The Angler exploit kit is a pre-packaged toolkit sold on the dark web that criminals use to distribute malware.
With an exploit kit, would-be attackers no longer need to find bugs in software; develop ways to exploit them; set up or take over web servers to host these exploits; and lure victims to booby-trapped websites known as landing pages. Likewise, exploit kit makers do not need to write malware; or keep track of infected computers; or collect money from victims; or exfiltrate and sell stolen.
When a vicitm visits a booby-trapped site they’re redirected to a website that hosts the Angler exploit kit. Here, Angler attempts to systematically exploit the victim with a list of known vulnerabilities (in Flash, Silverlight, Java, JavaScript…) and deliver the payload.
if Flash is installed
try exploit #1
if exploit works, deliver payload
else try exploit #2
if JavaScript is installed
try exploit #1
...
else give up
When a vulnerability can be exploited, Angler typically downloads the payload from a third web page. Although this can be any type of malware - like a password stealer or adware - ransomeware now makes up a significant portion of payloads.
You can read more about Angler on the Sophos website, which also contains news about how the exploit kit is now used to deliver Ransomeware.