View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 8, 2016updated 31 Aug 2016 10:36am

Angler, Ponmocup, CrytpoWall and more: 5 cyber attacks that just won’t go away

Lists: Hackers are reusing code to launch attacks.

By Charlotte Henry

If it ain’t broke, don’t fix it the old mantra goes, and it appears to be one that hackers are living by, if the end of 2015 and start of 2016 are anything to go by as they recycle and reuse previously deployed bits of malware.

Hacking is ultimately a business these days, and it’s more cost effective for hacker groups to use code that has previously been written, than come up with new attacks of their own.

Here are some attacks that just will not go away.


This massive botnet has been around since 2009. Since then it has infected nearly 15m people, and at its peak it had contol of 2.4m devices. When cyber security firm FoxIt documented it in December 2015 the botnet still had a grand total of 1m devices under its control.

The researchers said it is "one of the most successful botnets of the past decade, in terms of spread and persistence" with a "complex, distributed, and extensive, with servers for dedicated tasks."

Ponmocup is hard to find because it uses advanced anti-analysis techniques, and the researcher also found 25 unique plug-ins and 4000 variants.It is mostly used to make money for the attackers, and is thougt to be a multi-million dollar business, probably executed by Russian cyber criminals.


Malvertising was a key security theme of 2015, and it shows little sign of abating in 2016.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

In November 2015 the fourth iteration of the Cryptowall ransomware was discovered, with improved capability to exploit more vulnerabilities as a result of better communications and code in the malware. It was also harder to detect.

This week, Malwarebytes discovered the ransomware was being used to infect PCs with Flash plug-ins that had not been updated.

It was mostly affecting adult websites, which in itself is rather a return form hackers who have previously gone after sites like pornhamster.

The attack was carried out through pop-up adverts on the PopAds advertising network, using the Magnitude Exploit Kit, which then installed the CryptoWall.

Linux Encoder

This attack keeps resurfacing mainly because the hackers behind it keep failing. The first and second versions of the ransomware were ended after just a matter of days, as key bugs in the software allowed files to be decrypted without having to pay the ransom.

It was not third time lucky for the hackers this week though, as Bitdefender busted their latest attempt when it had only infected 600 servers. The firm identified the malware, and makd tools available to once again easily decrypt files.

Bitdfender’s Radu Caragea said: "As we expected, the creators of Linux.Encoder have fixed their previous bugs and have come up with a new and improved variant.

"Luckily for the victims, the new variant of Linux.Encoder is still vulnerable to key recovery attacks."


The BlackEnergy Trojan is widely thought to be behind the hack on the Ukranian power grid that took out electricity for hundreds of thousands of Ukrainians just before Christmas 2015, but it was far from a new development.

Steve Ward, senior director at iSight partners, told CBR that the Trojan had been loitering around the webs criminal underwold for a long while before it was used to deliver this particular payload.

That payload involved the KillDisk, which Symantec identified as having previously been used to attack Ukranian media outlets, and iSight believe the perpetrators had previously attacked EU and US Scada systems.

Angler Exploit Kit

The Angler exploit kit, which first appeared in 2013, is still widely used by cyber criminals. It is very aggressive in the way it avoids detection by security products, and multiple variations of it have occurred.

Websense considered it to be the most advanced piece of malware on the internet, as a result of what it described as "unique" obfuscation, fileless infections and encryption methods.

Angler was detected regularly throughout 2014, and in the later part of 2015. Indeed, in December a group of hackers placed it into a Guardian article.

The article was asking ‘Is cyber crime out of control?’ ….

And something new


This new piece of malware is almost terrifying in its simplicity, and is designed to be used for those that want to carry out an attack, but do not have the technical know how to do so. It is freely downloadable from a site on the dark web, with the developers take a 25% cut of any ransom received via a bitcoin wallet.

Ransom 32 is thought to be the first piece of malware written using HTML, CSS and Javascript. Users can configure the malware within the software, and it looks to be the start of ransomware-as-a-service.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.