Cisco Talos Thwarts Massive Ransomware Campaign Netting $30M+ Annually

Cisco Talos managed to disrupt a major ransomware campaign that researchers believe netted a hacker more than $30 million per year. The team determined that the Angler Exploit Kit used proxy servers at service provider Limestone Networks, and that the primary threat actor was responsible for up to 50 percent of Angler Exploit Kit activity, according to a report on the Talos website. The attackers targeted as many as 90,000 victims per day.

Talos gained visibility into the network’s global activity, including the attackers’ domain activity, through a collaboration with Level 3 Threat Research Labs, Talos noted.

The disruption marks a victory in efforts to eliminate the Angler Exploit Kit, which is considered one of the most sophisticated kits available, according to an analysis on

Unique IP Addresses Seen By Hour Angler Proxy Server.

Team Thwarts Angler Exploit Kit

There was a total of 17 unique ASNs observed in the month, according to Talos. Among these, Hetzner and Limestone Networks were responsible for almost three-quarters of the total volume for the month. These two providers appeared at first to handle most of the Angler infections. But when the data was plotted against the unique IP addresses, a different story emerged.

Almost three-quarters of the exploits that were served to users were Adobe Flash-related. This outcome was expected given the two Adobe Flash 0-days Angler leveraged during the month. But the remaining two exploit groups were surprising. The Internet Explorer vulnerability CVE-2014-6332 accounted for a little more than 20% of the infections and was the second largest group.

Most surprising was the final group; Silverlight vulnerabilities were served to about 2% of the users.

The three exploit classes that Angler leveraged were Flash, IE and Silverlight. Talos noted that the omission of Java was shocking. Historically, most exploit kits have exploited Java, since there is a significant pool of users running older Java versions.

Limestone Teams With Talos

Limestone provided Talos with disk images of the servers that carried out the activity. The researchers were then able to get a better idea of the campaign’s scope and scale, including how the attacker was monetizing the malware. Working together, Limestone and Talos were able to take the servers offline.

Breakdown of User Agent Activity Seen.

The attacker relied on a proxy/server setup, in which one exploit server directs multiple proxy servers. This allowed the attacker to change the malware and avoid getting caught. Over 30 days, Talos observed one server connecting to 147 other proxy servers that obscured malicious traffic.

Angler ultimately compromises 40 percent of users hit with exploits, according to Talos. Each of the 147 servers compromised 3,600 users, for 529,000 systems over the course of the month. If around three percent of users paid the ransom, this attacker netted $3 million a month, or $34 million a year. The researchers predict Angler could have raked in $60 million annually had they not halted the campaign.

In one day, Talos found 9,000 unique IP addresses with around 3,600 compromised users. The average amount paid by a user who pays the ransom is $300, delivering more than $34 million annually.

The “smoke and mirrors” proxy/server technique is still in the developmental stages, according to Dan Hubbard, CTO of OpenDNS (recently acquired by Cisco), but it can be effective until the servers are dismantled.

Hubbard noted that criminals can build proxy networks that allow them to scale linearly, similar to a CDN or real web service. They can remove these proxies without affecting service. This technique also allows them to obscure their real infrastructure.

According to OpenDNS, the campaign used 15,000 unique sites to push Angler. Sixty percent of the infections delivered either CryptoWall 3.0 or TeslaCrypt 2.0 to its victims.


Targets: Adobe Flash And IE

Users running unpatched versions of Adobe Flash and Internet Explorer were common targets, particularly those who navigated to adult websites and obituary websites frequently. The attacker used obituary websites as a means to target the elderly, according to Talos. Conventional wisdom holds the elderly are more likely to use unpatched versions of IE and be susceptible to ransomware.

Angler Has Expanded

Angler was first identified back in 2013 and has grown over the past 12 months.

The kit began using a technique in March called domain shadowing, whereby attackers use stolen domain registrant credentials to build lists of subdomains to redirect victims to, to attack sites, or to serve as hosts for malicious payloads.
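
One defensive heuristic for the domain shadowing described above, added here as an illustration and not taken from the Talos or OpenDNS research: flag a registered domain when several subdomains first seen within 24 hours resolve outside the network that hosts its apex and www names. The passive-DNS rows, the 24-hour window, the threshold of three, the /24 comparison and the function names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed passive-DNS rows (first seen, hostname, A record); all values are made up.
OBSERVATIONS = [
    ("2015-03-01T09:00", "example-shop.test", "192.0.2.10"),
    ("2015-03-01T09:00", "www.example-shop.test", "192.0.2.10"),
    ("2015-03-01T09:05", "mail.example-shop.test", "192.0.2.25"),
    ("2015-03-20T14:00", "qzkx.example-shop.test", "198.51.100.7"),
    ("2015-03-20T14:20", "hrtw.example-shop.test", "198.51.100.7"),
    ("2015-03-20T15:10", "mbvd.example-shop.test", "198.51.100.9"),
    ("2015-03-01T10:00", "other-site.test", "203.0.113.5"),
    ("2015-03-02T08:00", "blog.other-site.test", "198.51.100.200"),
    ("2015-03-12T08:00", "cdn.other-site.test", "198.51.100.201"),
    ("2015-03-25T08:00", "shop.other-site.test", "198.51.100.202"),
]

def registered_domain(fqdn):
    # Assumption: naive "last two labels"; real data needs the Public Suffix List.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def find_shadowing(rows, window=timedelta(hours=24), threshold=3, prefix=24):
    """Return {domain: [hostnames]} for bursts of off-network subdomains."""
    baseline = defaultdict(set)   # networks hosting the apex and www names
    for _, host, ip in rows:
        dom = registered_domain(host)
        if host in (dom, "www." + dom):
            baseline[dom].add(ip_network(f"{ip}/{prefix}", strict=False))
    outliers = defaultdict(list)  # subdomains resolving outside the baseline
    for ts, host, ip in rows:
        dom = registered_domain(host)
        if host in (dom, "www." + dom) or dom not in baseline:
            continue
        if not any(ip_address(ip) in net for net in baseline[dom]):
            outliers[dom].append((datetime.fromisoformat(ts), host))
    flagged = defaultdict(set)
    for dom, seen in outliers.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):  # slide a time window over the outliers
            while seen[end][0] - seen[start][0] > window:
                start += 1
            burst = {host for _, host in seen[start:end + 1]}
            if len(burst) >= threshold:
                flagged[dom] |= burst
    return {dom: sorted(hosts) for dom, hosts in flagged.items()}

if __name__ == "__main__":
    for dom, hosts in find_shadowing(OBSERVATIONS).items():
        print(dom, "->", ", ".join(hosts))
```

The second constructed domain has three off-network subdomains spread over weeks, which is typical of legitimately outsourced services, so it stays below the burst threshold.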

The kit added CryptoWall 3.0 in May and added new Flash vulnerabilities in 2015: one in January, one in May, and one in July, just after the Hacking Team breach was reported.


Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.