Cisco researchers stop ransomware operation generating $30 million revenue for hackers
Researchers from cyber security firm Cisco have found out that a group of hackers are making an estimated $30 million a year from their criminal operation online. According to the researchers, they discovered a large ransomware campaign connected to the Angler Exploit Kit, which is one of the most effective exploit kits available for hacking into computers in the underground market.
The tool is sold to cybercrime gangs, which take advantage from Angler’s exploits mostly for browsers and browser plugins. It’s targeted at anyone with crimeware, such as ransomware or banking credential stealers, who do not have the time or skill to develop and maintain their own database of software exploits.
Researchers noticed that the large percentage of infected users were connecting to servers belonging to hosting provider Limestone Networks. After digging out more, they estimated that a single hacker or a group of hackers is targeting up to 90,000 end users a day.
Based on a 13 hour window into single server, the conclusions drawn by Cisco by observing 90,000 unique IP addresses per day that were being served at least one of the Angler EK’s attack pages which belonged to hosting provider Limestone Networks. It’s observations also appear to be of a customer that used Angler rather than the operators of the EK itself.
“By analyzing the behavior of just one node delivering Angler as well as a server monitoring these systems, Talos can reliably say that one threat actor was responsible for up to half of the Angler activity that we’ve observed globally. This malicious network generates approximately more than $30 million annually,” Cisco said.
Cisco teamed up with Level 3 Threat Research Labs, OpenDNS and hosting firm Limestone Networks for its investigation.
Limestone Networks provided access to servers used by Angler, revealing how the group manages to distance itself from actual infections of end user devices.
“Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity,” Cisco noted.
After investigating the operation, according to the estimates made by Cisco researchers, state that life of an Angler exploit server is one day and that around 3600 users are compromised by ransomware every day. Further, they found that 3% of targets paid the average ransom demand of $300 to the hackers. As a result, this particular hacker or a group of hackers is generating more than $34 Million of annual revenue estimated the Cisco researchers.
Please note that the figure estimated by Cisco researchers following the log files is retrieved from just one server. The actual number may be even larger than $30 Million annually.
Researchers from Cisco Systems’ Talos Security unit noted that “using simple math [one] can easily determine that this [particular] adversary is making potentially $3 Million a month,” but “It is difficult to be 100% accurate with these numbers.”
The affected hosting provider Limestone Networks have since shut down the malicious servers after Cisco researchers contacted them.
First identified in late 2013, Angler Exploit kit has gone on to become one of the most popular exploit kits in the market. It basically has a number of hacking tools that take advantage of vulnerabilities in Java, Flash, and other browser plugins to break into victims systems.
The cyber criminals are now making use of ransomware in their kit that produces more money per attack.
“This is a significant blow to the emerging hacker economy,” researchers said, “where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.”
Points to know to protect against ransomware
You can protect your computer against ransomware and other malware threats by keeping the following points in mind:
* Ensure that all the software on your computer is up to date.
* Ensure that automatic updating is turned on to get all the latest security updates.
* Make use of secure connections for sensitive transactions.
* Use virtual keyboard for internet banking.
* Use strong alphanumeric and symbol passwords.
* Do not open any attachment unless you know the sender and the reason they are sending it.
