Cisco disrupts major ransomware campaign that brought in $30M annually
“Cisco researchers, with the help of Level 3 Threat Research Labs and OpenDNS, have managed to strike a considerable blow against ransomware peddlers that used the Angler exploit kit to deliver the malware to unfortunate victims.
According to OpenDNS’ Stephen Lynch, Cisco’s Talos Research Group managed to “disrupt the operations of a threat actor responsible for up to 50 percent of the malicious softwares activity from a ransomware campaign that generated more than $30M USD annually.”
How did they do that? Well, they noticed that a huge number of proxy servers used by Angler were located on servers of service provider Limestone Networks. They worked with that service provider to get live disk images of the Angler servers, which allowed the unprecedented insight on how the ransomware campaign were executed, the infrastructure the threat actor used, the changes made to the exploit kit and, most importantly, the techniques they employed to keep the exploit and command and control infrastructure hidden in order to prevent takedowns.
“Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers,” the researchers explained. “The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure. Additionally, there is a health monitoring server that is conducting health checks, gathering information about the hosts that are being served exploits, and remotely erase the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and helped allow us to put a monetary value on the activity.”
Cisco has released Snort rules to detect and block checks from the health monitoring servers, has published details about the communications mechanisms used by the severs and indicators of compromise (IP addresses, subdomains, hashes) that should help defenders discover infections on their own networks.
They have also been in touch with hosting providers, urging them to shut down malicious servers.
More details about the trends in hosting, domain usage, referers, exploits, and payloads used by the threat actor have been detailed in this report.”