ARN

Cisco disrupts $60M ransomware biz

Finds Angler servers at a Dallas hosting provider during research
  • Jim Duffy (Network World)
  • 07 October, 2015 00:22

Cisco this week says it disabled a distributor of the Angler ransomware exploit kit, a program that holds victim machines hostage via encryption.

The catch disrupted a global ransomware operation that netted $60 million annually for the perpetrators, Cisco states in a blog post.

+MORE ON NETWORK WORLD: Jane Austen lets the boogie man in: Cisco report+

During research, Cisco's Talos security unit discovered that computers infected with the Angler Exploit Kit were connecting to servers at Limestone Networks, a Dallas hosting provider. Angler encrypts victim machines until the victims pay a sum – a ransom -- to have them decrypted.

Limestone worked with Talos to deliver previously unknown insight into Angler’s data flow, management, and scale. Cisco also collaborated with Level 3 Communications and OpenDNS, a company it is acquiring, to learn more about the activity and devise a defense.

According to the blog, Cisco shut down access for customers by updating products to stop redirects to the Angler proxy servers. The company also released Snort rules to detect and block checks from the health checks, and published protocols and other information so service providers and their customers can protect themselves.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information are generating hundreds of millions of dollars annually,” Cisco stated in the blog post.