In late 2013, the then-infamous Blackhole Exploit Kit (BHEK) disappeared after the arrest of “Paunch,” its author earlier in October 2013.
In March of 2015 we published our report “The Evolution of Exploit Kits” and noted how in 2013 a new exploit kit, Angler, quietly emerged onto the scene and by the end of 2014 had risen to become the number two exploit kit after the Sweet Orange Exploit Kit. We first noted Angler in December 2014.
In our Q2 2015 Quarterly Threat Report, “A Rising Tide: New Hacks Threaten Public Technologies,” we noted that Angler had surpassed the Sweet Orange and Nuclear exploit kits to become the number one exploit kit.
And then, writing about our 3Q2015 Quarterly Threat Report, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” I said that Angler had risen to the top of the exploit kit heap by maintaining its number one position for two quarters.
Since then, we have seen Angler solidly at the number one position for exploit kits.
Until now.
In our 2016 Midyear Security Roundup:” The Reign of Ransomware” our research shows that Angler’s reign as the top exploit kit came to a sudden end.
All seemed to be going well for Angler. As recently as March 2016, Angler was going strong. It had ended 2015 so strong that we called it the “King of Exploit Kits” in our 2015 Annual Security Roundup “Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies.” In our March 2016 review of exploit kits, we noted how Angler was then showing almost 60% of the exploit kit detections.
At that time, there was no reason to think that things would change. But if you look at our 2016 Midyear Security Roundup you’ll see that by June, Angler had nearly disappeared.
What happened?
Arrests. Arrests are what happened.
In June we noted how the arrest of 50 people in Russia and the United Kingdom for using malware to steal US$25 million, Angler effectively died.
If you look at our exploit kit activity on page 9 of our 2016 Midyear Security Roundup, you can see that even by March, when we were last writing about Angler, there was the beginning of a drop in activity (though it was still clearly number one). But after March there’s an unmistakable drop in Angler until it approaches zero by the end of June with a mere 90K accesses (compared with 1.2 million in January).
All indications are that Angler is gone for good. Its likely authors have been apprehended and other exploit kits are starting to jockey for position: Neutrino and Rig exploit kits are both moving to fill the vacuum.
While it would be better to report that with Angler out of the picture the exploit kit problem is going away, there’s still no doubt that that the fall of Angler means, for now at least, that exploit kit activity is less than it had been. Law enforcement activity isn’t a silver bullet but is a critical part of the overall program of keeping people safe.
The Angler story is an interesting one, though, because it lets us track the full lifecycle of a very successful piece of malware.
Angler Exploit Kit: 2013 – 2016
Number One Exploit Kit: May 2015 – June 2016
Goodbye and Good Riddance