$75 Million Ransomware Payment Exposed in New Zscaler Report

One of the largest ransomware payouts that’s become public was reported Tuesday by cloud security firm Zscaler.

The US$75 million payment made to the Dark Angels ransomware group was discovered by Zscaler’s security research arm ThreatLabz earlier this year, according to the company’s annual ransomware report, which covers a period from April 2023 to April 2024.

Zscaler did not disclose the name of the company that paid the ransom.

“Dark Angels operates differently than most other ransomware groups,” observed Zscaler’s Director of Threat Intelligence Brett Stone-Gross.

“Instead of outsourcing attacks to affiliates, they’re launching the attacks and doing it at a much smaller scale,” he told TechNewsWorld. “Instead of targeting dozens or hundreds of companies, they’re going after very large companies one at a time.”

The group also departs from the modus operandi of most of its peers in another way. “They steal a large amount of data, but they want to avoid business disruption,” Stone-Gross said. “They want to stay out of the headlines because it reduces the amount of scrutiny they will get from law enforcement and researchers.”

The Dark Angels ransomware group’s strategy of targeting a small number of high-value companies for large payouts is a trend worth monitoring, the report noted.

Zscaler ThreatLabz predicted that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics. To maximize their financial gains, they will focus on high-value targets and increase the significance of data theft.

Data theft has already become part of the game plan of many ransomware actors, added Steve Stone, head of Zero Labs at Rubrik, a global data security and backup software company. “Ransomware actors aren’t just encrypting environments and asking for a ransom,” he told TechNewsWorld. “They’re doing that and stealing data so they can make an extortion demand. It’s effectively a double ransom.”

Growing Menace

Zscaler also reported that the number of ransomware attacks blocked by its cloud increased by 17.8% during the reporting period, and the number of extorted companies on data leak sites grew by 57.8% in the same period, despite numerous law enforcement operations, including the seizure of infrastructure, arrests, criminal indictments, and sanctions.

Chris Morales, CISO at Netenrich, a security operations center services provider in San Jose, Calif., identified several factors contributing to the growth of ransomware. They include expanded attack surfaces due to remote work and cloud adoption, more sophisticated ransomware attacks often involving data exfiltration and the democratization of attack tools through ransomware-as-a-service.

“We’re also seeing larger-scale breaches affecting millions of users at once,” he told TechNewsWorld. “This surge not only highlights the urgent need for a paradigm shift in security operations, but it also underscores the need for immediate action, moving towards more proactive, data-driven strategies.”

“We expect breaches and ransomware attacks to continue increasing in the second half of 2024, especially targeting healthcare, manufacturing, critical infrastructure, and supply chains,” added Stephen Kowski, field CTO at SlashNext, a computer and network security company in Pleasanton, Calif.

“Recent high-profile incidents, such as the health care and car dealership vendor hacks, highlight the ongoing vulnerabilities,” he told TechNewsWorld. “To combat this, organizations need to focus on strengthening email security, implementing zero-trust architectures, and improving threat detection and response capabilities.”

Top Sector Targets

Manufacturing, health care, and technology were the top sectors targeted by ransomware attacks, according to the report, while the energy sector experienced a 500% year-over-year spike as critical infrastructure and susceptibility to operational disruptions make it particularly attractive to cybercriminals.

Among the top targets for cyber extortion, manufacturing led the pack. It was targeted more than twice as much as any other industry.

“Many manufacturing organizations have been around for a long time, and there’s a lot of legacy habits that do not serve them well when it comes to ransomware,” noted Stone of Zero Labs.

Marcus Fowler, CEO of Darktrace Federal, a global cybersecurity AI company, explained that critical infrastructure providers and manufacturing companies are increasingly pursuing information technology and operational technology convergence as the data collection and analysis benefits can dramatically improve production efficiency, maintenance, and scaling.

“With IT/OT convergence expanding attack surfaces, security personnel have increased workloads that make it difficult to keep pace with threats and vulnerabilities,” he told TechNewsWorld.

“The manufacturing industry has been undergoing significant digitization in order to become more agile and efficient,” added Rogier Fischer, CEO of Hadrian, the maker of an automated, event-based scanning solution in Amsterdam.

“The downside is that processes that were effectively air-gapped are now connected to corporate IT systems,” he told TechNewsWorld. “The interconnectivity of OT and IT environments, along with the historically less cyber-aware manufacturing industry, makes the sector an attractive target.”

Need for Zero Trust

Zscaler’s Chief Security Officer Deepen Desai maintains that ransomware defense remains a top priority for CISOs in 2024. “The increasing use of ransomware-as-a-service models, along with numerous zero-day attacks on legacy systems, a rise in vishing attacks, and the emergence of AI-powered attacks, has led to record-breaking ransom payments,” he said in a statement.

“Organizations must prioritize zero trust architecture to strengthen their security posture against ransomware attacks,” Desai added.

Fischer noted that zero trust is part of a mindset shift. “It’s going from the reactive ‘how can I detect an attack underway’ or ‘how can I respond to an incident’ to a proactive ‘how can I keep bad actors out.’ Zero trust and offensive security principles help organizations mitigate cyber risk proactively.”

Cybersecurity prioritization and investment before a cybercriminal strike is critical for organizations of all sizes, added Anne Cutler, a cybersecurity evangelist at Keeper Security, a password management and online storage company in Chicago.

“A zero-trust security model with least privileged access and strong data backups will limit the blast radius if a cyberattack occurs,” she told TechNewsWorld. “Additionally, strong identity and access management on the front end will help prevent the most common cyberattacks that can lead to a disastrous data breach.”

However, Steve Hahn, executive vice president for the Americas of BullWall, a provider of ransomware containment, protection, and mitigation solutions in Denmark, cautioned that while zero trust will certainly lessen the chances of an attack, the journey is typically very long for customers and still not a silver bullet.

“Zero-day attacks, shadow IT, personal devices, IoT devices, these are all attack vectors for ransomware,” he told TechNewsWorld, “and once the encryption begins at the shared drives, whether those are cloud or local, it’s only a matter of time before all of the data is encrypted, even with zero-trust network architecture in place.”