In the last few months, the exploit kit market experienced a major shake-up: the three major leading kits “died,” some in tragic circumstances (for their operators).

This is big news, as exploit kits were responsible for most of the web-based cyberattacks in the last few years.

Exploit Kits Origin Story

Exploit kits are malicious software platforms that allow novice and advanced hackers – exploit kit customers – to distribute malware easily by exploiting clients-side vulnerabilities. Usually these are vulnerabilities on browsers or browser plugins. The exploit kit only handles distribution and the execution of the malware, not the malicious operation itself.

Exploit kits support three core functions:

  1. Scanning the victim’s environment (e.g., browser, plugins) for relevant vulnerabilities
  2. Executing the appropriate exploit based on the scan result, enabling it to run arbitrary code on the victim’s machine
  3. Dropping the customer’s malware – called a “payload” – to the victim’s machine and executing it

Exploit kits were first witnessed in 2006 when WebAttacker was sold as a product in the Russian underground for $20; this low, low fee even included tech support.

Today, the leading exploit kits are run as a SaaS, rented to their customers for prices that can reach up to $10,000 per month per user. Considering the impact these kits can have, it’s no wonder unscrupulous customers are willing to pay up.

According to Trustwave’s 2016 Global Security Report, exploit kits were responsible for the majority of client-side exploits in 2015. This means that most of the malware campaigns that were distributed via the web were distributed by exploit kits.

The Battle 

In May 2015, Angler EK dominated exploit kits. According to exploit kit tracking, Angler alone was responsible for 82 percent of the malware cyberattack campaigns that were operating at the beginning of the year, up 60 percent less than a year.

The runner-up was Nuclear EK, which played an integral role in the infamous Locky ransomware, responsible for a distant 16 percent of cyberattacks in May 2015. Neutrino EK accounted for 20 percent of cyberattacks in January 2015 before slipping off the radar, only to make play for the crown in the summer of 2016 (see below).

These three exploit kits were responsible for endless damage, and made their authors multi-millionaires. Oh how the mighty have fallen.

As Shocking as GOT Season 1 Finale

In June 2016, 50 members of the organization that created and ran Angler EK known as the “Lurk” gang were arrested by Russian authorities.

In May, Check Point published revealing research reports on the structure of Nuclear EK. Nuclear’s operators, sensing the end was near, closed up shop almost immediately.

At the departure of its two giant rivals, Neutrino took the opportunity to price gouge, doubling its monthly fee from $3,500 to $7,000. However, by the beginning of October, it closed its business for unknown reasons. Some researchers hypothesize it’s not gone, but merely private, serving a single cybercrime ring in mega operations.

Successors

In the past, when the leaders of exploit kits were arrested or the operation went out of business, the result was:

  1. There was a temporary decrease in exploit activity and web-based cyberattacks
  2. A new or smaller player rose to dominance
  3. Back to business-as-usual

There is evidence that indicates that the same process is happening now. After Angler and Nuclear fell, exploit kit traffic fell by 96 percent in two months. With the mysterious exit of Neutrino, the smaller player “RIG” made a move to fill the void.

As for a return to business-as-usual? Only time will tell. But as long as there’s big bucks and bigger notoriety to be gained from the exploit kit market, the game-of-thrones style clamor for dominance will surely be the norm.