Rewterz Threat Alert – Sodinokibi Ransomware Targeting Asia via the RIG Exploit Kit

Tuesday, November 12, 2019



Analysis Summary

A new malvertising campaign being used on low quality web games and blogs is redirecting Asian victims to the RIG exploit kit, which is then quietly installing the Sodinokibi Ransomware. This new malvertising campaign is targeting Internet Explorer users from Vietnam, Korea, Malaysia and possibly other Asian countries. When browsing the web, the malvertising campaign will redirect users to a RIG exploit kit gateway that will attempt to exploit Flash vulnerabilities in the browser. If successful, a user will see Internet Explorer begin to crash and various alerts from the Windows Script Host as shown below.

RIG Exploit kit in Internet Explorer

This is because the exploit kit will execute a JScript command that downloads an obfuscated VBScript script. This VBScript will then download and install the Sodinokibi Ransomware, also known as REvil, on the victim’s computer. Once executed, the ransomware will begin to encrypt the victim’s files. As the exploit kit will install the ransomware without the user’s knowledge, other than the suspicious Internet Explorer crash, most users will not know they are infected until the ransomware has finished. They will then notice that they are unable to access their documents and that their desktop wallpaper has been changed to instructions telling the victim to open the ransom note.

REvil/Sodinokibi  Ransom Note

Users are advised to restore from backups if at all possible rather than paying the ransom.


Files Encryption

Indicators of Compromise

Domain Name

  • palmecophilippines[.]com
  • sppdstats[.]com
  • kryptos72[.]com
  • ruggestar[.]ch
  • vedsegaard[.]dk


  • e9075f6bb4802b4cb56eec65f2899d67
  • 610c9c5f0686dfc0fcd6d68778ce5025


  • fba829759d359dea91db09ac8b4674237d8dbc57ec8b76a3ebf227da9ae96535
  • e7f9c0229c0874c069c2f3dcf237e1ee334ac4f9bc955be8146d07941ff35790


  • 4c7da5878b1a233b46f5e80f748b57dba5c8d8f0
  • 3d241b2c1b201205761ce10b381727b0c7fbc24a

Source IP

  • 74[.]220.215[.]214
  • 141[.]98.199[.]99
  • 35[.]204.114[.]36
  • 92[.]43.216[.]137
  • 34[.]76.93[.]122
  • 195[.]249.40[.]199


  • Block the threat indicators at their respective controls.
  • Do not click on random ads during web browsing.
  • Have the latest Windows updates installed, programs updated, and web applications upgraded.
  • Use latest secure browsers only.

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 17, February 2020 Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware
  • 20, January 2020 Rewterz Threat Alert – Iranian APT Group “MuddyWater” Resurfaces
  • 20, January 2020 Rewterz Threat Alert – STOP (djvu) Ransomware Actively Spread
  • 20, January 2020 Rewterz Threat Advisory – Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Copyright © Rewterz. All rights reserved.