RIG EK is one of the less sophisticated EKs due to its use of older exploits. The redirection mechanism from compromised sites or malvertising to RIG is either done server side (302 redirects) or client side (iframe, JavaScript). Different malware campaigns may represent different customers of the exploit kit (which can explain the various malware payloads), or the same individual diversifying his operations for redundancy purposes. One surprise with the samples we collected below is the absence of ransomware, a payload that is usually very prevalent with other exploit kits.”]

