However, in the recent Shadowfall operation, researchers coordinated to take down much of the infrastructure behind RIG.
RIG uses domain shadowing, a technique in which attackers use compromised hosting accounts to create hidden subdomains under the domains of legitimate websites. Researchers believe that most of these accounts were accessed using login credentials phished from customers of the GoDaddy hosting service.
During the takedown operation, researchers saw upwards of 450 malicious subdomains being created every day, which shows the rapid rate at which the infrastructure behind these campaigns shifts to avoid detection.
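From the defender's side, the observable footprint of domain shadowing is exactly what the paragraph above describes: subdomains that the zone owner never created, appearing in DNS traffic in bursts. The following Python script is an added example, not code from ThreatSTOP or from the Shadowfall researchers. It assumes a resolver log in a constructed `timestamp fqdn` format and a constructed inventory of the subdomains each monitored domain legitimately has; it flags monitored domains that show unexpected labels and counts how many new labels turn up per day, the rate the researchers used to gauge how fast the infrastructure was churning.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (timestamp, queried name); not real data.
SAMPLE_LOG = """\
2017-06-01T10:00:01 www.example-shop.test
2017-06-01T10:00:05 mail.example-shop.test
2017-06-01T10:01:10 x7k2q.example-shop.test
2017-06-01T10:01:12 p9zz1.example-shop.test
2017-06-01T10:01:15 a1b2c.example-shop.test
2017-06-01T10:02:00 www.example-news.test
2017-06-01T10:02:30 blog.example-news.test
"""

# Constructed inventory: the subdomains each zone owner actually created.
# In practice this comes from the registrar/DNS host's zone export.
KNOWN_GOOD = {
    "example-shop.test": {"www", "mail"},
    "example-news.test": {"www", "blog"},
}


def registered_domain(fqdn):
    """Return the last two labels. This is a naive split; a real deployment
    should use the Public Suffix List so that names like example.co.uk
    are handled correctly."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_label(fqdn):
    """Everything in front of the registered domain, or '' for the apex."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def parse_log(text):
    """Parse 'ISO-timestamp fqdn' lines into (datetime, fqdn) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, fqdn = line.split(maxsplit=1)
        records.append((datetime.fromisoformat(ts), fqdn.lower()))
    return records


def find_shadow_candidates(records, known_good, threshold=2):
    """Group queried names by registered domain and report monitored domains
    that show at least `threshold` subdomain labels absent from the owner's
    inventory. Domains not in known_good are ignored: without an inventory
    there is nothing to compare against."""
    unseen = defaultdict(set)
    for _, fqdn in records:
        domain = registered_domain(fqdn)
        if domain not in known_good:
            continue
        label = subdomain_label(fqdn)
        if label and label not in known_good[domain]:
            unseen[domain].add(label)
    return {d: sorted(ls) for d, ls in unseen.items() if len(ls) >= threshold}


def daily_unseen_counts(records, known_good):
    """Count first sightings of unexpected labels per (domain, day). A sudden
    jump in this number for a normally static zone is the signal that a
    hosting account may have been taken over."""
    seen = defaultdict(set)
    counts = defaultdict(int)
    for ts, fqdn in sorted(records):
        domain = registered_domain(fqdn)
        if domain not in known_good:
            continue
        label = subdomain_label(fqdn)
        if not label or label in known_good[domain] or label in seen[domain]:
            continue
        seen[domain].add(label)
        counts[(domain, ts.date().isoformat())] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for domain, labels in find_shadow_candidates(records, KNOWN_GOOD).items():
        print(f"{domain}: {len(labels)} unexpected subdomains -> {', '.join(labels)}")
    for (domain, day), n in daily_unseen_counts(records, KNOWN_GOOD).items():
        print(f"{domain} on {day}: {n} new subdomains")
```

The inventory comparison is the part that matters: a shadowed subdomain resolves to an attacker-controlled address, but the registered domain itself has a good reputation, so reputation alone does not catch it. Feeding the flagged labels into a blocklist or a DNS firewall policy is the natural next step.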
Once this step is complete, the exploit kit will download malware such as Trojans and ransomware onto the victim's computer for execution.
Though this operation was successful in removing tens of thousands of shadow domains, it remains to be seen if RIG will still maintain its popularity.
Enabling the TSCritical and Drive By targets in policies for the ThreatSTOP DNS and IP Firewall Services protects against exploit kits like the RIG EK. If you do not have a ThreatSTOP account, for a free trial.