Operators behind Angler Exploit Kit included CryptoWall 4.0

The latest variant of CryptoWall 4.0, one of the most popular and dangerous ransomware threats, has been recently added to the infamous Angler Exploit Kit.

In my 2016 Cyber Security Predictions, I predicted that criminal extortion practices would reach levels never seen before. Cyber criminals will threaten victims with ransomware and DDoS attacks in an attempt to extort money to stop the attacks or to allow victims to recover the locked files. Ransomware will be used to target IoT devices like smart TVs, wearables and medical devices.

The latest variant of CryptoWall 4.0, one of the most popular and dangerous ransomware threats, has recently been added to the infamous Angler Exploit Kit (EK); the researchers at Bitdefender made the interesting discovery.

“After exploit kit usage had gone up by 75% in 2015, it was only a matter of time before the notorious Angler Exploit Kit showed signs of activity and indeed, it was seen adding a new tool to its malware portfolio. CryptoWall 4.0, first uncovered and analyzed by Bitdefender researchers in November 2015, is the latest threat to be added to the malicious arsenal,” states Bitdefender.

The Angler EK was first spotted back in 2013; the number of victims rapidly increased, reaching a peak in 2014.

CryptoWall 4.0 first appeared in the wild in October 2015. This variant pretends to be testing AV solutions and, according to the experts, includes a new and advanced malware dropper mechanism alongside improved communication capabilities.

The experts at Bitdefender confirmed that the operators behind the Nuclear EK added CryptoWall 4.0 to their crimeware kit.

According to a recent blog post from Bitdefender, CryptoWall 4.0 is now being delivered by the Angler EK as well, one of the most used exploit kits out there.

In October 2015, experts at the Cisco Talos Group performed in-depth research on the threat actors behind the Angler Exploit Kit, and even had behind-the-scenes access.

Talos gained an inside view of one of the health monitoring servers utilized by an Angler Exploit Kit instance active throughout the month of July 2015. This single server was seen monitoring 147 proxy servers, allegedly generating approximately $3 million in revenue over the span of that single month of July.
Additionally, Talos has determined that this single Angler instance is (or was) responsible for half of all Angler activity that they observed and is likely generating more than $30 million annually. Furthermore, this revenue was generated by the distribution of Ransomware.

In November, security experts noticed that another exploit kit, the Nuclear exploit kit, had been used to serve the CryptoWall 4.0 ransomware.

The inclusion of CryptoWall 4.0 in the Angler EK demonstrates the ability of cybercriminals to follow the evolution of threats and the efficiency of their operations.

Pierluigi Paganini

(Security Affairs – CryptoWall 4.0, Angler EK)

