A sudden drop in cybercrime activity related to major threat families Locky, Dridex, and Angler have Symantec cybersecurity experts taking note, but still keeping a vigilant eye on the associated malware gangs. One reason for the decrease may be the arrest of 50 people in Russia thought to be involved in the group behind the Lurk banking fraud.
Locky Dropoff
One of the most prevalent ransomware threats in 2016, Locky has shown a significant drop in activity during the month of June. Blocked Locky infections per week went from more than 3,000 in May to the low hundreds this month. That means that new Locky cases, either from spam campaigns or exploit kits, have dramatically fallen.
Figure 1. Blocked Locky infections by week, showing drop in activity over past two weeks
Dridex Slowdown
Financial fraud Trojan Dridex has also almost disappeared — but not quite. The Dridex botnet’s subnets continue to operate, and Symantec has noted that Word macro downloaders are still delivering Dridex through spam campaigns.
Figure 2. Blocked Dridex infections by week, showing low activity in recent weeks
Angler Inactivity
The Angler exploit kit has dropped off the radar, with no reported payloads being delivered since the start of May. This isn’t the first time Symantec Security Response has seen Angler go dark, so it remains uncertain whether this well-known exploit kit has gone extinct.
Figure 3. Payloads being delivered by Nuclear exploit kit. Activity ceases in first week in May.
Russian Arrest Connections?
Given that most of the affected threats have not disappeared entirely, it appears unlikely that they are directly connected to the Lurk group. One possible explanation is that the law enforcement takedown against Lurk could have resulted in the shutdown or seizure of infrastructure used by other attacker groups, who have since been working to resume their operations.
Symantec Security Response is continuing to monitor the situation and will provide further updates if new information comes to light.