Cybercriminals Spread Sodinokibi Ransomware Through RIG Exploit Pack

The cybercriminals behind the Sodinokibi ransomware use the RIG exploit pack to spread malware to target machines.

Attackers exploit browser bugs to covertly drop a payload and lock the victim's files. The initial infection starts with advertising banners on blogs and online gaming sites. The ad redirects the victim to an attacker-controlled site that silently attempts to run a malicious script from the RIG arsenal on the computer.

The cybercriminals exploit Flash vulnerabilities in the browser and, if exploitation succeeds, deliver the payload to the device. The attack requires no user interaction.

“As the exploit kit will install the ransomware without the user’s knowledge, other than the suspicious Internet Explorer crash, most users will not know they are infected until the ransomware has finished,” reports Bleeping Computer.

In the first stage, malicious JavaScript delivers an obfuscated VBS script to the machine; this script acts as the loader and installer for Sodinokibi. The ransomware silently encrypts files, then changes the desktop wallpaper and drops a text file containing the ransom demand. The malware assigns a unique identifier to the infected device and appends it as an extension to every encrypted file.
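The two symptoms described above, one unfamiliar suffix appended to many files that still carry their original extension and a dropped ransom-note text file, lend themselves to a simple host-side heuristic for spotting an already-running encryption. The following Python script is an added example, not code from the article or from any researcher it cites; the allow-list of extensions, the ransom-note keywords, the sample suffix `.x7k2q9` and the note wording are all constructed for the demo and are not real indicators.

```python
"""
Added example (not from the article): a defensive heuristic that flags a
directory tree showing the symptoms the article attributes to Sodinokibi:
many files sharing one unfamiliar appended suffix (the per-victim ID) on top of
their original extension, plus a small text file that reads like a ransom note.
All sample values below are constructed for the demo.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions a normal user directory is expected to contain (assumption: a
# small allow-list for the demo; a real deployment would use a far larger one).
KNOWN_EXTENSIONS = {
    ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".zip", ".mp4",
}

# Phrases typical of ransom notes (assumption: illustrative keywords only).
NOTE_KEYWORDS = ("your files", "encrypted", "decrypt", "pay", "key")

MIN_SUSPECT_FILES = 5  # files sharing one unknown suffix before we raise a flag


def split_suffix(name: str):
    """Return (original_extension, appended_suffix) for names shaped like
    'report.docx.a1b2c3d'; return (None, None) when the pattern is absent."""
    m = re.fullmatch(r".+?(\.[A-Za-z0-9]{1,5})(\.[A-Za-z0-9]{4,12})", name)
    if not m:
        return None, None
    orig_ext, appended = m.group(1).lower(), m.group(2).lower()
    # Only a known extension followed by an unknown one counts as suspicious.
    if orig_ext in KNOWN_EXTENSIONS and appended not in KNOWN_EXTENSIONS:
        return orig_ext, appended
    return None, None


def looks_like_ransom_note(path: Path) -> bool:
    """A small .txt file containing at least three ransom-note keywords."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > 64 * 1024:
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(kw in text for kw in NOTE_KEYWORDS) >= 3


def scan_directory(root) -> dict:
    """Walk `root`; report suspicious appended suffixes and ransom-note files."""
    suffix_counts = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            _, appended = split_suffix(fn)
            if appended:
                suffix_counts[appended] += 1
            elif looks_like_ransom_note(p):
                notes.append(str(p))
    suspicious = {s: n for s, n in suffix_counts.items() if n >= MIN_SUSPECT_FILES}
    return {
        "suspicious_suffixes": suspicious,
        "ransom_notes": notes,
        # Both signals together give a much stronger verdict than either alone.
        "flagged": bool(suspicious) and bool(notes),
    }


def build_sample_tree() -> str:
    """Create a constructed directory mimicking a post-infection user folder."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Six documents that all received the same constructed per-victim suffix.
    for i in range(6):
        (docs / f"report{i}.docx.x7k2q9").write_bytes(b"\x00" * 32)
    # Two untouched files and a constructed ransom note.
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (docs / "notes.txt").write_text("shopping list: milk, eggs")
    (docs / "x7k2q9-readme.txt").write_text(
        "All of your files are encrypted. To decrypt them you must pay for the key."
    )
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```

Run stand-alone it builds the sample tree in a temp directory and prints the report; on the constructed data it finds six files carrying `.x7k2q9` and one ransom note, and sets `flagged` to true. The two-signal design matters: a uniform unknown suffix on its own also matches backup tools and some sync clients, so the note is required as corroboration before raising an alert.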


An information security researcher using the pseudonym mol69 described the new attack vector on Twitter. According to the researcher, the campaign targets users in Southeast Asian countries.

“This new malvertising campaign is targeting Internet Explorer users from Vietnam, Korea, Malaysia and possibly other Asian countries,” said mol69.

A little later, the analyst said that attacks are also conducted through the Fallout exploit pack.

In September of this year, an independent researcher nicknamed Security Aura found that cybercriminals were using overlays on hacked sites to distribute Sodinokibi. According to him, the attackers injected a script into a vulnerable WordPress site that displayed a frame with a fake Internet forum on top of the legitimate page, where one of the posts contained a malicious link. To make the posts more convincing, the forum threads were chosen to match the subject matter of the infected site.

Recommendations:

Unfortunately, currently there is no free method of decrypting the Sodinokibi/REvil Ransomware. Users are advised to restore from backups if it is at all possible rather than paying the ransom.


As always, to protect themselves from exploit kits, users should install the latest Windows updates, keep their programs updated, and upgrade any web applications that still require Internet Explorer, since the RIG exploit kit targets only this outdated browser.


About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
