[MART] - Daily Diary #566 - SolidBit Ransomware

ctas-mat at appgate.com ctas-mat at appgate.com
Wed Aug 3 21:59:56 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/03/2022 - Diary entry #566:

Today, a new ransomware variant was disclosed. Named SolidBit, it operates as RaaS (Ransomware as a Service) and is advertised on hacking forums to recruit affiliates, with the operators taking a 20% cut of the profits.

SolidBit is disseminated via fake applications uploaded to GitHub as executables, such as an account checker tool for the popular game League of Legends, and “Social Hacker” and “Instagram Follower Bot”, two programs posing as social media tools. All the executables are obfuscated and protected to make reverse engineering and analysis more difficult.

Once run, the fake application launches PowerShell commands that drop and execute the SolidBit ransomware. The same commands disable Windows Defender’s scheduled scans and add real-time scanning exclusions for certain folders and file extensions, so the payload and its working directories are never inspected.

To encrypt files, SolidBit uses 256-bit Advanced Encryption Standard (AES) encryption along with a hardcoded RSA key, which is appended to the encrypted files. It then renames each file by appending the “.SolidBit” extension. Before and during encryption, SolidBit also terminates multiple services and deletes shadow copies, removing the easiest local recovery path.
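The host-level side effects described in the two paragraphs above (Defender scheduled scans disabled, exclusions added, services stopped, shadow copies deleted, files renamed with “.SolidBit”) are what a responder can actually hunt for. The following PowerShell script is an added example, not code from the MART post or from Appgate. It checks the live Defender configuration with Get-MpPreference, scans process command lines (from Security event 4688, which only carries the command line when command-line auditing is enabled) for shadow copy deletion, service stops and Defender tampering, and looks for renamed files. The indicator lists, the sample preference object and the sample command lines are constructed assumptions for illustration.

```powershell
# Added hunting script (example code, not from the MART post or Appgate).
# Checks a Windows host for the side effects attributed to SolidBit above.
# All indicator lists and sample data below are assumptions for illustration.

# Assumed suspicious locations for a Defender exclusion (user-writable paths).
$UserWritablePaths = @('\AppData\', '\Temp\', '\Users\Public\', '\Downloads\')

# Assumed command-line patterns: shadow copy deletion, service stops,
# and Defender tampering from PowerShell. -match is case-insensitive by default.
$CommandLinePatterns = @{
    'ShadowCopyDeletion' = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete'
    'ServiceStop'        = '\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b'
    'DefenderTampering'  = '(Set|Add)-MpPreference\s+-(Exclusion|DisableRealtimeMonitoring|ScanScheduleDay)'
}

function Test-DefenderPreference {
    # Accepts the object returned by Get-MpPreference (or a constructed stand-in).
    param([Parameter(Mandatory)] $Preference)
    $findings = @()
    if ($Preference.DisableRealtimeMonitoring) { $findings += 'Real-time monitoring disabled' }
    # 8 is the "Never" value for -ScanScheduleDay in Set-MpPreference.
    if ($Preference.ScanScheduleDay -eq 8) { $findings += 'Scheduled scan set to Never' }
    foreach ($path in @($Preference.ExclusionPath)) {
        foreach ($needle in $UserWritablePaths) {
            if ($path -and $path -like "*$needle*") {
                $findings += "Exclusion on user-writable path: $path"
                break
            }
        }
    }
    foreach ($ext in @($Preference.ExclusionExtension)) {
        if ($ext -and ($ext.TrimStart('.') -in @('exe', 'dll', 'ps1', 'bat'))) {
            $findings += "Exclusion for executable extension: $ext"
        }
    }
    return $findings
}

function Test-CommandLines {
    # Matches each command line against the pattern table; returns indicator + line.
    param([Parameter(Mandatory)] [string[]] $CommandLines)
    $hits = @()
    foreach ($line in $CommandLines) {
        foreach ($name in $CommandLinePatterns.Keys) {
            if ($line -match $CommandLinePatterns[$name]) {
                $hits += [pscustomobject]@{ Indicator = $name; CommandLine = $line }
            }
        }
    }
    return $hits
}

function Find-EncryptedFiles {
    # Lists files already renamed with the extension the ransomware appends.
    param([Parameter(Mandatory)] [string] $Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.SolidBit' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

# --- Offline demonstration with constructed sample data ---
$samplePreference = [pscustomobject]@{
    DisableRealtimeMonitoring = $true
    ScanScheduleDay           = 8
    ExclusionPath             = @('C:\Users\victim\AppData\Local\Temp', 'C:\Program Files\Vendor')
    ExclusionExtension        = @('exe', 'log')
}
$sampleCommandLines = @(
    'vssadmin.exe delete shadows /all /quiet',
    'net stop MSSQLSERVER /y',
    'powershell.exe -c Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Local\Temp',
    'notepad.exe C:\Users\victim\notes.txt'
)
Test-DefenderPreference -Preference $samplePreference
Test-CommandLines -CommandLines $sampleCommandLines | Format-Table -AutoSize

# --- Live host (run elevated; 4688 carries the command line only with command-line auditing on) ---
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    Test-DefenderPreference -Preference (Get-MpPreference)
}
$liveCommandLines = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() } }
if ($liveCommandLines) { Test-CommandLines -CommandLines $liveCommandLines | Format-Table -AutoSize }
Find-EncryptedFiles -Root $env:USERPROFILE
```

Against the constructed sample the script reports the disabled real-time monitoring, the scheduled scan set to Never, the exclusion under AppData\Local\Temp and the excluded exe extension, and flags the first three command lines while ignoring the notepad line. Defender configuration changes are also logged as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is a useful cross-check when the preference object has already been cleaned up.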

The ransom note dropped by SolidBit, as well as its chat support site, resembles LockBit’s, suggesting that the operators are imitating LockBit’s operation. Moreover, SolidBit’s code is based on another .NET ransomware known as Yashma or Chaos ransomware, suggesting that SolidBit is a rebranding.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
