RIG Exploit Kit Still Dominant, but Struggling to Find Revenue
By Allan Liska on May 17, 2018
A recent report from Zscaler confirms previous reporting from Palo Alto’s Unit 42 and others that while the RIG exploit kit (EK) remains the dominant EK, it is far less prevalent than it was a year ago, and the attackers using it are struggling to find an effective revenue model amid the continued decline of ransomware.
The RIG EK has undergone a serious makeover over the last few years. At its height in January 2017, RIG was primarily known for distributing ransomware, including Locky, CryptoMix, and Cerber (see the image below). January 2017 was also near the height of ransomware attacks, so it should be no surprise that ransomware was the primary payload for the RIG EK.
It is becoming clear that as widely distributed, non-targeted ransomware attacks have become less effective, the efficacy of the RIG EK has also waned. The image below shows the dwindling discussion around the RIG EK on the dark web.
Interestingly, even though the number of victims successfully exploited by the RIG EK is on the decline, the RIG EK has become more technically effective. The developers behind the RIG EK continue to improve its payloads and loaders, such as the recent introduction of the Grobios loader, so that when it is able to exploit a remote target, there is a greater chance of success.
Better patching practices, more secure browsers, and a drop-off in the use of Adobe Flash have led to the decline of successful exploitations by the RIG EK (and others). So, while RIG is still the most popular EK, it is far less popular than it once was.
This has forced the attackers behind the RIG EK to diversify payloads. Rather than simply focus on ransomware, Recorded Future has observed a multitude of payloads being distributed by the RIG EK over the last three months. In addition to ransomware, there are also cryptominers, banking trojans, and information stealers all being delivered as payloads.
The problem is that the combined revenues from these diverse payloads are significantly less than the revenues from earlier ransomware attacks. Even the GandCrab ransomware, which is the largest ransomware campaign this year, is seeing significantly fewer infections than Locky, Cerber, and others did in their heyday.
In other words, the teams behind the RIG EK are forced to diversify their payloads in an attempt to equal the income from previous years, but it does not seem to be working.