Record-Breaking $75M Ransomware Heist

Ryan Williams Sr.
4 min read · Aug 7, 2024

In early 2024, a staggering $75 million ransom was paid by a Fortune 50 company to the Dark Angels ransomware gang, marking the highest known ransom ever paid. This unprecedented event, as reported by Zscaler ThreatLabZ, underscores the escalating sophistication and audacity of cybercriminals. But what can we learn from this heist, and how can we fortify our defenses?

The Anatomy of a Heist

Dark Angels, a ransomware group that emerged in May 2022, strategically targets high-value organizations, ensuring massive payouts by avoiding the typical “spray and pray” approach. They focus on breaching companies, moving laterally within their networks, and gaining administrative access. As mentioned in our podcast, “They breach organizations and then they move laterally throughout the organization to try to get administrative access” (Chris Abacon). This method includes encrypting VMware ESXi servers, raising critical questions about securing infrastructure against such sophisticated attacks.

Strengthening Cyber Defenses

The recent attack on ESXi servers highlights vulnerabilities that need addressing. Here are some measures organizations can take:

  1. Implement Lockdown Mode: Configure your VMware environment to allow management only via the vCenter, preventing direct access to ESXi hosts. As Daniel Acevedo pointed out, “There is something called lockdown mode. So in VMware environments, you can configure it to allow management only via the vCenter itself, which would prevent any direct access to ESXi host itself.”
  2. Restrict Unsigned Scripts: Disable the execution of unsigned scripts on ESXi hosts to prevent malicious encryptors from running. “You can restrict the unsigned scripts from running, disabling that will prevent unsigned scripts to execute on the ESXi host to prevent malicious executables such as encryptors from running on the host themselves” (Daniel Acevedo).
  3. Segregate Sensitive Systems: Separate hosts containing sensitive systems, such as domain controllers, to limit the lateral movement of attackers. “Segregate the domain controllers from the ESXi’s. So that way, if they encrypt one, then they don’t get to encrypt your whole other environment that sits on it” (Daniel Acevedo).
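The following audit script is an added example, not code from the article, the podcast or VMware: it checks the first two controls above on an ESXi host and can also run offline against constructed samples. It assumes the "unsigned scripts" restriction corresponds to the `/User/execInstalledOnly` advanced option, and that `esxcli` and `vim-cmd hostsvc/hostconfig` print in the layouts shown in the samples.

```shell
#!/bin/sh
# Added example (not the article's or VMware's code): audit two ESXi hardening
# controls. Parsers take command output as text; output layouts are assumptions.
# Constructed sample in the shape of
# `esxcli system settings advanced list -o /User/execInstalledOnly`.
ADV_WEAK='   Path: /User/execInstalledOnly
   Type: integer
   Int Value: 0
   Default Int Value: 0'
ADV_HARDENED=$(printf '%s\n' "$ADV_WEAK" | sed 's/^   Int Value: 0$/   Int Value: 1/')
# Constructed sample in the shape of `vim-cmd hostsvc/hostconfig`.
CFG_WEAK='(vim.host.ConfigInfo) {
   lockdownMode = "lockdownDisabled",
}'
CFG_HARDENED=$(printf '%s\n' "$CFG_WEAK" | sed 's/lockdownDisabled/lockdownNormal/')

# Return 0 when /User/execInstalledOnly is 1 (only VIB-installed binaries may run).
exec_installed_only_enabled() {
    printf '%s\n' "$1" | awk -F': *' \
        '$1 ~ /^[ \t]*Int Value$/ { v = $2 } END { if (v == "1") exit 0; exit 1 }'
}

# Print the lockdown mode: lockdownDisabled, lockdownNormal or lockdownStrict.
lockdown_mode() {
    printf '%s\n' "$1" | awk -F'"' '/lockdownMode = / { print $2; exit }'
}

# Report both controls; return 0 only when both are in the hardened state.
audit_host() {
    rc=0
    if exec_installed_only_enabled "$1"; then
        echo "PASS  execInstalledOnly=1"
    else
        echo "FAIL  execInstalledOnly=0 (fix: esxcli system settings advanced set -o /User/execInstalledOnly -i 1)"
        rc=1
    fi
    mode=$(lockdown_mode "$2")
    case "$mode" in
        lockdownNormal|lockdownStrict) echo "PASS  lockdown mode: $mode" ;;
        *) echo "FAIL  lockdown mode: ${mode:-unknown} (enable lockdown mode from vCenter)"; rc=1 ;;
    esac
    return $rc
}

# On an ESXi host use live output; elsewhere run against the constructed samples.
if command -v esxcli >/dev/null 2>&1 && command -v vim-cmd >/dev/null 2>&1; then
    audit_host "$(esxcli system settings advanced list -o /User/execInstalledOnly)" "$(vim-cmd hostsvc/hostconfig)"
else
    audit_host "$ADV_HARDENED" "$CFG_HARDENED"
fi
```

The third control (keeping domain controllers off the same hosts as the rest of the estate) is an architecture decision rather than a host setting, so it is not covered by this check.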

The Need for Cybersecurity Talent

This incident also sheds light on a significant issue within our industry: the shortage of skilled cybersecurity professionals. The Dark Angels have demonstrated their prowess, akin to a well-oiled machine, operating with the efficiency and sophistication of a legitimate enterprise. They have vision statements, mission statements, and a clear understanding of their objectives.

As cybersecurity professionals, we must attract and retain talent capable of countering such threats. This involves breaking down barriers to entry, such as excessive certification requirements and gatekeeping, which hinder the influx of fresh talent. “How do you recruit this talent? You don’t gatekeep them is what you don’t do. Like, to get a reasonable job in the current market you have to have a bajillion certifications, a bunch of degrees and decades of experience. The people on the other side of this don’t need any of that; they just need to be good at what they do” (Ryan Williams Sr.).

Moving Forward

Organizations must recognize the importance of integrating cybersecurity into their business strategy. It’s not just an expense but an investment in the continuity and security of their operations. We must build security into our growth plans and ensure that cybersecurity is a fundamental aspect of our infrastructure.

As we navigate the challenges of 2024 and beyond, let’s focus on creating a robust cybersecurity ecosystem, fostering talent, and implementing best practices to safeguard our digital assets.

Together, we can make significant strides in protecting our organizations from the ever-evolving landscape of cyber threats.

Final Thoughts

As we wrap up this discussion, it’s crucial to emphasize the importance of proactive cybersecurity measures. Companies need to stay ahead of the curve by continuously updating their security protocols and investing in cybersecurity talent. “No, but I mean, you’re absolutely right. Because the thing is it’s always been hard regardless for IT and cyber to break through to the business level, to kind of have a seat at the table to show what the importance is until it’s dire” (Daniel Acevedo).

Let’s learn from this unprecedented attack and work towards a more secure digital future. Remember, cybersecurity is not just a necessity; it’s a critical investment in the longevity and success of our businesses.

Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Mondays, Tuesdays, Wednesdays, and Fridays, as well as the Ask A CISSP podcast every Thursday. Please like, share, and subscribe.

Stay safe, stay secure!

Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current role at BuddoBot. BuddoBot’s mission is to support national security by transforming, empowering, and educating organizations to shift from reactive, diluted, automated, and high-cost IT and security practices to proactive, effective solutions that fortify their security.

Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO) for the U.S. Space Force, where he continues to enhance national security protocols.

Chris, a Navy veteran with over ten years in IT, information assurance, and risk management, currently works at CompliancePoint. His roles include vCISO, RMF assessor, and consultant, focusing on enhancing data security and privacy for various organizations.

Daniel is an Air Force veteran with over 15 years of combined experience in IT, cybersecurity, information assurance, and government risk compliance. He has held various roles, including IT administrator, cybersecurity engineer, senior information system security manager, and currently serves as a senior security consultant for Booz Allen Hamilton. In this latest role, Daniel leverages his expertise to address unique and complex challenges in the cyber and IT domains, enhancing his customers’ capabilities.

Ryan Williams Sr.

Cybersecurity Professional | CISSP | PMP® | Founder & Host of The Other Side of the Firewall & Ask A CISSP Podcasts | Retired U.S Air Force Vet | DE&I Advocate