In the past two days, I’ve infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24.  Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment:

https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737/