At the start of July, ransomware distribution via exploit kits underwent a major turnover as one of the biggest distributors using this method switched from dropping the CryptXXX ransomware to Locky's Zepto version.
After both the Nuclear and Angler exploit kits closed down a couple of months ago, it took cybercriminals some time to adjust to the well-known Neutrino exploit kit. However, the Nuclear and Angler exploit kits were not the only ones to take a break: at almost the same time, the main Locky distributor, the Necurs botnet, also took a three-week timeout. It did eventually come back, but with a new Locky variant – the Zepto ransomware.
According to Palo Alto Networks' security experts, Afraidgate, the biggest cyber-crime campaign using exploit kits for ransomware propagation, has also adopted the Neutrino exploit kit for its purposes.
During the time of the switch, Afraidgate also had to shut down, and when it returned it continued dropping the CryptXXX ransomware. However, around 29th June, researchers noticed that it quietly started to drop the Zepto version alongside CryptXXX. At first it delivered only a small number of Zepto payloads, but the volume rose steadily until CryptXXX was completely replaced.
At the moment, experts claim that the Neutrino exploit kit has, without a doubt, a dominant position in ransomware distribution via this kind of method. It turns out that only the Cerber ransomware is using a different exploit kit for its spreading – the Magnitude EK. Other than that, the Neutrino EK has completely taken over, convincing the crooks behind the pseudo-Darkleech and EITest campaigns to join it as well.
Just like Afraidgate, the EITest and pseudo-Darkleech campaigns rely on crooks hacking websites and adding malicious code to them to redirect traffic to their exploit kits.
As Proofpoint's report for the second quarter of 2016 reveals, the CryptXXX ransomware remained the favorite malware spread via exploit kits, even though the previous Locky variants accounted for 69% of all spam malware.
However, now that Afraidgate and many other campaigns are replacing CryptXXX with Locky's Zepto version, CryptXXX may not be able to keep its dominant position during Q3.
Fortunately, at least for now, the Neutrino exploit kit's domains are easily spotted because of the massive usage of the ".top" top-level domain.
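The ".top" observation above translates directly into a cheap detection check on resolver logs. The following is an added example written for this page, not code from the article or from any of the researchers it cites: it parses BIND-style DNS query log lines (the sample lines and the domain names in them are constructed placeholders, not real exploit kit infrastructure) and flags queries whose final label is a watched top-level domain. It compares the TLD label itself rather than doing a substring search, so a query for a name like "topsite.com" is not a false positive, while trailing root dots and mixed case are normalised before the comparison.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed BIND-style query log lines for this example; the ".top" names are
# placeholders and do not refer to real Neutrino EK domains.
SAMPLE_QUERY_LOG = """\
06-Jul-2016 10:14:02.113 client 10.0.0.12#51234: query: www.example.com IN A + (10.0.0.1)
06-Jul-2016 10:14:03.551 client 10.0.0.12#51240: query: cdn.example-static.net IN A + (10.0.0.1)
06-Jul-2016 10:14:05.002 client 10.0.0.12#51251: query: xkqv.placeholder-ek-domain.top IN A + (10.0.0.1)
06-Jul-2016 10:14:05.870 client 10.0.0.12#51252: query: xkqv.placeholder-ek-domain.top. IN A + (10.0.0.1)
06-Jul-2016 10:14:09.300 client 10.0.0.44#40112: query: MAIL.TOPSITE.COM IN MX + (10.0.0.1)
06-Jul-2016 10:14:11.417 client 10.0.0.44#40120: query: Another.Example.TOP IN A + (10.0.0.1)
"""

# Fields we need from a BIND "query:" log line (timestamp, client IP, qname, qtype).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise_qname(qname: str) -> str:
    """Lowercase the name and drop the trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def tld_label(qname: str) -> str:
    """Return the final DNS label (the TLD) of a normalised name, or '' if there is none."""
    name = normalise_qname(qname)
    return name.rsplit(".", 1)[-1] if "." in name else ""


def flag_tld_queries(log_text: str, watched_tlds: Tuple[str, ...] = ("top",)) -> List[Dict[str, str]]:
    """Parse query log lines and return the queries whose TLD is in watched_tlds.

    Matching is done on the TLD label, so 'topsite.com' does not match 'top'.
    """
    watched = {t.lower().lstrip(".") for t in watched_tlds}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line we understand; skip rather than guess
        if tld_label(m["qname"]) in watched:
            hits.append(
                {
                    "ts": m["ts"],
                    "client": m["client"],
                    "qname": normalise_qname(m["qname"]),
                    "qtype": m["qtype"],
                }
            )
    return hits


def hits_per_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged queries per client IP, which is the pivot an analyst would look at first."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    flagged = flag_tld_queries(SAMPLE_QUERY_LOG)
    for h in flagged:
        print(f"{h['ts']} {h['client']} -> {h['qname']} ({h['qtype']})")
    print("per client:", hits_per_client(flagged))
```

On its own a ".top" query is a weak indicator, since the TLD also has legitimate registrations; the per-client count is there so the output can be triaged alongside the proxy or web logs for the same host rather than alerted on blindly.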