Researchers at a Cisco security unit have successfully interrupted the spread of a massive international exploit kit which is commonly used in ransomware attacks, holding user data hostage and demanding payment for its release.
The Talos security team were monitoring the notorious malware, Angler Exploit Kit, which they report is one of the most effective tools for stealing personal information, with a 40% infiltration rate.
The scientists discovered that around 50% of computers infected with Angler were connecting with servers based at a Dallas facility, owned by provider Limestone Networks. The servers had been hired by cybercriminals using stolen payment details. Once informed, Limestone cut the servers from its network and handed over the data to the researchers.
In partnership with ISP Level 3 Communications’ Threat Research Labs, Cisco was able to recover the authentication protocols behind the Angler software and share that information with security companies to disable connection to infected devices.
Talos manager Craig Williams suggested that the research and consequent action will be “really damaging” to the attackers’ network, adding that since Limestone cut the criminal servers, the rate of Angler infections had significantly reduced.
Limestone maintains that it supported the spread of Angler unknowingly, and responded efficiently in aid of the Cisco investigation and the security of its users.
Sold online across black market platforms, exploit kits such as Angler are available to purchase as small packages which hunt out vulnerabilities in web applications and other popular software programmes. Once they gain control of a target computer, criminals can install malicious code, including ransomware attacks capable of stealing personal data and demanding payment for its return.
According to Talos, had 3% of Angler infected users paid a ransom of around $300 (approx. £200), those involved in the Limestone server crimes could have made a yearly profit of over to $34mn.