Following the shuttering of the Necurs botnet, used to send out malicious email blasts delivering Locky and Dridex, a number of security researchers noticed a subsequent drop in Angler exploit kits and other malware campaigns.
But, early last week, researchers at SANS ISC and Malwarebytes observed that campaigns were now using Neutrino EK to distribute CryptXXX ransomware, which had previously only been observed dropping via Angler EK.
Concurrently, a researcher at Proofpoint, noted that Angler EK activity ceased after June 7, which the company has since corroborated.
"Shifting from one exploit kit to another is nothing new and threat actors may even use more than one regularly," the researchers at Proofpoint said.
Despite the reduction in activity, though, the Proofpoint researchers expect the lull to eventually give way to an increase in ransomware. "As long as there is money to be made, threat actors will continue to innovate," they said.