Security researchers have dismantled a massive cyber-criminal operation they estimate has raked in more than $30 million per year by pushing ransomware to unsuspecting victims online.
The takedown was performed by investigators at Cisco Systems’ Talos security unit, which was researching the Angler Exploit Kit at the time. Angler is sold on underground crime forums to criminals who do not want to develop and test their own exploit kit. It is one of the most dangerous exploit kits on the market, with a successful infection rate of 40 percent, achieved by targeting end users’ outdated, vulnerability-ridden browser plugins. In most cases the security flaws Angler tries to abuse have already been patched, but the kit often exploits zero-day vulnerabilities for which no patch yet exists.
Talos researchers quickly identified that a majority of infections were connecting to servers operated by the Internet Service Provider (ISP) Limestone Networks. After working with Limestone and examining the servers behind the operation, they found that this single operation targeted as many as 90,000 victims per day. The researchers estimated that even if a measly three percent of infected victims paid the average $300 ransom, the operation could generate more than $30 million in 12 months. That estimate is consistent with log files retrieved from one of the servers Talos analyzed, which showed that server alone generating more than $3 million.
“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually,” Talos researchers wrote in a report published Tuesday on the takedown.
Ransomware came into the limelight in 2013 with the spread of a piece of malware known as CryptoLocker. It infected users by posing as other software or by arriving through exploit kits such as Angler. Once installed, it silently began encrypting all files stored on the hard drive or on network storage, then demanded anywhere from $300 to $500 in bitcoin for the decryption key. Nearly two years later, organizations including police departments, government agencies, and small to medium-sized businesses are still falling victim to ransomware campaigns.
Talos estimates that the now-dismantled operation was responsible for nearly half of the Angler activity its researchers had investigated. The researchers also observed Angler beginning to distribute non-ransomware payloads, including the Bedep downloader, a piece of malware that in turn fetches and installs additional payloads. Talos also saw the kit’s malware used in click-fraud schemes and to repeatedly install keyloggers.
“It’s one of the most innovative exploit kits available today, but it doesn’t have a large footprint from an infrastructure perspective,” Talos wrote in their report describing Angler. “Despite not having a large footprint, Angler is able to compromise a significant amount of users, for a presumably small amount of customers.”