Cisco Takes Down £40m Ransomware Gang

Ransomware gang using Angler exploit kit to make $60m (£39m) annually has been shut down

A highly profitable ransomware operation has been successfully closed down by networking giant Cisco.

The criminal gang were using the notorious Angler Exploit Kit to generate an estimated $60 million (£39m) annually by delivering ransomware to unsuspecting people browsing the Internet.

“Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit,” boasted the company.

Cisco Takedown

Angler has been linked to a number of high-profile malvertising/ransomware campaigns, used most recently in attacks on the users of Forbes.com and Match.com, for example. Angler is said to be one of the largest exploit kits found on the market, and is designed to “bypass security devices and ultimately attack the largest number of devices possible.”

But Cisco Systems’ Talos security unit was on its case, and it discovered that an “inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks.” The main “threat actor” was reportedly responsible for up to 50 percent of Angler exploit kit activity and targeted up to 90,000 victims a day.

Ransomware of course is a particularly nasty piece of malware. Once a PC or smartphone is infected, the unfortunate victim is contacted by the blackmailer or hacker responsible. The criminals will often demand money in order to unlock the victim’s device. Some ransomware variants also encrypt their victims’ data.

Talos worked in conjunction with Level 3 Threat Research Labs and OpenDNS, before it launched its takedown. Cisco apparently “shut down access for customers by updating products to stop redirects to the Angler proxy servers.”

The firm said that it also “released Snort rules to detect and block checks from the health checks; published communications mechanisms including protocols so others can protect themselves and customers,” and it also “published IoCs so that defenders can analyse their own network activity and block access to remaining servers.”

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually,” said Cisco.

Ongoing Battle

Ransomware has been around for years now. Last month, McAfee Labs warned businesses to be on the lookout for increasingly technical attacks. It discovered a 58 percent rise in ransomware emails, as hackers look to capitalise on social engineering to try to con people out of their money.

In June an ESET study found that over a third of UK companies had either personally been held to ransom by hackers, or knew someone whose networks had been infected by ransomware.

Perhaps one of the most notorious pieces of ransomware was the Cryptolocker malware. It caused big problems in 2013, as it spread via emails claiming to be from a bank or other financial institution.

Those emails usually included an executable file disguised as an archived document, which contained the malicious code. It would encrypt the user’s storage devices, and victims had 72 hours to pay a ‘ransom’ payable in Bitcoin.

It infected at least 200,000 computers and netted the criminals behind the scheme a minimum of $380,000 (£240,000) – but more likely millions of pounds.
