Security Experts:

Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Cisco Disrupts Major Ransomware Operation Powered by Angler EK

Cisco says it has caused significant damage to the operations of a cybercriminal group that might have made millions of dollars using ransomware distributed with the aid of the notorious Angler exploit kit.

Cisco says it has caused significant damage to the operations of a cybercriminal group that might have made millions of dollars using ransomware distributed with the aid of the notorious Angler exploit kit.

Working with Level 3 Threat Research Labs and recently acquired DNS services provider OpenDNS, Cisco managed to gain new insight into Angler EK activity, including scale, management and data flow.

Attackers have used a single exploit server in their operations and since it’s important to keep this server shielded, the exploits are served through numerous proxies. Cybercriminals have also relied on a health server that monitors proxy servers and collects information on infected hosts.

According to Cisco, the threat actor whose operations have been targeted are responsible for up to 50 percent of all Angler exploit kit activity.

The cybercrooks are believed to have served exploits to roughly 9,000 unique IP addresses per day from each of their 147 proxy servers. Previous research conducted by the networking giant showed that roughly 40 percent of such attempts are successful, which results in approximately 529,000 systems compromised over the course of one month.

In order to calculate the attackers’ potential profit, Cisco took into account findings from previous research which indicate that around 62 percent of Angler infections deliver ransomware, with an average ransom of $300 demanded from each victim. According to a study conducted by Symantec, 2.9 percent of ransomware victims pay up, which means this cybercrime group could be making $3 million per month or well over $30 million annually, Cisco said.

Cisco managed to strike a significant blow to the operation after noticing that many of the proxy servers used by the attackers were hosted at Dallas-based cloud hosting services provider Limestone Networks. The company has not only shut down the malicious servers, but it has also allowed Cisco to gain insight into this Angler operation.

The investigation revealed that the attackers purchased 815 servers from Limestone over a one week period using stolen payment cards. This continued gradually until the malicious actors managed to build their server infrastructure. While it might seem that Limestone also benefited from this, the company says it actually lost $10,000 each month due to the malicious activity because the individuals whose payment cards were abused requested chargebacks once they discovered the fraud.

Cisco has also reached out to other hosting providers whose services have been abused, including the German company Hetzner.

In addition to shutting down the malicious servers, Cisco released Snort rules to detect and block checks conducted by the health servers, and published indicators of compromise (IoC) and communication mechanisms to help others protect themselves.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually,” Cisco said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe


Russian Vladislav Klyushin made tens of millions of dollars by hacking into U.S. computer networks to steal insider information.


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...