Talos, part of networking giant Cisco’s “collective security intelligence” ecosystem, has blocked a Russian internet company which, it claims, is heavily involved in hosting ransomware.
According to a Talos analysis of the RIG exploit kit, which has been used to propagate ransomware, five of the six network blocks observed serving the kit are operated by Russia's Eurobyte – yet the Moscow-based internet service provider and web hosting company repeatedly failed to respond to communications from Talos requesting that it deal with the user or users running the exploit kit.
Eurobyte, it added, was leasing the addresses from Webzilla, which operates out of the Netherlands.
“Talos reached out to both providers giving them the information regarding the hosts that we observed serving RIG. Webzilla responded and identified the customers that were generating the events and blocked the hosts successfully,” it claims in a blog posting detailing its investigation into the RIG exploit kit.
Rather than acting on the reports, Eurobyte responded by consistently providing new IP addresses to the group running the exploit kit, which Talos takes as an indication that the provider is actively supporting the ransomware operation.
“Monitoring the amount of RIG activity after our notification, we have consistently seen new servers that are being hosted by Eurobyte being stood up and compromising users via RIG. We again reached out to Eurobyte to try and get a response directly from the provider where the malicious activity is being hosted. Despite multiple emails to Eurobyte, RIG activity continued as new addresses get stood up after being reported to WebZilla,” continues Talos.
It continues: “This underscores one of the major problems we face today, leaf providers. As providers could have multiple downstream leaf providers we find that we routinely have success in dealing with larger providers.
“These providers help get systems shut down, but without the cooperation of the smaller downstream providers the adversaries just stand up new servers and move on. We were able to inflict some damage to RIG during our investigation, but were unable to actually get the actors behind the activity stopped.”
Talos and partner OpenDNS responded by adding the offending subnets to their blacklists for 30 days. “After this time Talos and OpenDNS will re-evaluate the provider to determine if an extended blacklisting should occur. This activity will add all the IPs in the address spaces to Cisco’s IP and Domain intelligence blacklists,” Talos warned.
Subscribers to the blacklists will therefore be protected from traffic to and from those address spaces, with the hope that the Russian internet company will respond by cleaning up its network.
Ransomware has become an increasingly popular means for criminal gangs to extort money from PC users. Once the malware has infected a machine, it encrypts the user’s files, and the decryption key is released only on payment of a ransom, payable via bitcoin.
In this particular investigation, Talos claims that the attackers were exploiting a particular security flaw in Adobe Flash, CVE-2015-5119, to compromise users’ PCs. “We saw a total of 30 unique hashes being used to compromise systems during the two month period. 70% of those hashes were known by VirusTotal and had some protection from an AV perspective. Despite that, users were still being compromised and malicious payloads were being delivered,” it warned.