Cybercriminals Spread Sodinokibi Ransomware Through RIG Exploit Pack

Sodinokibi Spread Through RIG Exploit
Written by Brendan Smith

The cybercriminals behind the Sodinokibi ransomware use the RIG exploit pack to spread malware to target machines.

Attackers exploit bugs in browsers to covertly set payloads and block files. The initial infection occurs through advertising banners on blogs and online games. The ad leads the victim to a criminal resource that secretly tries to run a malicious script from the RIG arsenal on the computer.

Cybercriminals operate through Flash vulnerabilities in browsers and, if they successfully exploited, send a payload to the device. The attack does not require user interaction.

As the exploit kit will install the ransomware without the user’s knowledge, other than the suspicious Internet Explorer crash, most users will not know they are infected until the ransomware has finished”, — reports Bleeping Computer magazine.

At the first stage, an obfuscated VBS script is delivered to the machine using malicious JavaScript, which acts as a loader and installer for Sodinokibi. The ransomware secretly encrypts files, after which it sets the desktop wallpaper and creates a text document with a ransom demand. The malware assigns a unique identifier to the infected device and adds it as an extension to all encoded objects.

Read also: Researchers Create Free Nemty Ransomware Decryptor

An information security specialist with the pseudonym mol69 spoke about the new attack vector on Twitter. According to the expert, the campaign is aimed at users from Southeast Asian countries.

This new malvertising campaign is targeting Internet Explorer users from Vietnam, Korea, Malaysia and possibly other Asian countries”, — said mol69.

A little later, the analyst said that attacks are also conducted through the Fallout exploit pack.

In September of this year, an independent researcher nicknamed Security Aura found that cybercriminals used overlays on hacked sites to distribute Sodinokibi. According to him, the attackers injected a script into the code of the vulnerable WordPress resource that displayed a frame with a fake Internet forum on top of the legitimate page, where one of the messages contained a malicious link. For more convincing messages, the branches were selected taking into account the subject of the infected site.


Unfortunately, currently there is no free method of decrypting the Sodinokibi/REvil Ransomware. Users are advised to restore from backups if it is at all possible rather than paying the ransom.

Read also: IS researchers believe ‘REvil’ is GandCrab rebranding

As always, to protect yourself from exploit kits, users should always have the latest Windows updates installed, their programs update, and to upgrade any web applications that require Internet Explorer as the RIG exploit kit only targets this outdated browser.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.


  1. MLG420 November 16, 2019
    • MLG420 November 16, 2019

Leave a Reply