Ransomware infects computers and forces users to pay a ransom to regain access to their locked files. Cisco said the internationally operating exploit kit was generating $60 million annually from roughly 90,000 targeted victims a day. The Talos team cut that $60 million in half with a little detective work, said Jason Brvenik, principal engineer of Cisco’s security business group, speaking Tuesday at the company’s Global Editors Conference.
Cisco’s team noticed that a large number of proxy servers being used by Angler were located on Limestone Networks’ servers. Talos gained additional visibility into the ransomware activities by working with Level 3 Threat Research Labs and with OpenDNS.
To respond, Cisco updated products to stop the redirects to Angler’s proxy servers and released new rules for the Snort intrusion detection platform. Cisco is also publishing indicators of compromise (IoCs) so that defenders can block access to the remaining servers and analyze their own network activity.
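The IoC publication described above only pays off if defenders actually run the indicators against their own traffic. The following is an added example, not Cisco or Talos code: it matches a constructed indicator list (documentation-range IPs, a reserved CIDR and `.invalid` hostnames, none of them real Angler infrastructure) against constructed proxy-log lines whose format is assumed to be `timestamp source method url status`, and summarises which internal hosts touched which indicator.

```python
"""Match proxy-log lines against a published IoC list (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder indicators: RFC 5737 addresses and reserved names,
# standing in for the real IoC list a vendor such as Talos would publish.
IOC_IPS = {"192.0.2.10", "198.51.100.77"}
IOC_DOMAINS = {"redirect.example.invalid", "landing.example.invalid"}
IOC_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed log format: "<timestamp> <source-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    url: str
    indicator: str   # the indicator that matched
    kind: str        # "domain", "ip" or "cidr"


def host_of(url):
    """Extract the host portion of a URL, dropping scheme, port and path."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None


def match_ioc(host):
    """Return (indicator, kind) if the host matches an IoC, else None."""
    if host is None:
        return None
    if host in IOC_DOMAINS:
        return host, "domain"
    # Subdomains of a listed domain count too (e.g. cdn.landing.example.invalid).
    for domain in IOC_DOMAINS:
        if host.endswith("." + domain):
            return domain, "domain"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname that is not an IP and not on the list
    if str(ip) in IOC_IPS:
        return str(ip), "ip"
    for net in IOC_CIDRS:
        if ip in net:
            return str(net), "cidr"
    return None


def scan(lines):
    """Run every log line through the IoC matcher; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = match_ioc(host_of(m["url"]))
        if found:
            hits.append(Hit(m["ts"], m["src"], m["url"], found[0], found[1]))
    return hits


def summarize(hits):
    """Map each internal source address to the sorted list of indicators it contacted."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, set()).add(h.indicator)
    return {src: sorted(inds) for src, inds in by_src.items()}


# Constructed sample log: one benign fetch, four indicator contacts, one malformed line.
SAMPLE_LOG = [
    "2015-07-14T09:12:03Z 10.1.4.22 GET http://news.example.org/index.html 200",
    "2015-07-14T09:12:05Z 10.1.4.22 GET http://redirect.example.invalid/ads/serve.js 302",
    "2015-07-14T09:12:06Z 10.1.4.22 GET http://192.0.2.10/forum/viewtopic.php?t=1 200",
    "2015-07-14T09:12:07Z 10.1.4.22 GET http://203.0.113.45:8080/flash.swf 200",
    "2015-07-14T09:13:00Z 10.1.4.31 GET http://cdn.landing.example.invalid/x.html 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.indicator} ({hit.kind}) {hit.url}")
    print(summarize(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

The subdomain and CIDR checks matter in practice: redirector chains routinely rotate hostnames under one registered domain, and published proxy-server indicators are often a netblock rather than a single address, so exact-string matching alone would miss part of the activity the IoC list is meant to expose.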
Because Angler has been involved in some high-profile malvertising/ransomware campaigns, Talos decided to take a closer look at its telemetry data collected during the month of July. The team found Angler went through several iterations of development, including URL structure changes and the addition of exploits for several unpatched Adobe Flash vulnerabilities.
Brvenik said Angler was able to spin up new campaigns every six to eight months. It uses “tons of automation” to spin up an attack and then disappears afterward.
“They’re going to corporate office parks and having parties,” Brvenik joked. “They’re professionals. They’re just in a different profession.”