Category: Adversary Intelligence | Industry: Multiple | Motivation: Financial | Region: North America | Source*: A1
Executive Summary

THREAT
- SolidBit ransomware group actively advertising RaaS and looking to recruit new affiliates.
- 20% of the earned profit will be paid to the affiliate for infecting private servers.

IMPACT
- Increased ransomware attacks on companies.
- Exposure of sensitive data upon the inability to pay the demanded ransom.
- The compromised data could reveal business practices & IP.

MITIGATION
- Update and patch critical infrastructure, including servers, computer systems, etc.
- Audit and monitor event and incident logs to identify unusual patterns and behavior.
Analysis and Attribution
Information from the Post
- On 30 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named SolidBit, offering RaaS (Ransomware-as-a-Service) on an underground forum.
- The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit.
- The actor is willing to pay 20% of the cut/ransom to their partners.
- The post also contained sample images of the following:
- GUI of the ransomware on the client side
- Ransom note that the client received
[Figure: Threat actor looking for affiliates on an underground forum]
Information from OSINT
- SolidBit Ransomware is said to be a copycat of LockBit ransomware.
- Upon further investigation, CloudSEK’s researchers found a malware analyst who posted a sample of the ransomware on 27 June 2022 and some other samples on 11 July 2022.
- Another post was observed on Twitter, sharing the link to a GitHub repository, created by a user named L0veRust, containing an application used to deliver the ransomware.
Information from the Sample
From the sample, posted by the malware analyst, the following details were uncovered:
- The SolidBit ransomware is executed after downloading some malicious applications.
- A text file called RESTORE-MY-FILES.txt pops open, which describes the basic steps on how to decrypt your infected files by paying the ransom.
- The text file contains the decryption ID as well as the login page for the ransomware website.
- Upon logging in, the user is directed to the homepage of the ransomware website.
- The website provides the following two features:
- Chat with support - possibly to chat with the threat actor(s)
- Trial decryption - to decrypt any file less than 1MB
- The samples did not contain any communication screenshots; however, it is possible that direct communication with the threat actors takes place via the chat system.
Information from the Twitter Post
The following information was obtained from the GitHub repository shared on Twitter:
- The repository was created by a user named L0veRust.
- Another repository, by the name Rust_Lover, was found cloned from the original repository.
- Upon extracting the repository and executing the application, all the files are encrypted with a .SolidBit extension and the SolidBit ransomware pop-up appears, containing the ransom note.
Code Analysis
- The ransomware registers the following paths and file extensions as Windows Defender exclusions, which stops scheduled scans and bypasses real-time scanning of those folders and file types:
- %UserProfile%
- %AppData%
- %Temp%
- %SystemRoot%
- %HomeDrive%
- %SystemDrive%
- .exe
- .dll
- The program adds these exclusions by running the following command:
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- After the application has bypassed Windows Defender and blocked other applications, the SolidBit popup appears and all the files are encrypted with the extension .SolidBit.
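The exclusions above are the sample's defence-evasion step and are the first thing a responder should check for on a suspected host. The following script is an added defender-side example, not code from the CloudSEK report or from the SolidBit sample: it reads the current Microsoft Defender exclusions with Get-MpPreference, flags any that match the broad roots and extensions in the command above, and lists the Defender Operational log's configuration-change events (Event ID 5007) that touched exclusions. The list of risky roots is this example's assumption, taken from the command in the report; run it elevated, as the affected user, so the environment variables resolve the same way they did for the sample.

```powershell
# Added example (defender-side audit), not code from the CloudSEK report or the
# SolidBit sample. Requires an elevated PowerShell session on a host running
# Microsoft Defender Antivirus. Read-only: it reports, it does not remove.

# Assumption: these roots are the ones in the report's Add-MpPreference command,
# resolved in the context of the user the sample ran as.
$riskyRoots = @(
    $env:UserProfile, $env:AppData, $env:Temp,
    $env:SystemRoot, $env:HomeDrive, $env:SystemDrive
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
$riskyExtensions = @('exe', 'dll')

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()
    # Excluded paths: compare after stripping a trailing backslash, since
    # Add-MpPreference stores the string exactly as it was passed.
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        if ($riskyRoots -contains $p.TrimEnd('\')) {
            $findings += [pscustomobject]@{
                Type   = 'ExclusionPath'
                Value  = $p
                Reason = 'Broad root excluded from scanning'
            }
        }
    }
    # Excluded extensions: stored with or without a leading dot, any case.
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        if ($riskyExtensions -contains $e.TrimStart('.').ToLower()) {
            $findings += [pscustomobject]@{
                Type   = 'ExclusionExtension'
                Value  = $e
                Reason = 'Executable file type excluded from scanning'
            }
        }
    }
    return $findings
}

# Defender records every configuration change as Event ID 5007 in its
# Operational log; the message for an exclusion names the registry value under
# ...\Windows Defender\Exclusions\, so filtering on that word isolates them.
function Get-RecentExclusionChanges {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

$findings = Get-SuspiciousDefenderExclusions
if ($findings) {
    Write-Host "Broad Defender exclusions found:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No broad Defender exclusions found."
}

Write-Host "Exclusion-related configuration changes in the last 24 hours:"
Get-RecentExclusionChanges | Format-List

# Once a finding is confirmed as not legitimately required, the matching
# cmdlets reverse it (shown here, not executed):
#   Remove-MpPreference -ExclusionPath <path>
#   Remove-MpPreference -ExclusionExtension exe,dll
```

Two timestamps close together for Event ID 5007 (one for the paths, one for the extensions) match the two back-to-back PowerShell invocations in the sample's command and are a useful pivot when building a timeline; the same exclusions are also visible under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions if the cmdlet is unavailable on an offline image.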
[Figure: The SolidBit Ransomware UI pops up after encrypting files]
Indicators of Compromise (IoCs)
Based on the research of the ransomware, these are some of the IoCs:
MD5: ee04ab5fd2ae9301bb9992922e70128f
SHA-1: 69de79431f339d81daba44cf30b945fe67875140
SHA-256: eeb0a884d4eabc4f8811ecaa3e37acc8156c52b60a89537c5498df4c0e0c21f7
SHA-256: EDD16F42DE6B9532EEA970C0F5F646CDD5A0B9C4048B2D3A155953DD5C5F5418
Domains: solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion.ly
File names:
- C:\Users\admin\AppData\Roaming\SolidBit.exe
- C:\Users\admin\Desktop\RESTORE-MY-FILES.txt
- C:\Users\admin\AppData\Local\Temp\SolidBit.exe
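The file names, hashes and encrypted-file extension above are host-level indicators that can be swept for directly. The script below is an added example, not code from the CloudSEK report: it walks the user profiles, reports any file carrying one of the reported names, hashes it and compares against the SHA-256 and MD5 values in the table, and counts files already renamed with the .SolidBit extension. The hash values come from the IoC table; the profile root (C:\Users) and the decision to limit the sweep to profiles are this example's assumptions, and the script is read-only.

```powershell
# Added example (IoC sweep), not code from the CloudSEK report. Read-only:
# it reports matches and changes nothing on disk. Run elevated so that every
# profile under the root is readable.

# Hashes as listed in the report's IoC table (compared lower-case).
$knownSha256 = @(
    'eeb0a884d4eabc4f8811ecaa3e37acc8156c52b60a89537c5498df4c0e0c21f7',
    'edd16f42de6b9532eea970c0f5f646cdd5a0b9c4048b2d3a155953dd5c5f5418'
)
$knownMd5 = @('ee04ab5fd2ae9301bb9992922e70128f')
# File names from the IoC table; the directory is deliberately not fixed,
# since the report saw the dropper both in AppData\Roaming and in Temp.
$iocNames = @('SolidBit.exe', 'RESTORE-MY-FILES.txt')

function Find-SolidBitIndicators {
    param([string]$ProfileRoot = 'C:\Users')   # assumption: profile root
    $hits = @()

    # 1. Files carrying a reported name anywhere under the profiles.
    $named = Get-ChildItem -Path $ProfileRoot -Recurse -Force -File `
        -Include $iocNames -ErrorAction SilentlyContinue
    foreach ($f in $named) {
        $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        $hashMatch = ($sha -and ($knownSha256 -contains $sha.ToLower())) -or
                     ($md5 -and ($knownMd5 -contains $md5.ToLower()))
        # A name match alone is weaker evidence than a name plus a known hash;
        # the ransom note will never hash-match, so it is reported by name only.
        $kind = if ($hashMatch) { 'Name+Hash' } else { 'Name' }
        $hits += [pscustomobject]@{
            Indicator = $kind
            Path      = $f.FullName
            SHA256    = $sha
        }
    }

    # 2. Files already encrypted: the sample renames them with a .SolidBit
    #    extension, so their presence dates the impact even if the dropper
    #    has since been deleted.
    $encrypted = @(Get-ChildItem -Path $ProfileRoot -Recurse -Force -File `
        -Filter '*.SolidBit' -ErrorAction SilentlyContinue)
    foreach ($f in ($encrypted | Select-Object -First 20)) {
        $hits += [pscustomobject]@{ Indicator = 'EncryptedFile'; Path = $f.FullName; SHA256 = $null }
    }
    if ($encrypted.Count -gt 20) {
        $hits += [pscustomobject]@{
            Indicator = 'EncryptedFile'
            Path      = "... and $($encrypted.Count - 20) more files with a .SolidBit extension"
            SHA256    = $null
        }
    }
    return $hits
}

$results = Find-SolidBitIndicators
if ($results) {
    $results | Format-Table -AutoSize
} else {
    Write-Host "No SolidBit indicators found under C:\Users."
}
```

A name-only hit on SolidBit.exe with a hash that is not in the table is still worth preserving and submitting for analysis, since the report notes several samples were posted within two weeks and the two SHA-256 values already differ; treat the hash list as a starting point rather than an allow-list.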
Impact & Mitigation

Impact
- Financial loss as a result of operations being shut down and/or in ransom.
- Damage to the company's reputation.
- If the encrypted system contains critical data which is not backed up, the victim will be left with no option but to pay the ransom.
- If the ransom is not paid, the group could sell the victim’s data on their PR site or on the dark web.
- The exposed details could reveal business practices and intellectual property.

Mitigation
- Audit and monitor event and incident logs to identify unusual patterns and behaviors.
- Enable tools and applications that prevent malicious programs from being executed.
- Enforce data protection, backup, and recovery measures.
- Update and patch critical infrastructure such as servers, computer systems, etc.
Appendix
[Figure: Contents of RESTORE-MY-FILES.txt]
[Figure: All the files being encrypted and having the extension .SolidBit]
[Figure: Login page for SolidBit ransomware (link provided in the notepad file)]
[Figure: SolidBit website after logging in with the correct decryption ID]
[Figure: SolidBit sample posted by a malware analyst on Twitter]
[Figure: Malicious application on GitHub containing SolidBit ransomware]