Right after noticing the Necurs botnet, which used to send out malicious email blasts delivering Locky and Dridex, the of security experts registered another drop in Angler exploit kits and other malware campaigns.
However, last week, the researchers from two security teams observed that campaigns were already using Neutrino EK to distribute CryptXXX ransomware, which had previously only been observed dropping via Angler EK.
According to a Proofpoint expert, the Angler EK activity ceased after June 7, which the company has since corroborated.
“Shifting from one exploit kit to another is nothing new and threat actors may even use more than one regularly,” the Proofpoint experts stated.
However, despite the reduction in activity, the Proofpoint researchers expect the lull to eventually give way to an increase in ransomware.
“As long as there is money to be made, threat actors will continue to innovate,” the experts concluded.