• United States



Managing Editor

Cisco disrupts $60M ransomware biz

Oct 07, 20152 mins
Cisco SystemsCybercrimeData and Information Security

Finds Angler servers at a Dallas hosting provider during research

hostage tied rope
Credit: Thinkstock

Cisco this week says it disabled a distributor of the Angler ransomware exploit kit, a program that holds victim machines hostage via encryption.

The catch disrupted a global ransomware operation that netted $60 million annually for the perpetrators, Cisco states in a blog post.

+MORE ON NETWORK WORLD: Jane Austen lets the boogie man in: Cisco report+

During research, Cisco’s Talos security unit discovered that computers infected with the Angler Exploit Kit were connecting to servers at Limestone Networks, a Dallas hosting provider. Angler encrypts victim machines until the victims pay a sum – a ransom — to have them decrypted.

Limestone worked with Talos to deliver previously unknown insight into Angler’s data flow, management, and scale. Cisco also collaborated with Level 3 Communications and OpenDNS, a company it is acquiring, to learn more about the activity and devise a defense.

According to the blog, Cisco shut down access for customers by updating products to stop redirects to the Angler proxy servers. The company also released Snort rules to detect and block checks from the health checks, and published protocols and other information so service providers and their customers can protect themselves.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information are generating hundreds of millions of dollars annually,” Cisco stated in the blog post.

Managing Editor

Jim Duffy has been covering technology for over 28 years, 23 at Network World. He covers enterprise networking infrastructure, including routers and switches. He also writes The Cisco Connection blog and can be reached on Twitter @Jim_Duffy and at