Neutrino was discovered in 2012 and remains active, exploiting vulnerabilities in all Java versions at least up to Java 7 Update 11. Neutrino downloads a ransomware variant on the victim’s machine when it successfully finds a vulnerable target. It features a user-friendly control panel, continuously monitors the status of present antivirus software, filters network traffic, and encrypts stolen information before sending it back to the server. Neutrino developers often purchase iframe traffic in order to generate additional revenue. Neutrino EK is available for rent at about $40 per day or $450 per month. Neutrino EK is now equipped with Cryptolocker 2 and CryptoWall 4.0 ransomware and variants of the Kovter malware – click-fraud malware that resides in registry, evading detection. Neutrino EK exploits Flash vulnerabilities including CVE-2015-7645, and uses Google SEO poisoning. Recently, Neutrino has been seen using Microsoft Office macros malware as a vector to spread through spear-phishing emails.

In May, Neutrino became the primary EK distributing CryptXXX ransomware, initiating a significant decline in Angler EK activity. As demand for Neutrino EK increased, the developers chose to increase the price of the EK from $880 per week on a shared server and $3500 per month on a dedicated server to $7000 on a dedicated server, discontinuing the shared server option.

In July, Neutrino EK is the main infection vector for the PizzaCrypts ransomware and is also distributing the Bandarchor and CrypMIC ransomware variants. Neutrino is currently one of the most active EKs and will likely continue adding additional functionality to further increase its usage.


  • December 2016: a Burlington Electric Department employee's work laptop connected to a suspicious IP address after the employee checked his Yahoo email account. The incident was first suspected to be connected to GRIZZLY STEPPE, a Russian hacking operation, but was later determined to be benign. The laptop, however, was infected with the unrelated Neutrino EK. (The Washington Post)
  • July 2016: Neutrino distributes the CrypMIC ransomware. (Trend Micro)
  • July 2016: Neutrino distributes the Bandarchor ransomware. (Malware-Traffic-Analysis)
  • July 2016: Neutrino distributes the Pizzacrypts ransomware. (Sensors Tech Forum)
  • June 2016: Neutrino EK uses fingerprinting techniques to avoid unnecessary attention by determining undesired users –  checking for debuggers, specific software, and operating systems – and terminating malicious activity against these users. (MalwareBytes)
  • May 2016: Neutrino replaces Angler as primary CryptXXX distributor. (iTWire)
  • March 2017: Microsoft has patched a zero-day vulnerability that was used in an AdGholas malvertising campaign that integrated Neutrino. (Bleeping Computer)
  • June 2017: Neutrino appears to have shut down; the last recorded activity was from early April 2017. (Bleeping Computer)
  • July 2017: French domain registrar Gandi had 751 domains hijacked and DNS records changed to redirect traffic to websites hosting the RIG and Neutrino EKs. (BleepingComputer)

Technical Details

One example of the Neutrino EK back-end infrastructure. Image Source: Softpedia