SolidBit Ransomware Group Actively Recruiting Affiliates
August 12, 2022
Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: North America
Source*: A1
Executive Summary
Threat:
SolidBit ransomware group is actively advertising RaaS and looking to recruit new affiliates.
20% of the earned profit will be paid to the affiliate for infecting private servers.
Impact:
Increased ransomware attacks on companies.
Exposure of sensitive data if the demanded ransom cannot be paid.
The compromised data could reveal business practices and IP.
Mitigation:
Update and patch key infrastructure, including servers and computer systems.
Audit and monitor event and incident logs to identify unusual patterns and behavior.
Analysis and Attribution
Information from the Post
On 30 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named SolidBit offering RaaS (Ransomware-as-a-Service) on an underground forum.
The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit.
The actor is willing to pay 20% of the cut/ransom to their partners.
The post also contained sample images of the following:
GUI of the ransomware on the client side
Ransom note that the client received
Threat actor looking for affiliates on an underground forum
Information from OSINT
SolidBit Ransomware is said to be a copycat of LockBit ransomware.
Upon further investigation, CloudSEK’s researchers found a malware analyst who posted a sample of the ransomware on 27 June 2022 and further samples on 11 July 2022.
Another post was observed on Twitter, sharing the link to a GitHub repository, created by a user named L0veRust, containing an application used to deliver the ransomware.
Information from the Sample
From the sample, posted by the malware analyst, the following details were uncovered:
The SolidBit ransomware is executed after downloading some malicious applications.
A text file called RESTORE~MY-FILES.txt pops open, describing the basic steps for decrypting the encrypted files by paying the ransom.
The text file contains the decryption ID as well as the login page for the ransomware website.
Upon logging in, the user is directed to the homepage of the ransomware website.
The website provides the following two features:
Chat with support – possibly to chat with the threat actor(s)
Trial decryption – to decrypt any file less than 1MB
The samples did not contain any communication screenshots; however, direct communication with the threat actors is likely possible via the chat system.
Information from the Twitter Post
The following information was obtained from the GitHub repository shared on Twitter:
The repository was created by a user named L0veRust.
Another repository, named Rust_Lover, was found to be a clone of the original repository.
Upon extracting the repository and executing the application, all the files are encrypted with a .solibit extension and the SolidBit ransomware pop-up appears, containing the ransom note.
Code Analysis
The ransomware adds the following paths and file extensions as Windows Defender exclusions, stopping scheduled scans and bypassing real-time scanning of those folders and files:
%UserProfile%
%AppData%
%Temp%
%SystemRoot%
%HomeDrive%
%SystemDrive%
.exe
.dll
The program disables the above file scans by using the following command:
After the application has bypassed Windows Defender and blocked other applications, the SolidBit popup appears and all files are encrypted with the extension .SolidBit.
The SolidBit Ransomware UI pops up after encrypting files
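Because the sample's first step is to carve the paths and extensions listed above out of Windows Defender's scan scope, a defender can check a host for exactly those exclusions and for recent Defender configuration changes. The following PowerShell script is an added example written for this page, not code from CloudSEK or from the SolidBit sample; it uses the real Get-MpPreference, Remove-MpPreference and Get-WinEvent cmdlets, while the 24-hour window, the Event ID 5007 filter and the function names are the example's own assumptions.

```powershell
# Added example (not from the CloudSEK report or the SolidBit sample): audit
# Microsoft Defender exclusions for the broad path and extension entries the
# report attributes to SolidBit, and surface recent Defender configuration
# changes. Run in an elevated PowerShell session on the host being checked.

# Paths and extensions the report says the ransomware excludes from scanning.
$SuspiciousPaths = @('%UserProfile%', '%AppData%', '%Temp%', '%SystemRoot%',
                     '%HomeDrive%', '%SystemDrive%')
$SuspiciousExtensions = @('exe', 'dll')

function Get-SuspiciousDefenderExclusions {
    [CmdletBinding()]
    param([switch]$Remove)   # -Remove deletes the flagged entries after listing them

    $pref = Get-MpPreference
    $findings = @()

    # Defender stores paths as entered; compare both the raw value and the
    # expanded form so '%Temp%' and 'C:\Users\<user>\AppData\Local\Temp' both match.
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        foreach ($s in $SuspiciousPaths) {
            $sExpanded = [Environment]::ExpandEnvironmentVariables($s)
            if ($p -ieq $s -or $expanded -ieq $sExpanded) {
                $findings += [pscustomobject]@{ Type = 'Path'; Value = $p }
                break
            }
        }
    }

    # Extension exclusions may be stored with or without a leading dot.
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        if ($SuspiciousExtensions -contains $e.TrimStart('.')) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e }
        }
    }

    if ($Remove -and $findings) {
        $paths = @($findings | Where-Object Type -eq 'Path' | ForEach-Object Value)
        $exts  = @($findings | Where-Object Type -eq 'Extension' | ForEach-Object Value)
        if ($paths) { Remove-MpPreference -ExclusionPath $paths }
        if ($exts)  { Remove-MpPreference -ExclusionExtension $exts }
    }
    return $findings
}

function Get-RecentDefenderConfigChanges {
    param([int]$Hours = 24)   # assumption: a one-day look-back is enough for triage
    # Event ID 5007 in the Defender operational log records platform
    # configuration changes, which is where exclusion additions land.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

$hits = Get-SuspiciousDefenderExclusions
if ($hits) {
    Write-Warning "Found $(@($hits).Count) Defender exclusion(s) matching the SolidBit pattern:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No SolidBit-style Defender exclusions present.'
}
Get-RecentDefenderConfigChanges | Format-Table -Wrap
```

Run the script as-is to list findings only; call Get-SuspiciousDefenderExclusions -Remove to strip the flagged entries once they have been confirmed as unauthorized. Exclusions for an entire %SystemDrive% or for every .exe and .dll are rarely legitimate, so any hit, together with a 5007 event that no administrator can account for, is worth escalating as a possible pre-encryption stage of this or a similar ransomware.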
Indicators of Compromise (IoCs)
Based on the research of ransomware, these are some of the IoCs: