In early 2024, Dark Angels ransomware actors gained access to a large publicly traded U.S. company, exfiltrated an eye-popping 100 TB of corporate data and then extorted the company for a record-breaking $75 million ransom payment. But nearly a year later, the victim organization still hasn't disclosed the massive payment or the full scope of the attack.

News of the $75 million ransom payment to Dark Angels first emerged on July 29 when cybersecurity vendor Zscaler published its "ThreatLabz 2024 Ransomware Report." In the report, Zscaler said it discovered in early 2024 an organization that made an "unprecedented" payout to the Dark Angels ransomware gang. Blockchain analytics firm Chainalysis later confirmed that $75 million, the largest ransom payment ever recorded, was paid to Dark Angels.

The following day, Zscaler posted additional information on X, formerly Twitter, that added intrigue to the situation. "ThreatLabz has uncovered a record breaking $75 million payment made by a Fortune 50 company to the #DarkAngels ransomware group," the company wrote.

Zscaler did not name the company and has consistently declined to identify the victim organization. However, a Bleeping Computer report posited that the company could be Cencora, a pharmaceutical giant formerly known as AmerisourceBergen. The report noted that Cencora -- currently No. 18 on the 2024 Fortune Global 500 list with $262 billion in revenue -- suffered a cyberattack in February, which it disclosed in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) on Feb. 27.

According to the filing, Cencora discovered on Feb. 21 that "data from its information systems had been exfiltrated, some of which may contain personal information." The company, which provides pharmaceutical distribution services for third-party drugmakers, said it commenced an investigation into the breach with "the assistance of law enforcement, cybersecurity experts and external counsel."

In an amendment to the 8-K filing on July 31, Cencora said it discovered that additional data had been exfiltrated by the attacker, including the personally identifiable information and protected health information of customers' patients. The amendment also stated there was no evidence the company's data "has been or will be publicly disclosed."

Notably, Cencora said the attack did not have a material impact on the company's operations and that its IT systems were fully operational. "The Company does not believe the incident is reasonably likely to materially impact the Company's financial condition or results of operations," the amendment stated.

Here are notable events in the Cencora breach, which might be connected to the $75 million ransom payment to the Dark Angels ransomware gang.

Cencora named

On Sept. 18, Bloomberg News reported that, according to sources familiar with the situation, Dark Angels received the $75 million ransom payment for the Cencora attack and that the original demand was $150 million. According to Bloomberg, a Cencora representative declined to comment on the report and said the company does not respond to rumors or speculation.

On the same day, an anonymous cryptocurrency researcher and investigator known as "ZachXBT" posted to X the details of three separate bitcoin transactions on March 7 and 8, allegedly made by Cencora to Dark Angels.

The Cencora representative also told Bloomberg that the company stands by its public disclosures, including a quarterly earnings report in July that detailed costs associated with the February breach. Cencora's fiscal Q3 earnings report included $31.4 million in "other" expenses for the previous nine months ending on June 30, the majority of which were related to the breach.

Brett Stone-Gross, director of threat intelligence at Zscaler, said numbers in SEC filings can be misleading, thanks to cyber insurance. "I've seen multiple companies that are publicly traded that have paid ransoms. I know there were large payments," Stone-Gross said. "I've looked at their SEC filings, and they've made statements that the breach cost them significantly less than what they paid in the ransom alone."

Cencora states on its website that it "maintains cyber insurance," but it's unclear who the carrier is and what the policy entails. Informa TechTarget contacted Cencora for comment, but the company did not respond by press time.

While Zscaler declined to identify the victim organization behind the $75 million ransom payment, Stone-Gross discussed the lack of transparency around the incident and the troubling trends it has illustrated.

'It was surprising'

Zscaler had previously offered little information about the record-setting ransomware payment and the incident behind it. The "ThreatLabz 2024 Ransomware Report" contains just a few short sentences about the attack, and the company is tight-lipped about many details, including how Zscaler first discovered the payment.

"Obviously, if we disclose how we obtain some information, we may potentially lose the ability to collect that information in the future," Stone-Gross said.

But Zscaler provided some insights about the attack and payment, the most notable of which was that Dark Angels threat actors managed to exfiltrate approximately 100 TB of data from the organization.

Stone-Gross said Dark Angels has proved to be adept at stealing significant amounts of sensitive data from victims. For example, in 2023, the ransomware gang encrypted the VMware ESXi virtual machines of Johnson Controls International, which produces building automation systems, and claimed to have stolen more than 27 TB of sensitive data.

However, Stone-Gross said the 100 TB number is astounding. "If you think about it from a network and mathematics standpoint, they were stealing data over a period of weeks," he said. "It takes a long time to steal that volume of data. And there's probably very few cases where you'd see terabytes of data leaving your network that are legitimate. That means that these large companies are failing to monitor their network."

Since the ThreatLabz report was published, Stone-Gross has seen an increase in the volumes of data stolen in extortion attacks.
"I'm starting to see now more groups stealing terabytes of data, whereas if you look at last year, it was more like 50 GB, or maybe 100 GB in some rare cases," he said.

Unlike other, more prolific ransomware gangs like LockBit and RansomHub, Dark Angels isn't a ransomware-as-a-service operation that outsources attacks to affiliate hackers. The Russian-speaking cybercriminal group has a dark web site under a different name, dubbed "Dunghill Leak," and doesn't have its own ransomware; Dark Angels has used variants of other ransomware such as Ragnar Locker.

In a blog post in October, ThreatLabz researchers noted that since emerging in 2022, Dark Angels consistently steals vast amounts of data and -- prior to the $75 million payment -- preferred to avoid publicity. "Prior to this event, the group has largely remained in the shadows due to their modus operandi, which is quite different from most ransomware groups," the blog post said.

Even with the alarmingly large amount of data stolen in this case, Zscaler ThreatLabz researchers were still taken aback by the size of the ransom payment. "It was surprising," Stone-Gross said. "What we've seen is an uptick in the size of payments. It's something that the Dark Angels group has been extremely successful with, as we mentioned in the report. And they have quite a unique approach to these breaches and how they operate."

Part of that approach includes a shift toward pure data theft and extortion attacks, and away from traditional ransomware deployment. In addition, Dark Angels has focused on "big-game hunting," or the practice of targeting one high-value organization at a time and stealing large amounts of sensitive data that could command exorbitant ransoms. The $75 million payment was an exclamation point for those trends, and one that could be cause for concern. Stone-Gross said that in this case, Dark Angels did not deploy ransomware in the victim organization's network.
Therefore, the biggest ransom payment ever recorded was made solely to prevent Dark Angels operators from publishing the stolen data.

The Dark Angels ransomware gang operates a leak site called 'Dunghill Leak' and typically focuses on high-value targets that can command large ransoms.

It represents a stark contrast to high-profile ransomware incidents of the past such as the infamous attack on Colonial Pipeline Co., which triggered fuel shortages in parts of the eastern U.S. The company paid a $4.4 million ransom to the now-defunct DarkSide ransomware gang, but law enforcement officials later seized $2.3 million of the payment.

Perhaps the biggest questions around the Dark Angels attack are why the victim organization paid a record-setting sum for an attack that did not cause any operational disruptions to the business, and what confidential information was contained in the 100 TB of stolen data.

Darren Williams, founder and CEO at cybersecurity vendor BlackFog, said the size of the payment indicates that Dark Angels obtained highly sensitive data within the 100 TB stolen from the victim organization. "It seems like they got more than just customer data," he said.

However, a threat analyst who wished to remain anonymous offered an alternative theory. "One of the things that you don't hear a lot about is that the stolen data in these ransomware attacks isn't as sensitive as you think," they said. "Sometimes ransomware gangs will come on strong and scare the decision-makers into paying before the victim can determine what data was actually stolen."

Therefore, the threat analyst said, it's possible that the massive size of the exfiltrated data made it difficult for the Fortune 50 company to fully verify what was stolen. The organization, which would have billions of dollars in annual revenue, might have simply made the $75 million payment as a matter of expediency, they said.
While many details remain a mystery, Stone-Gross said other ransomware and cybercriminal outfits have certainly taken note of Dark Angels' success and will likely try to replicate it. "The way they operate is likely to catch on with some of the other groups, where instead of going after hundreds or thousands of companies, you go after these very high-value targets," he said. "And this data extortion and exfiltration threat is increasing because a lot of these groups realize that the data that some of these companies hold is extremely valuable, and companies will go to great lengths to protect that data."
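Stone-Gross's point above, that moving 100 TB out of a network takes weeks of sustained traffic that legitimate activity rarely produces, is the kind of signal a per-host egress baseline would catch. The following is an added example written for this article, not code from Zscaler, Cencora or any party the article describes; the flow-summary records, hosts and byte counts are constructed, the documentation-range addresses (198.51.100.x, 203.0.113.x) stand in for external destinations, and the "internal" definition is assumed to be the three RFC 1918 ranges. It also includes the arithmetic behind the "network and mathematics standpoint" remark: the average link rate a given volume implies over a given number of days.

```python
"""Egress-volume anomaly detection over constructed flow-summary records.

Added example (not part of the original article and not any vendor's tool).
It aggregates outbound bytes per internal host per day, ignores internal-to-
internal traffic, and alerts when a host's external egress exceeds both an
absolute floor and a multiple of that host's own median from earlier days.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: "internal" means the RFC 1918 ranges; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries: "YYYY-MM-DD,src_ip,dst_ip,bytes_sent".
# 10.0.0.5 is a file server with steady ~40 GB/day of legitimate egress.
# 10.0.0.9 does a 900 GB internal backup on day 1 (must not count as egress),
# then starts pushing ~3 TB/day to an external host from day 3.
SAMPLE_FLOWS = """\
2024-02-01,10.0.0.5,203.0.113.10,40000000000
2024-02-02,10.0.0.5,203.0.113.10,41000000000
2024-02-03,10.0.0.5,203.0.113.10,39000000000
2024-02-04,10.0.0.5,203.0.113.10,42000000000
2024-02-01,10.0.0.9,10.0.0.5,900000000000
2024-02-01,10.0.0.9,198.51.100.7,20000000000
2024-02-02,10.0.0.9,198.51.100.7,21000000000
2024-02-03,10.0.0.9,198.51.100.7,3100000000000
2024-02-04,10.0.0.9,198.51.100.7,2900000000000
"""


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_egress(flow_text: str) -> dict:
    """Return {src_ip: {day: bytes}} counting only flows to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split(",")
        if is_external(dst):
            totals[src][day] += int(nbytes)
    return totals


def egress_alerts(flow_text: str, abs_floor_bytes: int = 10**12,
                  multiplier: float = 10.0) -> list:
    """Flag (src, day, bytes) where a host's external egress for the day is at
    least abs_floor_bytes (default 1 TB) AND more than multiplier times the
    median of that host's earlier days. The floor suppresses noise from small
    hosts; the per-host median keeps a busy but steady server from alerting."""
    alerts = []
    for src, per_day in daily_egress(flow_text).items():
        history = []
        for day in sorted(per_day):
            total = per_day[day]
            baseline = median(history) if history else 0
            if total >= abs_floor_bytes and total > multiplier * baseline:
                alerts.append((src, day, total))
            history.append(total)
    return alerts


def sustained_rate_mbit_s(total_bytes: int, days: float) -> float:
    """Average outbound link rate, in Mbit/s, needed to move total_bytes in `days`.
    100 TB over two weeks works out to roughly 660 Mbit/s, around the clock."""
    return total_bytes * 8 / (days * 86400) / 1e6


if __name__ == "__main__":
    for src, day, total in egress_alerts(SAMPLE_FLOWS):
        print(f"ALERT {day} {src} sent {total / 1e12:.2f} TB to external hosts")
    print(f"100 TB in 14 days ~= {sustained_rate_mbit_s(100 * 10**12, 14):.0f} Mbit/s")
```

Run as-is it flags 10.0.0.9 on 02-03 and 02-04 only; the 900 GB internal backup and the file server's steady 40 GB/day never alert. The two thresholds are deliberately conservative and would be tuned to the environment; the design point is that the baseline is per host, so a volume that is normal for a backup server is still anomalous for a workstation.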