The Rig exploit kit, once used almost exclusively to deliver ransomware, is now not only no longer delivering that malware but has experienced a 96 percent reduction in overall usage.
This according to a study from Palo Alto Network’s researcher Brad Duncan who used Autofocus to search for items tagged RigEKFlashContainer to check on the change in Rig’s usage from January 2018 to Janouary 2018. He found that last year there were 812 hits on Rig with just 65 in 2018.
He cited several reasons for the decline in EK usage, primarily better browser protection and the arrest of several criminal gangs that favored Rig. These cybercriminals have also turned to using social engineering, tech support scams and fake browser plugins to spread their malware instead of Rig.
Those individuals and groups who just can’t stop using Rig have decided that pushing ransomware is no longer the best way to utilize the kit.
“Campaigns using Rig EK have mostly forsaken ransomware and now focus more on coin miners,” Duncan said, adding a few instances of Rig being used to place the Bunitu proxy trojan, Ngay RAT and Ramnit banking trojan were also spotted during January.
How strongly threat actors have turned toward cryptomining can be in another Autofocus search Duncan conducted. A search for various coin miners that were distributed this January found 65,512 samples, compared to just 2,368 last year at the same time.