Threat Management, Incident Response, Malware, TDR

Criminals move quickly to other exploit kits after arrest of BlackHole author

Soon after the arrest of “Paunch,” the author of the infamous BlackHole crimeware kit, miscreants began switching out exploits in the kit, researchers found.

On Wednesday, Jeff Williams, director of security strategy for Dell SecureWorks Counter Threat Unit (CTU), told that Reveton ransomware had already been moved from BlackHole to a newer exploit kit, Whitehole, which emerged on researchers' radars in February.

On Tuesday, Troels Oerting, the head of the European Cybercrime Center, confirmed with TechWeekEurope that BlackHole's developer had been arrested. On Monday, Maarten Boone, a security researcher at Dutch security firm Fox-IT, broke the news via Twitter that Paunch was apprehended by Russian police.

“There are other kits out there and we've already seen various exploits move from BlackHole to other kits, like Reveton ransomware,” Williams said in a Wednesday interview. When someone is infected by Reveton, it encrypts the hard drive and gives them to the option to pay to get it unencrypted, he warned.

Criminals spread Reveton via crimeware kits by exploiting vulnerable software on users' machines.  

Often, the malware tricks users into paying the ransom by freezing users' computers and bombarding them with bogus alerts from law enforcement which say they have violated federal law, typically for copyright or child pornography infractions.

In the wake of Paunch's arrest, Williams said that criminals will likely continue to package other exploit kits with BlackHole threats.

“My presumption is that criminals will move to some of these other kits, but I think it's also kind of a warning shot to know that law enforcement are looking actively to keep the perpetrators from carrying out their crimes,” Williams said.

In a Wednesday email to, Steve Santorelli, Team Cymru's director of security research, said that the arrest was liable to have a negligible impact on the black market due to the fast moving nature of the exploit business.

“As ubiquitous as [BlackHole] once was – and many new cyber criminals cut their teeth on it and made a lot of money from it – it's last year's technology. In cyber crime terms, that might as well be last century,” he wrote.

Already this month, criminals have turned to easy-to-use toolkits, like Neutrino, Glazunov and Sibhost, he said.

“They thrive because they are so easy to configure and deploy,” Santorelli said. “They often have good help pages, great and fast technical support and a low price point with regular updates. You don't need to know what's under the hood to drive them, and that's why they are so dangerous.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.