RIG was discovered in 2014 and remains one of the most active exploit kits today. In February 2015, a security researcher from MalwareTech reported that an underground reseller leaked RIG's source code after being banned from a hacker forum for trying to scam customers. However, on August 3, 2015, Trustwave reported that the author of the original RIG EK had released an updated version, labeled RIG 3.0, which maintains the exploitation success rate of the previous version while vastly increasing the number of times it exposes victims to its landing page. After monitoring RIG 3.0 over a six-week period, Trustwave SpiderLabs researchers observed an average infection rate of 27,000 machines per day, totaling over 1.3 million infections worldwide.

RIG 3.0 targets vulnerabilities in Java, Internet Explorer, Flash, and Silverlight, and spreads through malvertisements on web pages. According to Heimdal Security, more than 50 percent of Windows 7 devices running Internet Explorer 9 are exploited by RIG EK through two Flash vulnerabilities (CVE-2015-5119 and CVE-2015-5122). RIG EK has also been seen spreading through drive-by attacks using Google search engine optimization (SEO) poisoning and malvertising. In December 2015, Cyphort discovered RIG infecting victims with Radamant ransomware.

After the April-May 2016 decrease in Angler and Nuclear EK activity, RIG EK activity has increased, making it the third-most used EK at about 15 percent of all EK activity.

In June 2016, researchers from Palo Alto Networks discovered the RIG EK distributing the CryptoBit ransomware, also referred to as "CriptoBit" and "Mobef".


  • January 2016: RIG EK activity increase during Angler EK break. (CSO)

  • June 2016: RIG distributes the CryptoBit ransomware. (Palo Alto Networks)

  • June 2016: Increase in RIG EK activity. (Threatpost)

  • November 2016: A variant of RIG, labeled "RIG-Empire Pack" or "RIG-E", is distributing the CryptoLuck ransomware to victims. (Bleeping Computer)

  • November 2016: A variant of RIG, labeled "RIG-V" for "VIP", is distributing the Cerber ransomware. (Bleeping Computer)

  • December 2016: RIG was the top EK for the fourth month in a row, accounting for 34.8% of overall EK activity in December; all other EKs accounted for small percentages of the EK landscape. (Security Week)

  • January 2017: The EK is distributing a new CryptoMix/CrypMix variant CryptoShield 1.0 ransomware. (Bleeping Computer)

  • January 2017: RIG is distributing Sage ransomware. (Bleeping Computer)

  • January 2017: RIG-V is now distributing the Spora ransomware. (Bleeping Computer)

  • January 2017: The latest version of the RIG exploit kit is taking advantage of outdated versions of applications such as Flash, Internet Explorer, or Microsoft Edge to distribute the Cerber ransomware. (ISS Source)

  • February 2017: CryptoShield infections delivered by RIG have increased in early 2017. (ThreatPost)

  • March 2017: New RIG landing pages hosted in South America, Southeast Asia, and Australia, signifying an effort to increase its target demographics and potential victim pool. (SCmagazine)

  • March 2017: Distributing the CryptoMix variant, Revenge Ransomware. (BleepingComputer)

  • March 2017: In a possible distribution test, compromised sites are directing victims to the RIG EK that then identifies vulnerabilities it can use to deliver the new PyCL Ransomware. (Bleeping Computer)

  • March 2017: RIG EK is distributing the Ramnit trojan in a new malware campaign, dubbed “Seamless.” The cybercriminals compromise websites and inject malicious iframes that attempt to deliver the malware. (Cisco)

  • April 2017: RIG EK is distributing the new Matrix ransomware targeting Windows operating systems. (Bleeping Computer)

  • April 2017: RIG-V is distributing the Moker trojan. (MalwareBytes)

  • May 2017: Multiple malvertising campaigns deliver the RIG EK, which distributes LatentBot, Philadelphia ransomware, and the Pony and Ramnit trojans. (MalwareBreakdown)

  • June 2017: RIG operators have suffered a major setback as tens of thousands of shadow domains were shut down and removed from the RIG EK infrastructure following a joint operation involving various industry leaders, dubbed "Shadowfall." (BleepingComputer)

  • June 2017: RIG EK usage declines as browser security has improved. (BleepingComputer)

  • July 2017: French domain registrar Gandi had 751 domains hijacked and DNS records changed to redirect traffic to websites hosting the RIG and Neutrino EKs. (BleepingComputer)

  • October 2017: RIG is distributing the Matrix ransomware. (Bleeping Computer)

  • December 2017: Seamless campaign serves RIG EK via Punycode. (Malwarebytes)

  • January 2018: RIG EK delivering malicious cryptocurrency mining payloads. (Malwarebytes)

  • January 2018: GandCrab being distributed through the RIG exploit kit. (BleepingComputer)

  • January 2018: RIG EK is delivering the Ramnit trojan and the AZORult malware. (Malware-Traffic-Analysis)

  • February 2018: RIG EK Delivers Ramnit trojan in Seamless campaign. (Malware-Traffic-Analysis)

  • February 2018: RIG EK malvertising campaign uses cryptocurrency theme as decoy. (Malwarebytes)

  • May 2018: RIG Exploit Kit Delivering Grobios Trojan. (Trend Micro)

  • June 2018: RIG Exploit Kit using CVE-2018-8174 to deliver XMRig Monero miner. (Trend Micro)

  • July 2018: RIG is delivering a Monero miner via the PROPagate injection technique. (FireEye)

  • August 2018: RIG is distributing the CeidPageLock Chinese rootkit. (Check Point)

  • June 2019: The RIG exploit kit is now infecting victims' computers with a new ransomware variant called Buran. This ransomware is a variant of the Vega ransomware that was previously distributed through Russian malvertising campaigns. (Bleeping Computer)

  • July 2019: RIG Exploit Kit has been observed distributing ERIS Ransomware through a malvertising campaign. This technique was also discovered by researchers in June 2019 distributing payloads of Sodinokibi Ransomware. (Bleeping Computer 1, 2)

  • August 2019: RIG is targeting users searching for security software on the internet. Some of the search results lead to downloadable tools that contain malware and redirect the user through ad networks; eventually a request is sent to X-Adblock-Key to obtain an API key, which allows the ads to bypass most popular ad blockers, further infecting the end user's operating system. (Koddos)
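
The Seamless entries in the timeline above describe compromised sites carrying injected iframes that redirect visitors toward the RIG landing page, later served from Punycode (xn--) host names. The following Python is an added example, not code from this page or from any of the vendors cited, showing how an analyst might triage a saved copy of a compromised page for such frames: it flags concealed or tiny cross-origin iframes and any iframe whose host is an internationalized (xn--) name, decoding the latter so the look-alike is visible. The page URL, host names and HTML below are constructed for the example and are not real campaign indicators.

```python
"""Flag iframes that look injected (a Seamless-style redirect to an exploit
kit landing page) rather than being ordinary embeds.  Example code only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(dimension):
    """True for width/height attributes of 0 or 1 (unitless or px)."""
    match = re.match(r"\s*(\d+)", dimension or "")
    return match is not None and int(match.group(1)) <= 1


def is_punycode_host(host):
    """True if any DNS label of `host` is in Punycode (ACE, 'xn--') form."""
    return any(label.lower().startswith("xn--") for label in host.split("."))


def decode_idna(host):
    """Render an xn-- host name in its Unicode form; fall back to the raw name."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def scan_html(page_url, html):
    """Return the iframes in `html` that look injected, with the reasons why."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = attrs.get("style", "").replace(" ", "").lower()

        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))
        cross_origin = bool(host) and host != page_host
        punycode = is_punycode_host(host)

        reasons = []
        if hidden:
            reasons.append("hidden by inline CSS")
        if tiny:
            reasons.append("zero- or one-pixel frame")
        if cross_origin:
            reasons.append("third-party origin")
        if punycode:
            reasons.append("punycode host, decodes to %r" % decode_idna(host))

        # A visible, normally sized cross-origin frame is what a video or ad
        # embed looks like, so report only concealed/tiny cross-origin frames
        # and anything served from an internationalized (xn--) host.
        if punycode or (cross_origin and (hidden or tiny)):
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# ---- Constructed sample input (not real campaign data) ----------------------
# A look-alike host built from Cyrillic letters, in the xn-- form a browser
# puts on the wire.  Both hosts and the page below are made up for the example.
LOOKALIKE_HOST = "\u0440\u0430\u0443\u0440\u0430l.test"  # Cyrillic р,а,у,р,а + Latin l
LOOKALIKE_HOST_ACE = LOOKALIKE_HOST.encode("idna").decode("ascii")

SAMPLE_PAGE_URL = "http://www.compromised-blog.test/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.compromised-blog.test/contact.html" width="600" height="400"></iframe>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://%s/index.php" width="1" height="1" style="display: none"></iframe>
<iframe src="http://redirector.attacker.test/r.php" width="0" height="0"></iframe>
</body></html>
""" % LOOKALIKE_HOST_ACE


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["src"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed page, the same-origin contact frame and the normally sized video embed pass, while the one-pixel hidden frame on the xn-- host and the 0x0 frame on the third-party redirector are reported. The cross-origin test is deliberately weak on its own, since ad and video embeds are cross-origin by nature; it only contributes when combined with concealment, which is the pattern the Seamless reporting describes.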

Technical Details

  • February 2017: A security researcher at RSA provides technical details on the RIG EK, available here.

One example of the RIG EK back-end infrastructure. Image source: SCMagazine