Cisco says it has caused significant damage to the operations of a cybercriminal group that might have made millions of dollars using ransomware distributed with the aid of the notorious Angler exploit kit.
Working with Level 3 Threat Research Labs and recently acquired DNS services provider OpenDNS, Cisco managed to gain new insight into Angler EK activity, including scale, management and data flow.
Attackers have used a single exploit server in their operations and since it’s important to keep this server shielded, the exploits are served through numerous proxies. Cybercriminals have also relied on a health server that monitors proxy servers and collects information on infected hosts.
According to Cisco, the threat actor whose operations have been targeted is responsible for up to 50 percent of all Angler exploit kit activity.
The cybercrooks are believed to have served exploits to roughly 9,000 unique IP addresses per day from each of their 147 proxy servers. Previous research conducted by the networking giant showed that roughly 40 percent of such attempts are successful, which results in approximately 529,000 systems compromised over the course of one month.
In order to calculate the attackers’ potential profit, Cisco took into account findings from previous research which indicate that around 62 percent of Angler infections deliver ransomware, with an average ransom of $300 demanded from each victim. According to a study conducted by Symantec, 2.9 percent of ransomware victims pay up, which means this cybercrime group could be making $3 million per month or well over $30 million annually, Cisco said.
Cisco managed to strike a significant blow to the operation after noticing that many of the proxy servers used by the attackers were hosted at Dallas-based cloud hosting services provider Limestone Networks. The company has not only shut down the malicious servers, but it has also allowed Cisco to gain insight into this Angler operation.
The investigation revealed that the attackers purchased 815 servers from Limestone over a one-week period using stolen payment cards. The purchases were made gradually until the malicious actors had built up their server infrastructure. While it might seem that Limestone also benefited from this, the company says it actually lost $10,000 each month due to the malicious activity, because the individuals whose payment cards were abused requested chargebacks once they discovered the fraud.
Cisco has also reached out to other hosting providers whose services have been abused, including the German company Hetzner.
In addition to shutting down the malicious servers, Cisco released Snort rules to detect and block checks conducted by the health servers, and published indicators of compromise (IoC) and communication mechanisms to help others protect themselves.
“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually,” Cisco said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.