The modern online adversary is out to make money, not simply hack networks for the fun of it. In the Cisco 2015 Midyear Security Report, there’s yet more evidence that criminals are using tools with ever-increasing sophistication to steal valuable personal or financial data and sell it, coerce users into paying ransoms for their own data, and generally reap financial rewards for their exploits.

The Angler exploit kit continues to lead the market in terms of sophistication and effectiveness. As explained in the Cisco 2015 Midyear Security Report, Angler packs a significant punch because it uses Flash, Java, Internet Explorer, and Silverlight vulnerabilities to achieve its objectives. Angler is very effective, in part due to its ability to compromise users by using multiple vectors: Cisco found that 40 percent of users who encounter an Angler exploit kit on the web are compromised, compared to just 20 percent of users who encounter other widely used exploit kits.

Angler successfully fools users and evades detection with several innovative techniques. For example, as we discuss in the report, our researchers believe Angler’s authors use data science to create computer-generated landing pages that look normal enough to pass muster with heuristic scanners. In addition, Angler has recently started using “domain shadowing” to dodge detection—the exploit kit authors compromise a domain name registrant’s account, and then register thousands of subdomains under the legitimate domain of the compromised user. While domain shadowing isn’t new, we’ve monitored growing use of this technique since late 2014: according to our researchers, more than 75 percent of known subdomain activity by exploit kit authors since that time can be attributed to Angler.
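As an added example (not code from the Cisco report or its authors), the following defender-side heuristic flags the tell-tale sign of domain shadowing described above: a burst of never-before-seen subdomains appearing under one registered domain in a short time. The passive-DNS records, the `registered_domain` helper (which assumes the registrable domain is the last two labels, with no public-suffix handling) and the thresholds are all constructed for illustration.

```python
# Added example: a simple passive-DNS heuristic for domain shadowing, where an
# attacker who has taken over a registrant's account creates many throwaway
# subdomains under an otherwise legitimate domain. Not Cisco's own code.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed passive-DNS observations: (first_seen_epoch_seconds, fqdn, rdata).
# Two normal hostnames, then a burst of 60 random-looking labels created
# thirty seconds apart and all resolving to unrelated hosting.
SAMPLE_PDNS: List[Tuple[int, str, str]] = [
    (1_420_000_000, "www.example-retail.com", "198.51.100.10"),
    (1_420_000_100, "mail.example-retail.com", "198.51.100.11"),
] + [
    (1_420_003_600 + 30 * i, f"x{i:04d}k.example-retail.com", "203.0.113.77")
    for i in range(60)
]


def registered_domain(fqdn: str) -> str:
    """Assumption for this example: the registrable domain is the last two
    labels. Real tooling should use the Public Suffix List instead."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowing(records, window: int = 3600, min_new: int = 25) -> Dict[str, int]:
    """Return {registered_domain: burst_size} for every registered domain that
    gained at least `min_new` first-seen subdomains inside any `window`-second
    span. Only the first sighting of each hostname counts as "new"."""
    by_domain: Dict[str, List[int]] = defaultdict(list)
    seen = set()
    for ts, fqdn, _rdata in sorted(records):
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in seen:
            continue
        seen.add(fqdn)
        rd = registered_domain(fqdn)
        if fqdn != rd:  # the apex itself is not a subdomain
            by_domain[rd].append(ts)
    hits: Dict[str, int] = {}
    for rd, times in by_domain.items():
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted first-seen times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_new:
            hits[rd] = best
    return hits


if __name__ == "__main__":
    print(find_shadowing(SAMPLE_PDNS))  # {'example-retail.com': 60}
```

A hit is a lead, not a verdict: an analyst would still compare the burst's rdata against the domain's usual hosting before blocking.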

When Angler drops encrypted payloads, such as the ransomware Bedep, they can usually only be identified retrospectively, and time to detection (TTD) can take days, as seen in the chart below from the Cisco 2015 Midyear Security Report:


However, the good news is that the median TTD for threat detection by Cisco has been declining. In December 2014, the median TTD—meaning when analysis revealed an unknown file to be a threat—was about two days (50 hours). The current industry standard for time to detection is 100 to 200 days—far too long a time frame, given the fast pace of innovation among today’s malware authors. From January to March 2015, the median TTD was between 44 and 46 hours; in April, it edged up slightly to 49 hours. By the end of May, TTD for Cisco had decreased to about 41 hours. The retrospectives chart below—from a case study of Angler—shows the number of files that Cisco initially categorized as “unknown” that were later converted to “known bad.”


Ransomware, which is delivered by Angler and other exploit kits, is also rapidly evolving to streamline the way online criminals make money: payment is demanded in bitcoin, which can be used directly to pay for services. Every dollar paid in ransom directly funds our adversaries. In fact, as we explain in the Cisco 2015 Midyear Security Report, some of the more successful ransomware operators appear to have professional development behind them that helps drive innovation and continually evolve the malware.

The ransoms demanded are usually affordable, generally a few hundred dollars depending on the bitcoin exchange rate. Criminals appear to have done their market research to determine the right price points for the best results: fees are not so high that victims will refuse to pay or will tip off law enforcement. Ransomware authors keep their risk of detection low by using channels such as Tor and the Invisible Internet Project to communicate, and they use bitcoin so that financial transactions are difficult for law enforcement to trace.

Since exploit kit and ransomware creators endeavor to make their products as efficient and evasive as possible, security professionals must respond in kind and maintain cutting-edge visibility into adversaries. An integrated threat defense approach—which provides visibility, control, intelligence, and context across many solutions—is the best hope for detecting creative and constantly changing new threats such as these.

To learn more, download the Cisco 2015 Midyear Security Report.


Craig Williams


Talos Outreach