SAN FRANCISCO (Reuters) - Cisco Systems Inc said it had managed to disrupt the spread of one of the most pernicious systems for infecting Internet users with malicious software such as so-called ransomware, which demands payment for decrypting users’ data.

The Cisco Systems logo is seen as part of a display at the Microsoft Ignite technology conference in Chicago, Illinois, May 4, 2015. REUTERS/Jim Young

The investigators from Cisco’s Talos security unit were looking at the Angler Exploit Kit, which analysts at several companies say has been the most effective of several kits at capturing control of personal computers in the past year, infecting up to 40 percent of those it targeted.

They found that about half of computers infected with Angler were connecting to servers at a hosting provider in Dallas, which had been hired by criminals with stolen credit cards. The provider, Limestone Networks, pulled the plug on the servers and turned over data that helped show how Angler worked.

The research effort, aided by carrier Level 3 Communications, allowed Cisco to copy the authentication protocols the Angler criminals use to interact with their prey. Knowing these protocols will allow security companies to cut off infected computers.

“It’s going to be really damaging to the attacker’s network,” Talos manager Craig Williams told Reuters ahead of the release of the report.

Cisco said that since Limestone pulled the plug on the servers, new Angler infections had fallen off dramatically.

Limestone’s client relations manager told Reuters his company had unwittingly helped the spread of Angler before the Cisco investigation.

Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software. Buyers of those kits must also arrange a way to reach their targets, typically by sending spoof emails, hacking into websites or distributing malicious advertisements.

Once they win control of a target’s computer, exploit kit buyers can install whatever they want, including so-called ransomware. This includes a number of branded programs, also sold online, that encrypt users’ computer files and demand payment to release them.

Talos estimated that if three percent of infected users paid the ransom averaging $300, the criminals that had used the Limestone servers to spread Angler could have made about $30 million a year.

(The story was refiled to correct the spelling in paragraphs 5 and 10 to Talos instead of Telos)