There is a lot of chat and buzz on Twitter, Facebook, private forums and mailing lists amongst security researchers and anti-malware companies this last week. It has been extremely quiet, malware-wise, with a vastly reduced, in fact almost non-existent, flow of mass malspam.
We have been so used to seeing daily malspam campaigns from the Dridex and Locky groups that we all worry when nothing is seen for a few days. Almost 10 days is totally unprecedented. Questions are being asked: “What is happening?”
Several explanations are being put forward, all of which are plausible, but we just don’t know and are waiting with bated breath for the next outbreak to occur.
Some suggestions include the recent well-publicised arrests in Russia, which might have included the leaders of the Locky / Dridex malware gangs. It might be that these gang members and leaders have decided to take a short break until the furore has died down, stay under the radar, and bounce back in a few days, stronger and more aggressive to make up for lost time and money.
Another suggestion is that the gang leaders are taking a break from activities to visit the various security conferences and exhibitions this week, BSides and InfoSec Europe, where they will see what the mainstream and smaller anti-malware companies are coming up with and develop workarounds accordingly.
Other suggestions imply that ISIS or other Islamic terrorist groups or their supporters have infiltrated the gangs and virtually taken them over. They have decided to be good Muslims and are taking a break from nefarious activities during the Islamic holy month of Ramadan. Personally, I find this difficult to believe, but it is possible. It isn’t the infiltration that is hard to believe, but the taking a break from their nefarious activities and criminal behaviour during Ramadan.
The other most likely scenario, in my personal opinion, is that recently the returns on investment have been so poor, due to actions from researchers, anti-virus companies and ISPs, that they are regrouping and developing even more dangerous and hard-to-detect or hard-to-prevent versions of the malware and delivery methods. The mass generic malspam over the last few months has been declining in quality: so easy to recognise as malspam, and nowhere near as effective in fooling users as older versions with better-crafted and more plausible emails.
Looking back over the years, I know which one of these 3 emails I would be more likely to fall for.
There are still other malware campaigns continually running and being delivered via email, as well as via compromised and infected websites, adverts, etc. Brad from Malware Traffic mentions some of them in THIS blog post on the SANS InfoSec website.
To sum up, don’t relax your vigilance. Give thanks for a few days or weeks of rest from the major onslaughts and from defending against malware, phishing and malspam. Gird your loins and be prepared to come back into the fray, slightly more refreshed and ready to do battle.