Hacking Group Dark Angels Steals $75 Million In Biggest Crypto Ransom Attack Ever

The Pennsylvania-based drug distributor Cencora fell victim to this unprecedented cyber assault, resulting in a staggering $75 million ransom payment made in Bitcoin, according to a recent report by Zscaler ThreatLabz.

Bloomberg first broke the news on Wednesday, revealing the scale of this digital heist that has set a new and troubling benchmark in the realm of cybercrime. The attack, which occurred in February this year, culminated in Cencora making three separate Bitcoin payments to the attackers in March.

Dark Angels, believed to be a Russian-based cybercrime syndicate, has been active since 2021. The group has gained notoriety for targeting a wide range of sectors, including healthcare, finance, government, and education and their modus operandi differs to most ransomware groups. According to Zscaler “the Dark Angels group employs a highly targeted approach, typically attacking a single large company at a time. This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks,”

This novel strategy has proven highly effective, as evidenced by the group’s previous high-profile attacks, including a $51 million demand from international conglomerate Johnson Controls in 2023.

Cencora first acknowledged the breach in a July regulatory filing, describing it as a “material cybersecurity incident” discovered in February. The company revealed that the exfiltrated data included personally identifiable information (PII) and protected health information, primarily maintained by a subsidiary providing patient support services.

CFO James F. Cleary stated in the filing, “The Company believes it has contained the incident, and the Company has undertaken remediation efforts, which are ongoing.” He also expressed confidence that the incident was not likely to materially impact the company’s financial condition, despite the enormous ransom payment.

While the Dark Angels attack was a record breaker, it has had no impact on the Cencora share price. Source: Yahoo Finance

Publically traded on the NYSE, Cencora Inc (COR) has a market capitalization of around $45 billion. Information from Yahoo Finance shows the company’s share price is up around 30% in the last 12 months and is a strong ‘buy and hold’ stock according to most analysts. While $75 million is one for the record books in terms of crypto ransoms paid, it is only 1.38% of Cencora’s average weekly revenue of around $5.5 billion.

The initial ransom demand from Dark Angels was an  $150 million, which would have dwarfed the previous record of $40 million paid by CNA Financial Corp in 2021 by 275%. While Cencora managed to negotiate this down to $75 million, the final figure still represents a quantum leap in the scale of ransomware payouts.

In response to the attack, Cencora has initiated collaborations with cybersecurity experts to bolster its IT systems and prevent future unauthorized access. However, the company has been tight-lipped about the specifics of the Bitcoin transactions used to pay the ransom.

Blockchain investigator ZachXBT took to social media platform X to share what he believes are the on-chain payments made to Dark Angels. “I think it’s a bad look when a large publicly traded company like Cencora does not share the BTC transactions for the $75M payment to Dark Angels ransomeware [sic] group so I will just post it for them,” he wrote.

The Dark Angels attack on Cencora is not an isolated incident but part of a troubling trend in the cybersecurity landscape. Blockchain research firm Chainalysis has estimated that over $449 million was lost to ransomware attacks in the first half of 2024 alone, putting the world “firmly on track for the worst year on record” in terms of ransomware-related losses.

The stolen data from Cencora includes sensitive client information such as names, addresses, dates of birth, diagnoses, and prescriptions. The full extent of the data breach and the number of affected individuals remain unclear, as does the question of whether Dark Angels has deleted the stolen information as promised.