Angler, which became the top kit after the demise of the Blackhole toolkit in 2013, frequently used Bedep as its first payload after a successful infection. Bedep is a dropper: once on the compromised machine, it downloaded other types of malware. The sudden drop-off in Angler's activity was larger than expected and significant, Cisco Talos said.
While this isn't Angler's first hiccup, it appears to be the most significant. The exploit kit fell off the radar for a couple of weeks at the beginning of 2016 for unspecified reasons. The difference between previous blips and the current disruption is that users have been migrating away from Angler to other exploit kits, such as Neutrino and Rig.
Prices for Rig and Neutrino also appear to have risen recently, consistent with a major competitor having shut down.
"Angler was, by a large margin, the most prolific, successful, and sophisticated compromise platform related to crimeware," Biasini said, noting that Angler customers were making approximately $60 million annually from ransomware infections alone.
Angler may not be the only casualty. The Necurs botnet, which distributed the Locky ransomware and Dridex banking malware and was "widely considered the largest botnet in the world," also had a handful of domains in its command-and-control infrastructure using the same yahoo.co.uk email address.
The Necurs botnet went offline for about three weeks, about the same time Lurk shut down and Angler's activity dropped. Locky's distribution decreased to the extent that it looked as if the ransomware had been shut down, suggesting that it relied heavily on the botnet.
"If this one group was running all of these activities, this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars," Biasini wrote.
The disruption for Necurs was only temporary, as it has resumed operations, suggesting the criminals are making too much money to let police action keep them from their activities.
When the author of the Blackhole exploit kit was arrested, Angler became the top kit thanks to its highly sophisticated arsenal of exploits. With Angler out, lesser-known kits will try to fill the void, or a brand-new exploit kit with even more advanced capabilities will appear.
Anyone in the original gang who managed to evade arrest could be regrouping, or some other actor may have enough access to seize control and resume operations. Whoever is in control will have learned from the mistakes of their predecessors, making it harder to catch the next round of attackers.