Major Cyber-Crime Campaign Switches from CryptXXX to Locky Ransomware
There was a shift at the start of July in terms of ransomware distribution via exploit kits, with one of the biggest such sources switching from CryptXXX to Locky’s Zepto variant.
After the shutdown of the Nuclear exploit kit in May and Angler in June, ransomware distribution via exploit kits took a break as cyber-crime actors switched to the Nuclear exploit kit.
Coincidentally, at about the same time, the Necurs botnet, the biggest source of Locky ransomware spam, also took a three-week break. Then when it came back at the end of June, it returned with a new version of Locky, known as Zepto ransomware.
Afraidgate drops CryptXXX for Locky’s Zepto variant
Security researchers from Palo Alto Networks are reporting that Afraidgate, the biggest source of ransomware infections via exploits kits, was one of the cyber-crime campaigns that switched from Angler to Neutrino, shutting down activities while this happened.
When it came back, it continued to deliver the CryptXXX ransomware, but around June 29, it shyly started to push the Locky Zepto variant in small numbers, slowly growing, until it completely replaced CryptXXX by July 11.
Taking a look at the entire ecosystem, researchers say that, at the moment, the Neutrino exploit kit has managed to corner the market in ransomware distribution, also convincing the crooks behind the EITest and pseudo-Darkleech campaigns to jump on board.
Outside the closed group that delivers Cerber ransomware via the Magnitude exploit kit, the entire market that spreads ransomware via exploit kits seems to be completely dominated by Neutrino.
CryptXXX dominant position threatened by an expanding Locky
According to a recent Proofpoint report for Q2 2016, the older versions of Locky accounted for 69 percent of all the email spam while CryptXXX completely dominated the exploit kit distribution, being exclusively spread via this method of infection.
With the Afraidgate campaign dropping CryptXXX for Locky, statistics for Q3 are bound to be a little different.
Just like the EITest and pseudo-Darkleech campaigns, Afraidgate relies on crooks hacking websites and adding malicious code to the site to redirect traffic to their exploit kits.
Currently, Neutrino exploit kit domains are easy to spot because of the broad usage of .top domain extensions.