a combination of technical, administrative, and physical controls.
  • Conduct Regular Security Assessments: Regular security assessments can help identify vulnerabilities and weaknesses in an organization's security posture.
  • Implement Strong Incident Response Plans: Having a well-defined incident response plan can help organizations respond effectively to security breaches and minimize the impact of attacks.

Additional Note

Security firm Zscaler ThreatLabz has ranked Dark Angels as the top ransomware threat for 2024, noting that in early 2024 a victim paid the ransomware group $75 million — higher than any previously recorded ransom payment. This underscores the significant threat posed by Dark Angels and the importance of taking proactive measures to protect against their attacks.

Furthermore, according to Sophos' State of Ransomware report, the average ransomware payment has increased fivefold in the past year, from $400,000 in 2023 to $2 million. This trend highlights the growing profitability of ransomware attacks and the need for organizations to prioritize cybersecurity measures. Additionally, the report found that in more than four-fifths (82%) of cases funding for the ransom came from multiple sources, with 40% of total ransom funding coming from the organizations themselves and 23% from insurance providers. These findings emphasize the importance of a comprehensive approach to ransomware prevention and mitigation.
