Angler ransomware gang stopped in their tracks by Cisco

Networking giant Cisco claims to have struck a blow against a cyber-crime gang that was using the Angler Exploit Kit in a ransomware campaign. At one point, the gang had been making more than $60m a year from the scam.

Cisco's Talos security unit suggests that it was able to disrupt the activities of the group after finding that "an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks", which is based in the US.

The infrastructure-as-a-service provider was unaware that its services were being used for criminal activities. Cisco claims that the "primary threat actor" behind the campaign was responsible for more than half of cyber-crime activity using the Angler Exploit Kit.

Cisco's action included:

Cisco claims that, working with Limestone, it was able to glean a range of information about how Angler works.

"Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers. The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure.

"Additionally, there is a health monitoring server that is conducting health checks, gathering information about the hosts that are being served exploits, and remotely erasing the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and helped allow us to put a monetary value on the activity," it claims in its report.

Cisco also observed a single "health server" monitoring 147 proxy servers over the course of a month, generating more than $3m in revenue. "This single adversary was responsible for approximately half of the Angler activity we observed and is making more than $30m annually from ransomware infections alone."