Cisco Ends Ransomware Campaign

Thursday, October 8, 2015 @ 04:10 PM gHale

A criminal group responsible for half of the ransomware delivered via the Angler exploit kit has met its match, as Cisco researchers halted the operation.

The group conducted operations on such a large scale that by the end of the year they would have potentially earned over $34 million.


Using servers from the infrastructure of Limestone Networks, a cloud service provider, the criminal group behind this operation managed to build the largest ransomware delivery platform ever observed in the wild.

These servers were not compromised; they were bought using stolen credit cards. Over 815 such servers were purchased, and once the credit card owners requested charge-backs, Limestone Networks was losing around $10,000 each month for as long as the campaign ran.

Because of this, not only did Limestone shut down the servers when Cisco’s Talos security team reported them, but it also opened up its logs so Cisco’s team could start investigating.

The attackers used only a single server to deliver the Angler exploit kit, the researchers said. This server was masked behind a network of 147 proxy servers installed on the compromised Limestone Networks infrastructure.

After its investigation, Cisco concluded that the criminal group behind this operation could have made between $30 million and $60 million in annual revenue.

According to data gathered from the campaign, over 9,000 users per day were hit with the Angler exploit kit.