2016 saw dramatic changes in the exploit kit environment. At the start of the year, Angler, Nuclear, Neutrino, and RIG were clear leaders among exploit kits. By November, RIG was the only one from that group still active. As Figure 10 shows, exploit kit activity dropped off significantly around June. Nuclear was the first to disappear, suddenly ceasing operation in May. Why its authors abandoned it is a mystery. The Neutrino exploit kit, which also left the scene in 2016, relied on Flash files to deliver vulnerabilities. (See Figure 11 on the next page for a list of the top vulnerabilities in known exploit kits in 2016.)
...
Angler—the most advanced and largest among known exploit kits—also targeted Flash vulnerabilities and was linked to several high-profile malvertising and ransomware campaigns. However, unlike the disappearance of Nuclear and Neutrino, Angler’s departure in 2016 is not a mystery. In late spring, about 50 hackers and cybercriminals were arrested in Russia; the group was linked to the Lurk malware, a banking Trojan that specifically targeted Russian banks.¹⁰ Cisco threat researchers identified clear connections between Lurk and Angler, including the fact that Lurk was being delivered largely through Angler to victims inside Russia. Following the arrests, Angler vanished from the exploit kit marketplace.¹¹