Criminals move quickly to other exploit kits after arrest of BlackHole author


Soon after the arrest of “Paunch,” the author of the infamous BlackHole crimeware kit, miscreants began switching out exploits in the kit, researchers found.

On Wednesday, Jeff Williams, director of security strategy for Dell SecureWorks Counter Threat Unit (CTU), told that Reveton ransomware had already been moved from BlackHole to a newer exploit kit, Whitehole, which emerged on researchers' radars in February.

On Tuesday, Troels Oerting, the head of the European Cybercrime Center, confirmed with TechWeekEurope that BlackHole's developer had been arrested. On Monday, Maarten Boone, a security researcher at Dutch security firm Fox-IT, broke the news via Twitter that Paunch was apprehended by Russian police.

“There are other kits out there and we've already seen various exploits move from BlackHole to other kits, like Reveton ransomware,” Williams said in a Wednesday interview. When someone is infected by Reveton, it encrypts the hard drive and gives them the option to pay to get it decrypted, he warned.

Criminals spread Reveton via crimeware kits by exploiting vulnerable software on users' machines.

Often, the malware tricks users into paying the ransom by freezing users' computers and bombarding them with bogus alerts from law enforcement which say they have violated federal law, typically for copyright or child pornography infractions.

In the wake of Paunch's arrest, Williams said that criminals will likely continue to distribute the threats formerly delivered through BlackHole by packaging them with other exploit kits.

“My presumption is that criminals will move to some of these other kits, but I think it's also kind of a warning shot to know that law enforcement are looking actively to keep the perpetrators from carrying out their crimes,” Williams said.

In a Wednesday email to, Steve Santorelli, Team Cymru's director of security research, said that the arrest was liable to have a negligible impact on the black market due to the fast moving nature of the exploit business.

“As ubiquitous as [BlackHole] once was – and many new cyber criminals cut their teeth on it and made a lot of money from it – it's last year's technology. In cyber crime terms, that might as well be last century,” he wrote.

Already this month, criminals have turned to easy-to-use toolkits, like Neutrino, Glazunov and Sibhost, he said.

“They thrive because they are so easy to configure and deploy,” Santorelli said. “They often have good help pages, great and fast technical support and a low price point with regular updates. You don't need to know what's under the hood to drive them, and that's why they are so dangerous.”
