The Russian Magnitude malware exploit kit has moved on to the territory vacated by the defunct Blackhole Exploit Kit after successfully developing a new and highly profitable business model, according to security firm Trustwave.

The firm’s figures show that Magnitude (aka PopAds) now holds a 31 percent market share, not quite the vast and commanding share that Blackhole once enjoyed but good enough to mark it out as the leading automated malware platform for now.

Crimeware kits – better thought of as software platforms - matter for criminals because they offer a robotic way for gangs to start, manage and reap the profits of malware attacks without having to do the programming themselves. Crimeware platforms will even deploy exploits against software vulnerabilities, including zero days, and can be upgraded over time was new ones become available.

For the last three years or so the business model of these platforms has been akin to software-as-a-service, with the platform rented out on a commercial basis. Recently, however, Magnitude’s developers seem to have tried a new model based on taking a pre-agreed percentage of between 5 and 30 percent of the victim traffic grabbed by each campaign.

As Trustwave agrees, this doesn’t sound like a good deal, and in the past it wouldn’t have been.  What seems to have changed this is a combination of the considerable profits on tap from a single type of malware, ransomware, and the untraceable nature of the Bitcoin currency.

The firm said it had found $60,000 (£35,000) in the digital wallet of one cybercriminal wielding the CryptoWall ransom Trojan, a finding that chimes with that of another security firm, PhishMe, which recently discovered a separate wallet that had raided over $700,000-worth of Bitcoins from the same malware.

Clearly, the profits on offer from ransom malware are just too large and easy to rent out cheaply.

To offer some idea of how many individual systems are being hit by Magnitude-directed attacks, TrustWave discovered that the one-month total recently reached 210,000 out of a possible 1.1 million attacks attempted, including 32,000 infections in the US alone.

As well as the US, many other successful attacks were recorded against PCs in Ireland, Vietnam, Argentina, and India.

The analysis does at least offer some interesting clues that Magnitude’s developers are growing wary of police intervention, noting that it no longer accepted traffic from a range of mostly central Asian and African countries that turned out to have extradition arrangements with the authors’ home country, Russia.

The fact that the once mighty Blackhole Exploit Kit was destroyed almost overnight last December after its alleged creator Paunch was arrested in Russia probably also explains the desire to be more careful. Paunch serves as a warning that the golden age of effortless, risk-free malware systems is now probably over.

A separate Cisco report confirms the waning of exploit kits in general with overall traffic from this type of platform dropping massively after Blackhole’s demise. Paunch was just too big, too greedy and too successful. Perhaps the makers of Magnitude can avoid his fate by treading more carefully.