Sodinokibi Ransomware Pushed by Malvertising and Exploit Kits


The Sodinokibi Ransomware has been found being delivered through malvertising that redirects victims to the RIG exploit kit. With exploit kits now added to its already broad set of distribution vectors, Sodinokibi can infect victims who do nothing more than visit a site serving a malicious advertisement.

Last week we discussed how Sodinokibi rapidly filled the vacuum left by GandCrab: it is being distributed through spam, server exploits, hacked sites where legitimate software downloads were replaced with the ransomware, and compromised MSP backends.

These are the same strategies GandCrab used in the past, and the growth in Sodinokibi submissions to ID-Ransomware shows how quickly it has taken hold.

Last night, exploit kit researcher nao_sec found that Sodinokibi, also known as REvil, is now also being distributed through malvertising that leads to the RIG exploit kit.


nao_sec told BleepingComputer that the campaign used advertisements on the PopCash ad network which, under certain conditions, redirected visitors to the exploit kit. In the session recording shown below, nao_sec demonstrates the exploit kit infecting a Windows computer with Sodinokibi.

With exploit kits added to its distribution arsenal, this ransomware is set to become a major player in the ransomware space.

Video: Sodinokibi Ransomware installed via Malvertising, on Vimeo.
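The chain nao_sec recorded (ad network request, a conditional redirect, the exploit kit landing page, then the dropped executable) is also what a defender can look for in web-proxy logs. The following is an added example, not code from BleepingComputer or nao_sec: it assumes a simple space-separated proxy log format (epoch seconds, client IP, method, URL, status, content type, referer), treats popcash.net as the ad network domain, and every other hostname and log line is constructed for the demo rather than a real RIG indicator.

```python
"""Spot malvertising-to-exploit-kit chains in web-proxy logs.

Added example, not code from the original article or from nao_sec.
Assumed log fields: epoch_seconds client_ip method url status content_type referer
All hostnames and log lines below are constructed; none are real RIG indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

AD_NETWORK_DOMAINS = {"popcash.net"}      # network named in the article; extend as needed
PAYLOAD_TYPES = {"application/x-msdownload", "application/x-dosexec",
                 "application/octet-stream"}   # what proxies log for a dropped .exe
WINDOW_SECONDS = 60                        # an EK chain completes in seconds


@dataclass
class Request:
    ts: int
    client: str
    url: str
    status: int
    ctype: str
    referer: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_line(line: str) -> Request:
    ts, client, _method, url, status, ctype, referer = line.split()
    return Request(int(ts), client, url, int(status), ctype, referer)


def chain_for_download(reqs, payload):
    """Return the requests from the ad call up to `payload`, or None.

    Browsers keep the original Referer across 302 hops, so Referer alone
    cannot link the hops.  Instead, take the client's requests in the
    seconds before the download and require an ad-network request
    followed by at least one 3xx redirect hop.
    """
    window = [r for r in reqs
              if payload.ts - WINDOW_SECONDS <= r.ts <= payload.ts and r is not payload]
    ad_idx = next((i for i, r in enumerate(window) if r.host in AD_NETWORK_DOMAINS), None)
    if ad_idx is None:
        return None
    hops = window[ad_idx:] + [payload]
    if not any(300 <= r.status < 400 for r in hops):
        return None
    return hops


def find_malvertising_chains(lines):
    """One finding per executable download that followed an ad-network redirect."""
    per_client = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            r = parse_line(line)
            per_client[r.client].append(r)
    findings = []
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r.ts)
        for r in reqs:
            if r.status == 200 and r.ctype in PAYLOAD_TYPES:
                hops = chain_for_download(reqs, r)
                if hops:
                    findings.append({
                        "client": client,
                        # the page the victim actually meant to visit
                        "publisher": urlparse(hops[0].referer).hostname or "-",
                        "chain": [h.url for h in hops],
                    })
    return findings


# Constructed sample log: one infected client, one benign download, one client
# that saw the ad but was not redirected (the "certain conditions" not met).
SAMPLE_LOG = [
    "1561500001 10.0.0.5 GET http://news.example/article.html 200 text/html -",
    "1561500002 10.0.0.5 GET http://popcash.net/ad/12345 302 text/html http://news.example/article.html",
    "1561500002 10.0.0.5 GET http://redir.tds.test/go?c=7 302 text/html http://news.example/article.html",
    "1561500003 10.0.0.5 GET http://landing.ek.test/index.php?x=1 200 text/html http://news.example/article.html",
    "1561500004 10.0.0.5 GET http://landing.ek.test/flash.swf 200 application/x-shockwave-flash http://landing.ek.test/index.php?x=1",
    "1561500006 10.0.0.5 GET http://landing.ek.test/payload.exe 200 application/x-msdownload http://landing.ek.test/index.php?x=1",
    "1561500010 10.0.0.7 GET http://vendor.example/update.exe 200 application/x-msdownload http://vendor.example/downloads.html",
    "1561500020 10.0.0.9 GET http://news.example/article.html 200 text/html -",
    "1561500021 10.0.0.9 GET http://popcash.net/ad/12345 200 text/html http://news.example/article.html",
]

if __name__ == "__main__":
    for f in find_malvertising_chains(SAMPLE_LOG):
        print(f["client"], "via", f["publisher"], "->", " -> ".join(f["chain"]))
```

The time window rather than the Referer header is the important design choice: a 302 hop does not change the Referer the browser sends, so the landing page and the payload both appear to come straight from the publisher's page, and only the ordering of requests exposes the ad network in between.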

As exploit kits rely on vulnerabilities in outdated software, the best defense is to install all recent security updates for Windows and to keep Flash, Java, PDF readers and browsers up to date. Running outdated, vulnerable software only exposes you to infection.

Image credit: BleepingComputer

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.