Angler Kit: Cisco uncovers a major cybercrime group

If Angler Exploit Kit were a respectable business, it would probably be buried under investors' money, such is its growth. This exploit kit rose to prominence in 2013, in particular by filling the space left vacant by the Blackhole exploit kit, whose creators were arrested in October by the Russian authorities. Within a few months, Angler Exploit Kit became the leading name in its field: where five different exploit kits shared the market at the end of 2014, only two remained in May 2015, according to figures compiled by Sophos.

The evolution of Angler Exploit Kit's market share, as tracked by Sophos.

Exploit kits such as Angler are generally used by cybercriminals to distribute malware or ransomware on a large scale via infected web pages. They rely on the technique known as “drive-by download”: the victim is redirected to a booby-trapped page that probes their machine for a security vulnerability and then uses it to infect the system.

As part of its research, Cisco focused in particular on a group of cybercriminals using the Angler Exploit Kit to distribute ransomware to their targets. The data collected allowed Cisco to protect its customers somewhat better by blocking some of the URLs involved, but it also sketches the outlines of these illegal activities.

Angler Kit, a thriving business

The majority of the servers Cisco detected were hosted by Limestone Networks, which the security company contacted to gather information. Cisco explains that 75% of the vulnerabilities exploited by the Angler kit are Flash flaws, followed by 24% exploiting another known flaw in Internet Explorer. This figure recalls the Angler Exploit Kit's rapid reaction to the Hacking Team affair, whose 0-day was quickly added by the kit's developers. Cisco also states that in 60% of cases, these vulnerabilities were exploited to deliver ransomware to the targeted machines.

The distribution of the vulnerabilities exploited by the Angler Exploit Kit, from data collected by Cisco.

Based on these figures, Cisco's Talos researchers tried to assess the return on investment of a single server running this type of operation. They explain that they observed a single server running Angler Exploit Kit receiving 9,000 victims a day and managing to infect about 40% of them. With the average ransom demand estimated at $300, the Cisco researchers estimate that the members of this particular cybercriminal group managed to collect a total of $30 million per year, given the scale of their operations and the number of machines deployed. The figure should be handled with care: by Cisco's own admission, several variables in the equation remain unknown. The number of ransoms actually paid and the exact amounts are still unclear, as is the total size of the infrastructure used by this group of attackers.

Naturally, the operation also allowed Cisco to generate signatures and patches to better protect against this exploit kit. It remains active, and while the group identified by Cisco appears to have been one of the central players in the Angler Kit ecosystem, other groups also use this software.
