Massive Angler Exploit ransomware network shutdown by Cisco
The company said unnamed hackers used the Angler Exploit Kit to take advantage of vulnerabilities in common browser plugins, such as Flash and Java.
Researchers at a Cisco security unit have successfully interrupted the spread of a massive global exploit kit which is commonly used in ransomware attacks, holding user data hostage and demanding payment for its release.
Through July, they observed activity from one exploit server and one health monitoring server, which performed health checks on host machines and remotely erased log files on hosts.
The company found that an inordinate number of proxy servers used by Angler were located on servers of hosting company Limestone Networks out of Dallas, Texas, with the main threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30 million annually. Cisco informed the cloud provider, Limestone Networks, of the malicious purposes a few of their servers were being used for, and they were immediately shut down.
Limestone maintains that it supported the spread of Angler unknowingly, and responded efficiently in aid of the Cisco investigation and the security of its users.
The research effort also involved Level 3 Communications, which allowed Cisco to copy the authentication protocols the Angler criminals use for their interaction with their prey. The servers had been hired by cybercriminals using stolen payment details. “While you may think ‘that’s the command-and-control server,’ actually it’s not.”
“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information are generating hundreds of millions of dollars annually”, Cisco stated in the blog post. “The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure”.