Angler exploit kit rings in 2016 with CryptoWall ransomware

Thanks to Fraser Howard of SophosLabs for his behind-the-scenes work on this article.

What do cybercrooks do over New Year?

Some of them, you probably won’t be surprised to learn, take a vacation, or something resembling one.

At least, that’s what SophosLabs noticed from the crooks behind the notorious Angler exploit kit, activity from which seemed to drop off on New Year’s Eve.

(Or perhaps the rest of the world simply took a break from surfing the internet and concentrated on other things, such as watching the fireworks, first-footing neighbours, or swigging down refreshing beverages, leaving Angler with not much online action upon which to intrude.)

Whatever happened on New Year’s Eve, however, wasn’t the end of Angler, because it was soon back to its 2015 infection levels.


To explain: an exploit kit is a pre-packaged toolkit of malicious web pages that crooks can buy, license or lease for the purpose of distributing malware.

In other words, if you have some shiny new malware – ransomware, perhaps, or a zombie, or a password stealer – you can use an exploit kit to deliver that malware to unsuspecting victims.

Instead of figuring out how to booby-trap your own web pages so that visitors end up infected, you rely on pre-prepared attack code in an exploit kit to try out a series of known security holes, in the hope that one will succeed.

An exploit kit is usually delivered directly into a potential victim’s browser in the form of convoluted and hard-to-follow JavaScript, and automatically tries out a series of attacks, typically in the most likely sequence, until one of them works, or they’ve all failed, something like this:

if java installed then  
   try java exploit 1
   if exploit worked then install malware end   
if silverlight installed then
   try silverlight exploit 1
   if exploit worked then install malware end   
   try silverlight exploit 2
   if exploit worked then install malware end   
if flash is installed then
if nothing worked then give up end

The same exploit kit can be used to deliver multiple different malware samples; and the same malware sample can be delivered by one or more different exploit kits.


Thanks to exploit kits, malware authors don’t need to worry about how to find bugs in Java, or Silverlight, or Flash; how to build those bugs into working exploits; how to find insecure web servers to host the exploits; or how to entice prospective victims to the booby-trapped web pages.

Likewise, the exploit kit authors don’t have to worry about writing full-blown malware; they don’t have to run servers to keep track of infected computers, or to collect money from individual victims; they don’t have to get involved in exfiltrating stolen data, or selling that data on, and so forth.

Each group specialises in one or more parts of the threat landscape, in what’s become known, satirically, as CaaS, or Crimeware-as-a-Service.

Interestingly, even though an exploit kit can in theory be used to deliver almost any sort of malware (indeed, the crooks can choose which malware to implant at runtime if they want), SophosLabs has found that so far in 2016, Angler’s biggest partners in crime are…

…the guys behind the CryptoWall ransomware.


If you’ve been reading Naked Security lately, you’ll know that CryptoWall 4.0 is latest version of this ransomware family.

Version 4 is very similar to earlier versions, inasmuch as it scrambles all your files using a cryptographic key that is known only to the crooks, whereupon the malware offers to sell you the key for a few hundred dollars.

If you don’t have a decent backup, and you want to recover your data, you don’t have much choice but to pay up.

The CryptoWall crooks, for better or for worse, have established a reputation for what counts as honesty amongst rogues. If you pay, you almost certainly will receive your key, and you almost certainly will get your data back. Unfortunately, each key is unique to a single infection, so you can’t join forces with other victims to share the cost. Each victim stands or falls alone.

But there are some curious differences in CryptoWall 4.0, too, notably that it doesn’t just scramble your files and then wait for you to open one of them and receive an error.

CryptoWall 4.0 is much more in-your-face than previous versions, scrambling your filenames as well as their contents, to make the extent of its damage much more immediately obvious:


To boost your defences against exploit kits:

  • Patch early, patch often. If you have already closed the holes that an exploit kit is programmed to try, all its alternatives will fail and the exploit kit will be useless.
  • Remove unused browser plugins. If you don’t need Java (or Silverlight, or Flash) in your browser, uninstall the plugin. An exploit kit can’t attack a browser component that isn’t there.
  • Use an active anti-virus and web filter. Good virus detection tools will block the whole exploit kit if even one its components (or associated web pages) is suspected.

To boost your defences against ransomware, try all of the above, plus:

  • Make regular backups, and keep a copy offsite. If you encrypt your backups, then you can store them at a friend’s house (and vice versa) without each of you worrying about what happens if the other’s home gets burgled.
  • Use administrative accounts only when necessary, not all the time. Most ransomware will scramble any file to which it has write access, even if it’s on a removable device or a network drive.


• Angler exploit kit delivery pages: Mal/Redir-AE
• CryptoWall 4.0 ransomware: HPMal/Ransom-(I,R)

Image of Angler fish courtesy of Shutterstock.