Next-Generation Technologies & Secure Development

Angler Ransomware Campaign Disrupted

Cybercriminals Earned Millions Annually, Cisco Says
Angler Ransomware Campaign Disrupted

A cybercrime ring that employed the Angler Exploit Kit to earn an estimated $34 million per year from ransomware infections alone has been disrupted by security researchers at Cisco's Talos security intelligence and research group.

See Also: OnDemand | Adversary Analysis of Ransomware Trends

A related report from Cisco Talos says the attack campaign appeared to be one of two Angler-related attack campaigns that are currently in the wild, and comprised about half of all observed Angler-related activity.

Prior to the disruption, about 50 percent of the gang's Angler-attack activity traced to Dallas-based hosting provider Limestone Networks, and 25 percent to German hosting provider Hetzner, Cisco says. Talos security researchers shared details of the attack infrastructure with both organizations, and report that Limestone "responded and cooperated fully with this investigation," resulting in Cisco helping the company craft back-end blocks against the Angler gang's activities, as well as study the attack infrastructure, including capturing images of the Angler group's attack servers for analysis.

A spokesman for Hetzner says his firm has yet to be contacted by Cisco, although Cisco disputes that account.

Limestone Networks, meanwhile, says attackers were using stolen payment card data to purchase about 815 cloud-based servers per week, which they used as part of their attack infrastructure. While the hosting provider would quickly identify and shut down these servers, it says it was still losing about $10,000 per month in related costs and revenue - largely because of banks' chargebacks on the fraudulent payment card charges.

Since it began working with Cisco, however, the hosting provider says it that has been been able to block the Angler group's activities, thus stemming related losses. "We have built alerts specific to this malware into our network analytics," Ryan Al Ammary, the client relations manager at Limestone Networks, tells Information Security Media Group. "This provides us with instant notifications when fraudulent Angler accounts activate a new service. Instead of detection taking one to two days, as it had it in the past, it now takes only minutes. As a result, fraudulent Angler account are no longer able to effectively operate their malware distribution from our data center."

Angler has recently been linked with malvertising campaigns that were served via such sites as, plus dating sites and Plenty of Fish (see Suspends UK Ads After Malware Attacks). The developers behind Angler are well-known for including zero-day attacks in their crimeware toolkit, and were the first gang found to be using the zero-day code leaked by whoever hacked Italian spyware vendor Hacking Team (see Hacking Team Zero-Day Attack Hits Flash).

"Bravo," says Tom Kellermann, chief cybersecurity officer for Tokyo-based security firm Trend Micro, commenting on Cisco's disruption of this Angler campaign, which he notes has claimed victims from around the globe. "Angler was most active in targeting Japanese citizens, followed by the USA."

Payload Delivery System

Angler is a crimeware toolkit most often used to infect victims' systems with click-fraud malware and ransomware. "Angler is ... basically like a payload delivery system," says Craig Williams, senior technical leader and security outreach manager for Cisco's Talos security intelligence and research group. "Angler has a lot of drive-by download exploits, but the reality is, once they've exploited your system, they're designed to feed you any payload they want."

Cisco's Craig Williams details why Angler Exploit Kit attack campaigns are so difficult to disrupt.

The developers behind Angler have made the crimeware toolkit's attack payloads difficult to detect by encrypting the attack payload and varying the encryption slightly to generate many different-looking yet functionally identical pieces of malware. For the Angler campaign disrupted by Cisco, for example, Williams says that during the month of July Cisco researchers cataloged nearly 3,000 unique hashes - meaning, unique-looking attack payloads - associated with the campaign. But when researchers ran those hashes through malware-scanning service VirusTotal, only six percent of them were detected by any virus-scanning engines.

Ransomware, Click-Fraud Malware

Williams says the $34 million earned annually by the criminals behind this Angler campaign is only an estimate, based on what researcher observed happening on the Limestone Networks infrastructure, and notes that the Kerzner network was likely generating almost the same amount of money annually.

Via the attack infrastructure formerly hosted on Limestone Networks, researchers saw 90,000 endpoints visiting an Angler attack site per day, which then scans the system to see if it's potentially vulnerable. About one in 10 systems are then targeted, leading to about 40 percent of them being exploited. Williams says the 60 percent of systems that Angler fails to infect are likely running some combination of security tools - up-to-date antivirus, a firewall and so on. As a result, this Angler campaign was infecting about 3,600 systems daily.

Williams says that the U.S. Computer Emergency Response Team - using data supplied by Symantec - estimates that 2.9 percent of ransomware victims do pay a ransom. With the average ransom payment being $300, that works out to attackers netting about $95,000 per day. But Cisco has not estimated how much one the attackers might be earning via click-fraud malware - which this attack infrastructure delivered to 38 percent of all systems it had infected - since they have no way of measuring that, he says.

Proxy/Server Attack Infrastructure

The attack infrastructure unearthed by Cisco, which it analyzed with the help of communications provider Level 3 Communications, involved an elaborate system composed of exploit servers, proxy servers, status - or health - servers as well as a master server.

Here's how it worked: If an endpoint visited an infected site - or attack landing page - it communicated with one of 147 different proxy servers first to determine if it would attack the system. If so, the proxy server then served related exploit code from a dedicated exploit server. If the machine was successfully infected, the proxy server also relayed the infected node's details to a status server. All status server logs, meanwhile, were then rolled up and submitted to a master server based in the Netherlands.

The impetus for this elaborate approach is simple: it makes related attacks difficult to detect or disrupt - especially with attackers using so many different proxy servers, so that the infected endpoint never communicates directly with the exploit or status servers. Attackers have also distributed the proxy/server infrastructure across numerous countries, to make it more difficult to detect.

No Attribution

Despite unraveling part of this Angler's gang's attack infrastructure, Cisco says that it is unable to attribute the attacks back to a specific gang or even geographic region, owing to the master servers being run from the Netherlands. "To do any direct attribution here, you'd have to have hands on the servers, and unfortunately, due to the privacy laws in the Netherlands, that's up to law enforcement," Williams says. But he notes that part of the impetus for not just detailing the disruption of this attack infrastructure, but also releasing a highly detailed technical report - which stretches to more than 5,500 words, and includes links to indicators of compromise that organizations can use to block related attacks - is to help law enforcement agencies zero in on the perpetrators (see How Do We Catch Cybercrime Kingpins?).

Unfortunately, unless authorities arrest the developers behind an exploit kit or ransomware ringleaders - and sometimes in spite of such arrests - any related disruptions have historically proven to be temporary. "Regardless of the takedown, the [Angler] kit will never disappear from the darknet," Trend Micro's Kellerman says. "In fact, it will migrate to another bulletproof host - more than likely in Eastern Europe." Such bulletproof hosting environments - premium online hosting services predicated on the service administrators looking the other way when it comes to illegal activities - give criminals more ways to obfuscate cybercrime-related activities and disguise related command-and-control infrastructure (see Hacker Havens: The Rise of Bulletproof Hosting Environments).

Executive Editor Tracy Kitten also contributed to this story.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.