We love to read news reports in which a police force takes down a major crime gang. In one swoop the community is cleansed. Can it happen in the digital world?
Cisco Systems security researcher Nick Biasini raises the question after activity from several widely used pieces of malware plunged last month, following the arrests of several people linked to the spread of Lurk, a banking trojan aimed specifically at Russian banks that drained some US$45 million from accounts.
Lurk, he writes, was largely distributed through the Angler exploit kit, which is often used to spread ransomware. But within a week of the arrests Angler, which he calls “the most prolific, successful and sophisticated compromise platform,” had disappeared from threat activity reports. In addition, around the same time Lurk disappeared so, apparently, did the Necurs botnet, which Biasini says is thought to be the largest botnet in the world. With Necurs down, the spread of the Dridex banking trojan and Locky ransomware dropped as well.
So perhaps a major player has been taken out.
That’s the good news. The bad news is that malware activity through the Rig and Neutrino exploit kits is increasing, suggesting surviving threat actors have shifted to other platforms. Worse, the Necurs botnet is back after three weeks.
“There is no way to say for certain that all of these threats are connected,” Biasini admits, “but there is one single registrant account that owned domains attached to all of them. If this one group (in Russia) was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars.”
But, as in the physical world, there are many organized crime groups around the planet, and they aren’t connected to each other. They are resilient, agile and well-funded. In the past cyber criminals have been arrested and sometimes jailed, but malware continues to evolve and spread.
“One thing this does show is that despite all the variety and different actors making use of these technologies there potentially was a much smaller group responsible for a far larger chunk of the crimeware space than previously estimated,” says Biasini. “Regardless, the threat landscape associated with crimeware has drastically changed over the last several weeks, and it will be interesting to watch it respond and evolve in the coming months.”