From the article:
On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.
The chain started with a compromised website that generated an admedia gate.
The gate led to Angler EK.
Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.
· 18.104.22.168 - img.belayamorda.info - admedia gate
· 22.214.171.124 - ssd.summerspellman.com - Angler EK
· 126.96.36.199 - clothdiapersexpert.com - TeslaCrypt callback traffic
Full write up is here.
And from other sites: