A malware campaign using the Angler Exploit Kit that generated $60 million per year through ransomware was shut down due to the work of a Cisco research team.
Cisco reported that it came across the activity when it recognized that an unusually large number of proxy servers used by Angler were associated with the internet service provider Limestone Networks. Here a single threat actor was targeting 90,000 victims per day and was solely responsible for up to 50 percent of all the Angler Exploit Activity taking place worldwide resulting in $30 million in ransomware payments annually.
“We saw a total of 147 servers in a month being monitored by this actor giving us a total of $2.85 Million ($19410 X 147 Servers) for all servers for that month. Then if you multiple that by 12 months you get ~$34 Million we decided to round down to $30 million,” Nick Biasini, threat researcher for Cisco Talos told SCMagazine.com in a Wednesday email.
Cisco described how the hackers implanted and managed Angler inside Limsestone's servers. The team found a single exploit server responsible for serving malicious activity through multiple proxy servers. Then there was a health monitoring server that gathered information on the hosts being served exploits and it took care of covering the hacker's digital tracks by remotely erasing log files.
This health server revealed the scope and scale of the campaign, and helped allow us to put a monetary value on the activity.
Biasini estimated that about 2.9 percent of victims pay the ransom based on information from US-CERT, but he added nailing down a hard number is difficult.
One way to foil the bad guys is to simply back up your system with a relatively inexpensive external hard drive, Biasini said.
“One thing to keep in mind is to make sure you don't leave the backup drive attached or the ransomware will encrypt that data as well,” he said.