Multi Million Dollar Angler Ransomware Shut Down by CISCO

Cisco has shut down an Angler Ransomware Exploit distributor who was making estimated $30 million per year using a viral campaign. The exploit was encrypting user’s data until a ransom was paid.The disruption of this network was conducted by security researchers of Cisco’s Talos security division and we’ve got the story below.

What Is Angler?

Most exploits are sold in underground forums by cyber criminals to the people who don’t know or don’t want to write exploits or other malicious software themselves. This way any person can get their hands on a powerful weapon if an appropriate amount is paid, and Angler is definitely not an exception.

Angler is the most viral exploit kit with the success rate of 40% targeting weaknesses located in browsers and browser plugins. Angler is crafted to bypass the most security systems providing a very large scale of attacks. The kit searches for both known and zero-day vulnerabilities and exploits them with ease.


During the investigation, cyber security researchers from Talos discovered that more than half of computer devices were infected with Angler Exploit Kit, which was connected to the hosting provider from Dallas, Limestone Networks. According to Talos “[Limestone Networks] was a threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually”.

Talos researchers needed to “improve their vision” in order to take a closer look at a global activity and thanks to cooperation with Level 3 Threat Research Labs and OpenDNS this mission was quickly accomplished.

Upon this discovery of illicit activity and an email from Talos, provider immediately shut down its own servers and handed data, which was analysed by security researchers for a better understanding of massive campaign.

The first step was to check the telemetry data, which gave out very interesting bits of information. According to Talos, July of 2015 was the most active part in Angler development because it experienced some major changes in URL structure and also in the ways Adobe Flash vulnerabilities were used.

As many advanced exploit kits Angler was built in a proxy/server configuration, were a single server was initiating malicious activities using many small proxy servers. The proxy server allowed cyber criminals to distribute malware in a quicker manner without exposing its existence. Angler was also using a server that was providing health monitoring and gathering information about infected computers, exploit servers and in additional was capable of remotely erasing log files. Thanks to the health monitoring server a scale of the ransomware campaign was revealed.

The final discovery was astonishing. According to Talos, a single “health server” was in charge of 147 proxies generated about $3 million in monthly revenues. Since the Limestone Networks was responsible for about half of those malicious activities, this company was making about $30 million annually, with a ransomware campaign.

Cyber criminals are switching from stealth to wealth. The new trend shows us that they are more actively “bribing” major companies and are cooperating with them. Why? Because the distribution is much easier with a provider who is trusted by thousands of users, if not more.

Angler Exploit Kit is another reminder for users to always update their software and OS.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.