SolidBit Ransomware Group Actively Recruiting Affiliates

Summary

CloudSEK discovered a threat actor group named SolidBit, offering RaaS (Ransom-as-a-Service) on an underground forum. The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit.
Category: Adversary Intelligence Industry: Multiple Motivation: Financial Region: North America Source*: A1

Executive Summary

THREAT IMPACT MITIGATION
  • SolidBit ransomware group actively advertising RaaS and looking to recruit new affiliates.
  • 20% of the earned profit will be paid to the affiliate for infecting private servers.
  • Increased ransomware attacks on companies.
  • Exposure of sensitive data upon the inability to pay the demanded ransom.
  • The compromised data could reveal business practices & IP.
  • Update and patch infrastructure fulcrum including servers, computer systems, etc.
  • Audit and monitor event and incident logs to identify unusual patterns and behavior.

Analysis and Attribution

Information from the Post

  • On 30 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named SolidBit, offering RaaS (Ransom-as-a-Service) on an underground forum.
  • The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit.
  • The actor is willing to pay 20% of the cut/ransom to their partners.
  • The post also contained sample images of the following:
    • GUI of the ransomware on the client side
    • Ransom note that the client received
Threat actor looking for affiliates on underground forum
Threat actor looking for affiliates on an underground forum
 

Information from OSINT

  • SolidBit Ransomware is said to be a copycat of LockBit ransomware.
  • Upon further investigation, CloudSEK’s Researchers found a malware analyst, who posted a sample of the ransomware on 27 June 2022 and some other samples on 11 July 2022.
  • Another post was observed on Twitter, sharing the link to a GitHub repository, created by a user named L0veRust, containing an application used to deliver the ransomware.

Information from the Sample

From the sample, posted by the malware analyst, the following details were uncovered:
  • The SolidBit ransomware is executed after downloading some malicious applications.
  • A text file called RESTORE~MY-FILES.txt pops open, which describes the basic steps on how to decrypt your infected files by paying the ransom.
  • The text file contains the decryption ID as well as the login page for the ransomware website.
  • Upon logging in, the user is directed to the homepage of the ransomware website.
  • The website provides the following two features:
    • Chat with support - possibly to chat with the threat actor(s)
    • Trial decryption - to decrypt any file less than 1MB
  • The samples did not contain any communication screenshots, however, it is possible that direct communication with the threat actors is possible via the chat system.

Information from the Twitter Post

The following information was obtained from the GitHub repository shared on Twitter:
  • The repository was created by a user named L0veRust.
  • Another repository was found cloned with the original repository, by the name Rust_Lover.
  • Upon extracting the repository and executing the application, all the files are encrypted with a .solibit extension and the SolidBit ransomware pop-up appears, containing the ransom note.

Code Analysis

  • The following extensions are employed by the ransomware to stop any scheduled scans and bypass the real-time scanning of multiple folders and files by the Windows Defender:
    • %UserProfile%
    • %AppData%,
    • %Temp%,
    • %SystemRoot%,
    • %HomeDrive%,
    • %SystemDrive%
    • .exe
    • .dll
  • The program disables the above file scans by using the following command:
md /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit;
  • After the application successfully bypasses the windows defender and blocks other applications, the SolidBit popup can be seen and all the files now are encrypted with the extension .SolidBit
The SolidBit Ransomware UI pops up after encrypting files
The SolidBit Ransomware UI pops up after encrypting files
 

Indicators of Compromise (IoCs)

Based on the research of ransomware, these are some of the IoCs:
MD5
ee04ab5fd2ae9301bb9992922e70128f
SHA-1
69de79431f339d81daba44cf30b945fe67875140
SHA-256
eeb0a884d4eabc4f8811ecaa3e37acc8156c52b60a89537c5498df4c0e0c21f7 EDD16F42DE6B9532EEA970C0F5F646CDD5A0B9C4048B2D3A155953DD5C5F5418
Domains
solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion.ly
File names
C:\Users\admin\AppData\Roaming\SolidBit.exe C:\Users\admin\Desktop\RESTORE-MY-FILES.txt
C:\Users\admin\AppData\Local\Temp\SolidBit.exe

Impact & Mitigation

Impact Mitigation
  • Financial loss as a result of operations being shut down and/or in ransom.
  • Damage to the company's reputation.
  • If the encrypted system contains critical data which is not backed up, the victim will be left with no option but to pay the ransom.
  • If the ransom is not paid the group could sell the victim’s data on their PR site or on the dark web.
  • The exposed details could reveal business practices and intellectual property.
  • Audit and monitor event and incident logs to identify unusual patterns and behaviors.
  • Enables tools and applications that prevent malicious programs from being executed.
  • Enforce data protection, backup, and recovery measures.
  • Update and patch infrastructure fulcrum such as servers, computer systems, etc.

References

Appendix

Contents of RESTORE-MY-FILES.txt
Contents of RESTORE-MY-FILES.txt
 
All the files being encrypted and having the extension .SolidBit
All the files being encrypted and having the extension .SolidBit
 
Login page for SolidBit ransomware (link provided on the notepad file)
Login page for SolidBit ransomware (link provided on the notepad file)
 
Login page for SolidBit website after logging in with the correct decryption id.
Login page for SolidBit website after logging in with the correct decryption id.
 
SolidBit sample posted by Malware Analyst on Twitter
SolidBit sample posted by Malware Analyst on Twitter
 
Malicious application on Github containing SolidBit ransomware.
Malicious application on Github containing SolidBit ransomware.
 

Table of Contents

Request an easy and customized demo for free