RIG exploit kit has been detected to spread ERIS ransomware. This means that the infection vector is based simply on visiting a compromised website which downloads the malicious payload on victims’ computers.
It is worth noting that the same exploit kit was used in June to distribute Buran ransomware, which is a version of Vega (VegaLocker) ransomware. A security researcher known as nao_sec was the first to notice a malvertising campaign redirecting users to the RIG EK, which dropped the Buran ransomware on infected systems.
As for Eris ransomware, it was detected in May this year by Michael Gillespie when it was submitted to the ID Ransomware site. The ransomware was recently observed by security researcher nao_sec being spread by RIG exploit kit in a malvertising campaign, meaning that its infection numbers are very likely to increase.
Malvertising Campaign Using RIG EK Spreads ERIS Ransomware
According to nao_sec’s recent observations, there is a malvertising campaign utilizing the Popcash ad network which redirects users to the RIG exploit kit. Later down the infection chain, the attack will try to exploit a Shockwave browser vulnerability. In case of a successful exploit, ERIS ransomware is downloaded onto victims’ computers.
ERIS ransomware, also known as the .ERIS Files Virus, encrypts users’ files and drops a ransom note called @ READ ME TO RECOVER FILES @.txt. You can see the note below:
*** READ THIS FILE CAREFULLY TO RECOVERY YOUR FILES ***
ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY “ERIS RANSOMWARE”!
USING STRONG ENCRYPTION ALGORITHM.
Every your files encrypted with unique strong key using “Salsa20” encryption algorithm:
Which is protected by RSA-1024 encryption algorithm:
shadow copy, F8 or recuva and other recovery softwares cannot help you, but cause Irreparable damage to your files!
Technically no way to restore your files without our help.
we only accept cryptocurrency Bitcoin (BTC) as payment method! for cost of decryption service.
For speed and easily, please use localbitcoins website to purchase Bitcoin:
* WE OFFER YOU 1 FREE FILE DECRYPTION (<1024 KB) WITHOUT ANY COST! TO TRUST OUR HONESTY BEFORE PAYMENT.
THE SIMPLE FILES MUST NOT BE ARCHIVED!
* YOUR SPECIAL DECRYPTION PRICE IS $825 IN Bitcoin!
-----BEGIN ERIS IDENTIFICATION-----
[redacted 0x48A bytes in base64]
-----END ERIS IDENTIFICATION-----
===========================================================================================================
(Decryption Instructions)
1. Send your "ERIS IDENTIFICATION" with one simple of your encrypted files (<1024 KB) to our email address: firstname.lastname@example.org
2. Wait for reply from us. (usually in some hour)
3. Confirm your simple files are decrypted correct and ask us how to pay to decrypt all your files.
4. We will send you payment instructions in Bitcoin.
5. You made payment and send us TXID of Bitcoin transfer.
6. After we confirm the payment, you will soon get decryption package and everything back to normal.
* IN CASE OF FOLLOWING OUR INSTRUCTION, FAST AND EASILY EVERYTHING IS BACK TO NORMAL LIKE THAT NEVER HAPPENED!
BUT IF YOU USE OTHER METHODS (THAT NEVER EVER HELPS) YOU JUST DESTROY EVERYTHING FOR GOODNESS!
BE A SMART AND SAVE YOUR FILES! NOT A FOOL!
===========================================================================================================
===============================
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT MOVE ENCRYPTED FILES
* DO NOT USE RECOVERY SOFTWARES
===============================
=============================================================================================
(Frequently Asked Questions)
Q: I can not pay for it, what I do now?
A: Format your hard disk, re-install your softwares and start everything from begin!
Q: What a guarantee I can recovery my files after payment?
A: There is no any reason for us to do not give you decryption software and your special key. The only our goal is help you not hurt!
=============================================================================================
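The two file-system artefacts the article names, the .ERIS extension appended to encrypted files and the ransom-note filename @ READ ME TO RECOVER FILES @.txt, are exactly the kind of indicators a detection engineer turns into a rule. The script below is an added example written for this page; it is not code from the article, from nao_sec, or from any vendor. It assumes a hypothetical file-event log format (timestamp, host, process, action, path) and uses constructed sample lines; the rename threshold and time window are tuning values chosen here, not figures from the article. It flags a host when the ransom note is created, and separately when one process renames a burst of files to .ERIS within a short window, which catches the encryption run even before the note is written.

```python
"""Added example: flag ERIS ransomware indicators in file-event logs."""
import re
from collections import defaultdict

# Indicators named in the article (compared case-insensitively).
ERIS_EXTENSION = ".eris"
ERIS_NOTE_NAME = "@ read me to recover files @.txt"

# Constructed sample log lines in a hypothetical format:
#   <unix_ts> <host> <process> <create|rename> <path>
# WS01 shows an encryption burst followed by the note; WS02 and WS03 are benign noise.
SAMPLE_LOG = """\
1562332800 WS01 explorer.exe create C:\\Users\\bob\\Documents\\budget.xlsx
1562332810 WS01 svchost.exe rename C:\\Users\\bob\\Documents\\budget.xlsx.ERIS
1562332811 WS01 svchost.exe rename C:\\Users\\bob\\Documents\\notes.docx.ERIS
1562332812 WS01 svchost.exe rename C:\\Users\\bob\\Pictures\\cat.jpg.ERIS
1562332813 WS01 svchost.exe rename C:\\Users\\bob\\Pictures\\dog.jpg.ERIS
1562332814 WS01 svchost.exe rename C:\\Users\\bob\\Desktop\\todo.txt.ERIS
1562332815 WS01 svchost.exe create C:\\Users\\bob\\Desktop\\@ READ ME TO RECOVER FILES @.txt
1562332900 WS02 backup.exe rename D:\\archive\\report.pdf.bak
1562333000 WS03 user.exe rename C:\\Users\\ann\\single.ERIS
"""


def parse_event(line):
    """Split one log line into (ts, host, process, action, path).

    The path is the final field and may contain spaces, so split at most 4 times.
    """
    ts, host, process, action, path = line.split(None, 4)
    return int(ts), host, process, action, path


def basename(path):
    """Return the last path component, accepting either separator."""
    return re.split(r"[\\/]", path)[-1]


def detect_eris_activity(log_text, rename_threshold=5, window_seconds=60):
    """Return {host: [indicator, ...]} for hosts showing ERIS file-system artefacts.

    Two independent signals are emitted:
      * the ransom note being created (high confidence, but appears late), and
      * a single process renaming >= rename_threshold files to .ERIS within
        window_seconds (catches the encryption run as it happens).
    """
    findings = defaultdict(set)
    renames = defaultdict(list)  # (host, process) -> timestamps of .ERIS renames

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, process, action, path = parse_event(line)
        name = basename(path).lower()
        if name == ERIS_NOTE_NAME:
            findings[host].add("ransom note dropped")
        if action == "rename" and name.endswith(ERIS_EXTENSION):
            renames[(host, process)].append(ts)

    # Sliding window over each process's rename timestamps.
    for (host, process), stamps in renames.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            if end - start + 1 >= rename_threshold:
                findings[host].add(
                    f"{process} renamed {rename_threshold}+ files to .ERIS "
                    f"within {window_seconds}s"
                )
                break

    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in detect_eris_activity(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

The rename-burst rule is the one worth tuning against your own telemetry: a single .ERIS rename (WS03 above) is not flagged, because one stray file is far more likely to be noise than a low-volume encryptor, while five renames by one process inside a minute is rarely benign.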
About a year ago, in June 2018, attackers were compromising websites to inject a malicious script that redirected potential victims to landing pages belonging to RIG. Back then, security researchers observed Rig implementing a cryptocurrency miner as the final payload of the operation.
According to Trend Micro, RIG operators had added a particular vulnerability to their exploit arsenal – CVE-2018-8174. The vulnerability affects systems running Windows 7 and later, and it can be exploited through Internet Explorer or Microsoft Office documents that invoke the vulnerable script engine.
By the looks of it, cybercriminals will continue to utilize RIG exploit kit in various campaigns spreading ransomware, cryptocurrency miners and other malware.