Cisco Takes Down $60 Million Worldwide Hacker Operation
Talos manager Craig Williams suggested that the research and consequent action will be “really damaging” to the attackers’ network, adding that since Limestone cut off the criminal servers, the rate of Angler infections had fallen dramatically.
By knowing the protocols, security companies will be able to cut off infected computers easily, Cisco said.
Researchers at a Cisco security unit have successfully interrupted the spread of a massive global exploit kit commonly used in ransomware attacks, which hold user data hostage and demand payment for its release.
During its research, Cisco “found that a large amount of Angler activity was focused with a single hosting provider, Limestone Networks”, and worked with the Dallas-based company to “gather a few previously unknown insights into Angler”.
Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software.
To block the attacks, Talos updated products to prevent redirects to the Angler proxy server and patched the vulnerabilities Angler used.
One primary actor is responsible for 50 percent of Angler’s activity and is making over $30 million per year from ransomware alone, according to researchers, who therefore estimate that Angler overall could be generating $60 million from ransomware. A single exploit server is responsible for serving the malicious activity through multiple proxy servers. “This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually”. The servers had been hired by cybercriminals using stolen payment details.
“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information are generating hundreds of millions of dollars annually”, Cisco stated in the blog post. “It’s just an intermediary between the proxy servers and the real command-and-control or exploit server”.