| Category | Industry | Motivation | Region | Source* |
| --- | --- | --- | --- | --- |
| Adversary Intelligence | Multiple | Financial | North America | A1 |
- On 30 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named SolidBit offering RaaS (Ransomware-as-a-Service) on an underground forum.
- The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit.
- The actor is willing to pay partners a 20% cut of each ransom.
- The post also contained sample images of the following:
  - GUI of the ransomware on the client side
  - Ransom note received by the client
- SolidBit Ransomware is said to be a copycat of LockBit ransomware.
- Upon further investigation, CloudSEK’s researchers found a malware analyst who had posted a sample of the ransomware on 27 June 2022 and further samples on 11 July 2022.
- Another post was observed on Twitter sharing the link to a GitHub repository, created by a user named L0veRust, that contained an application used to deliver the ransomware.
- The SolidBit ransomware executes after the victim downloads and runs the malicious applications.
- A text file called RESTORE~MY-FILES.txt then opens, describing the basic steps for decrypting the infected files by paying the ransom.
- The text file contains the decryption ID as well as the login page for the ransomware website.
- Upon logging in, the user is directed to the homepage of the ransomware website.
- The website provides the following two features:
  - Chat with support - possibly to chat with the threat actor(s)
  - Trial decryption - to decrypt any file smaller than 1 MB
- The samples did not contain any communication screenshots; however, the chat feature suggests that direct communication with the threat actors is possible.
- The repository was created by a user named L0veRust.
- Another repository, under the name Rust_Lover, was found to be a clone of the original.
- Upon extracting the repository and executing the application, all files are encrypted with a .SolidBit extension and the SolidBit ransomware pop-up appears, containing the ransom note.
- The ransomware adds Windows Defender exclusions for the user profile, AppData, Temp, SystemRoot, HomeDrive and SystemDrive paths and for the exe and dll extensions, so that scheduled scans and real-time scanning skip its files. It does so with the following command (the leading `c` of `cmd` was lost in extraction):

```
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit;
```
- After the application has bypassed Windows Defender and blocked other applications, the SolidBit pop-up appears and all files are encrypted with the extension .SolidBit.
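The Defender exclusion command above is a detection opportunity in its own right. The following added example (not part of the CloudSEK report or of SolidBit) scores process command lines for `Add-MpPreference` exclusion tampering, rating the SolidBit pattern (broad environment roots plus executable extensions) as high; the sample log lines are constructed, and the list of risky extensions beyond exe/dll is an assumption.

```python
"""Score Windows Defender exclusion tampering of the kind SolidBit uses.
Added example, not from the CloudSEK report. Sample command lines are
constructed; the first reproduces the command quoted in the report."""
import re
from dataclasses import dataclass
from typing import Optional

# Environment roots whose wholesale exclusion blinds scanning almost
# everywhere a dropper can write; legitimate exclusions are rarely this broad.
BROAD_ROOTS = {"userprofile", "appdata", "temp", "systemroot", "homedrive", "systemdrive"}
# Assumed set of extensions whose exclusion lets payloads run unscanned.
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "bat", "scr"}

@dataclass
class Finding:
    broad_paths: list
    risky_exts: list

    def severity(self) -> str:
        if self.broad_paths and self.risky_exts:
            return "high"    # broad roots AND executable types: the SolidBit pattern
        if self.broad_paths or self.risky_exts:
            return "medium"
        return "low"         # an exclusion was added, but narrowly scoped

def _arg_value(segment: str, param: str) -> str:
    """Return the text passed to -<param>, up to the next -Parameter or end."""
    m = re.search(rf"-{param}\s+(.*?)(?=\s-\w|$)", segment, re.I)
    return m.group(1) if m else ""

def triage(command_line: str) -> Optional[Finding]:
    """Aggregate every Add-MpPreference call chained in one command line."""
    broad, risky, seen = [], [], False
    for segment in re.split(r"[;&]+", command_line):   # cmd chains with & and ;
        if not re.search(r"add-mppreference\b", segment, re.I):
            continue
        seen = True
        paths = _arg_value(segment, "ExclusionPath")
        exts = _arg_value(segment, "ExclusionExtension")
        broad += [e.lower() for e in re.findall(r"\$env:(\w+)", paths) if e.lower() in BROAD_ROOTS]
        risky += [x.lower() for x in re.findall(r"[A-Za-z0-9]+", exts) if x.lower() in RISKY_EXTENSIONS]
    return Finding(broad, risky) if seen else None

# Constructed process-creation command lines: SolidBit, a narrow admin exclusion, a read-only query.
SAMPLES = [
    "cmd /c powershell -Command \"Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force\" & powershell -Command \"Add-MpPreference -ExclusionExtension @('exe','dll') -Force\" & exit;",
    "powershell -Command \"Add-MpPreference -ExclusionPath C:\\Builds\\agent -Force\"",
    "powershell -Command \"Get-MpPreference\"",
]
```

Feeding the three samples to `triage` yields high, low and no finding respectively; in practice the input would be the CommandLine field of Event ID 4688 or the ScriptBlockText of Event ID 4104.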
- \* Intelligence source and information reliability (Wikipedia)
- \# Traffic Light Protocol (Wikipedia)
- SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant (trendmicro.com)