December 23, 2024

As cyberthreats continue to escalate in frequency and sophistication, ransomware attacks remain among the costliest and most damaging for businesses. An emerging ransomware strategy, dubbed “data ransom” or “big game hunting,” has been yielding massive payoffs for at least one ransomware gang, and should be on every organization’s radar.  

As first reported earlier this year, a low-profile but highly successful Russian cybercrime family called Dark Angels has been hammering large companies across industries with a targeted ransomware approach. Most famously, they are credited with extorting a record-shattering $75 million ransom from Fortune 50 pharmaceutical manufacturer Cencora, formerly AmerisourceBergen, back in February 2024.  

Dark Angels is also known for demanding a $51 million ransom from smart buildings technology manufacturer Johnson Controls in September 2023, after reportedly absconding with 27 TB of confidential data. In this instance, the attack included encrypting systems, leading to a $27 million remediation cost. 

Silent but deadly 

Unlike most ransomware outfits, which launch multiple unselective attacks while outsourcing much of the work to affiliates, Dark Angels’ data ransom methodology targets one large enterprise at a time and keeps all attack steps in-house. Once a victim is compromised, the attackers initially focus on exfiltrating terabytes of data—up to 100 TB, which would take weeks to transfer. Then they decide whether to encrypt systems to disrupt operations, or just quietly extort a ransom by threatening to publicly release massive data volumes.  

Zscaler ThreatLabz recently named Dark Angels the world’s top ransomware threat, echoing the attention that other cybercriminals are no doubt paying to this organization and its tactics. As Zscaler put it, “…targeting a small number of high-value companies for large payouts is a trend worth monitoring.”  

Few ransomware groups use Dark Angels’ tactic of foregoing business disruption and shunning public recognition for their successes. As a result, the group has been highly successful taking down major corporations while attracting little attention from security researchers—until now. 

Researchers predict that stealing huge volumes of data and then extorting a heavyweight payment for not releasing it will increase in significance among ransomware attacks due to Dark Angels’ success and the size of their payouts. According to Sophos’ The State of Ransomware 2024 report, the average ransomware payout has already increased 500% since 2023, from $400,000 to $2 million.  

Do customers face the most risk from data ransom attacks?

Putting the Cencora ransom payment in perspective, the company’s revenues are over $250 billion annually. They make $76 million in a few hours. The company asserted in its SEC breach disclosure filing that the attack would not materially impact their finances.  

But what about their customers? The data stolen from Cencora was reported to contain sensitive personal and health data like names, addresses, birthdates, medical diagnoses, and prescriptions used. Whether Dark Angels actually deleted the stolen records or will disclose or otherwise misuse them at a later point is unknown. This puts Cencora customers at risk of identity theft, fraudulent purchases, malicious account usage, blackmail/extortion, and other potential crimes. 

What organizations are most at risk for data ransom attacks? 

Dark Angels and other big game hunters target a wide range of industries. What most characterizes their victims are deep pockets and large data volumes. Only enterprises that have leaked huge amounts of sensitive data and strongly want to avoid negative publicity are likely to pay multi-million-dollar ransoms.  

Some of the most common victims of big game hunting or data ransom attacks include: 

  • Fortune 1000 corporations 
  • Banks and other financial services companies 
  • Healthcare organizations 
  • Utilities 
  • Educational institutions 
  • Technology companies and other manufacturers 
  • Telecommunications firms 
  • Large government agencies 
  • Other organizations with significant income, valuable intellectual property and/or other highly sensitive data 

How can my company defend against data ransom attacks? 

To infiltrate victims’ networks, Dark Angels and other sophisticated attackers rely on tried-and-true tactics like phishing emails, compromised credentials, unpatched known vulnerabilities in third-party software (e.g., Microsoft Windows, Oracle WebLogic), and common web application vulnerabilities like security misconfigurations, open cloud storage, and broken access controls. 

Having gained network access, an attacker must move laterally across systems and successfully escalate privileges to compromise an administrator level account and control sensitive data. Exfiltrating terabytes of data requires days or even weeks to complete, giving defenders a chance to spot the exploit if they are looking.  

The top steps companies should take now to protect against all forms of ransomware attack include: 

  • Segmenting networks and otherwise applying zero trust principles to limit attackers’ lateral movement. 
  • Using multifactor authentication (MFA) to reduce risk from stolen application credentials. 
  • Enforcing least privilege policies to reduce risk from stolen administrator credentials. 
  • Monitoring network traffic to identify indicators of compromise (IoCs), such as large outgoing data transfers from network file storage, virtual servers, etc. 
  • Patching systems to fix known vulnerabilities before attackers can exploit them. 
  • Leveraging threat detection and response technology to identify and alert on suspicious network activity and protect endpoints. 
  • Using traditional anti-malware tools to detect and automatically block known ransomware signatures. 
  • Enforcing a strong password policy to reduce risk from reused and easily guessable passwords. 
  • Exposing staff to ongoing cybersecurity awareness training to reduce phishing risk. 
  • Conducting routine penetration tests to identify and rank vulnerabilities and gauge the overall effectiveness of your cybersecurity posture. 
  • Implementing and regularly testing a backup/restore process that protects sensitive data from unauthorized encryption with secure, offsite storage. 
  • Implementing a disaster recovery process to accelerate recovery and minimize damage from cyberattacks. 
  • Keeping senior leadership informed about the company’s cybersecurity posture and cyber risk mitigation strategies.  

While this list might seem overwhelming, these capabilities are table stakes for modern organizations that hold sensitive data to stay competitive, build stakeholder trust, and mitigate unacceptable reputational and business continuity risk from ransomware and other cyberthreats. Compliance with trusted cybersecurity and privacy control frameworks like ISO 27001, CMMC, or GDPR requires a similar level of commitment. 

What’s next? 

CBIZ Pivot Point Security has extensive experience helping organizations of all types and sizes to establish and maintain best-practice controls that mitigate threats and protect sensitive data from ransomware and other cyberattacks. We work closely with client teams to evaluate the control effectiveness, ensure alignment with relevant regulations, and create management systems and strategies that enable your organization to proactively manage its ever-evolving cybersecurity and privacy risks. 

Contact us today to discuss your business goals and questions with a cybersecurity expert.