Cisco researchers recently announced that they’d disrupted a significant revenue stream generated by the Angler Exploit Kit, which has been used to distribute a wide variety of malware, including several high-profile ransomware campaigns.
“In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30 million annually,” Cisco Talos Security Intelligence and Research Group threat researcher Nick Biasini wrote in a blog post.
As a result, Biasini noted, it’s reasonable to assume that the full scope of Angler activity likely generates more than $60 million a year.
Cisco took the following actions to disrupt Angler:
- Shutting down access for customers by updating products to stop redirects to the Angler proxy servers
- Released Snort rules to detect and block checks from the health checks
- All rules are being released to the community through Snort
- Publishing communications mechanisms including protocols so others can protect themselves and customers
- Cisco is also publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers
- Contacted affected hosting providers to shut down malicious servers
“Limestone Networks’ hosting environment was responsible for a large percentage of Angler activity,” Biasini wrote. “Now, with the help of Talos, they are currently no longer being used as hosting provider by Angler customers, and we were able to develop the coverage necessary to block the back-end communication, dealing a significant blow to Angler’s ability to compromise users.”
Authentic8 CEO and co-founder Scott Petry told eSecurity Planet by email that it’s worth noting that ransomware is generally designed to be stealthy. “This isn’t the old days where viruses were intended to make headlines,” he said. “Ransomware has to be invisible to users and even IT. This is why zero day vulnerabilities are so dangerous. Ransomware sits and watches, then encrypts as many files as possible before revealing itself and demanding a ransom.”
“Instead of asking for unreasonable amounts, savvy criminals ask for small amounts, like $300,” Petry added. “Most businesses will choose to pay rather than risk losing data, incurring more costs from recovery, or having the incident made public (which is incredibly embarrassing for law enforcement and government).”
A KnowBe4 survey last year of more than 300 IT professionals found that 73 percent of respondents said they’re very or extremely concerned about the impact of ransomware. And while most respondents said they’d try to use backed up data to avoid paying a ransom, 57 percent admitted they would pay the ransom if their backup failed.