Cisco Researchers Dismantle Key Distributor of Ransomware

Claims it has struck major blow to Angler Exploit Kit

Data Center Knowledge

October 14, 2015

2 Min Read
Cisco Tetration
A bicyclist rides by a sign that is posted in front of the Cisco Systems headquarters in San Jose, California. (Photo by Justin Sullivan/Getty Images)



This post originally appeared at The Var Guy

By Elizabeth Montalbano

Cisco Systems has done its part to help rid the world of ransomware by striking a major blow to one of the largest exploit kits on the market for this type of security threat.

The company’s Talos Security Intelligence and Research Group has disrupted a significant international revenue stream generated by the Angler Exploit Kit, which rakes in as much as $60 million a year, the company reported recently on its blog.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information are generating hundreds of millions of dollars annually,” Cisco threat researcher Nick Biasini said in the blog post.

Angler is one of the largest exploit kits available on the market for creating and spreading malvertising or ransomware campaigns, the company said. These types of malware prevent or limit users from accessing their system or getting back data that was taken until they pay a ransom through an online payment method.

Angler is so dangerous because it’s designed to bypass security devices and attack the largest number of devices possible, making it the most advanced and concerning exploit kit on the market for ransomware, according to Cisco.

Talos was able to take action against the kit by first determining that a very large number of proxy servers used by Angler were located on servers of service provider Limestone Networks, Biasini said in the post. The primary threat actor in the scenario was responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day and generating more than $30 million annually.

Key partners also helped Talos garner more intelligence about Angler activity on Limestone’s servers. Working with Level 3 Threat Research Labs, Talos also gained additional visibility into the global activity of the network, while a collaboration with OpenDNS provided a view into the domain activity associated with the adversaries, according to the post.

Once it identified the malicious activity, Cisco took action against Angler through a number of steps. The company shut down access for customers by updating products to stop redirects to the Angler proxy servers, Biasini said. It also released Snort rules to detect and block checks from the health checks, rules that are being released to the community, he said.

Other steps Cisco Talos took to thwart Angler activity included publishing communications mechanisms including protocols so others can protect themselves and their customers. The company also is publishing indicators of compromise (IoCs) so that defenders can analyze their own network activity and block access to remaining servers used by Angler, according to Biasini’s post.

This first ran at

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like