SolidBit Ransomware Group Recruiting New Affiliates on Dark Web

A threat actor group named SolidBit is actively advertising Ransomware-as-a-Service (RaaS) and looking to recruit new affiliates on dark web forums.

The news comes from CloudSEK security researchers, who published an advisory about the new threat actors on Thursday.

“The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit,” read the document.

In particular, according to a SolidBit post viewed by CloudSEK on an unnamed underground forum, 20% of the earned profit from the distribution of the ransomware will be paid to the affiliate for infecting private servers.

From samples CloudSEK found during its investigation between June and July, the security experts suggested SolidBit may be a copycat of the infamous LockBit ransomware. 

The analysis suggests the malware is executed after downloading some malicious applications. 

“Upon extracting the repository and executing the application, all the files are encrypted with a .solibit extension and the SolidBit ransomware pop-up appears, containing the ransom note.”

A text file called then opens, which describes the basic steps on how to decrypt infected files by paying a ransom.

“The text file contains the decryption ID as well as the login page for the ransomware website,” CloudSEK said. “Upon logging in, the user is directed to the homepage of the ransomware website.”

Once on the website, users are then able to chat with the threat actor (chat with support) or trial the decryption algorithms (only for files less than 1MB).

“The samples did not contain any communication screenshots, however, it is possible that direct communication with the threat actors is possible via the chat system,” says the advisory.

In terms of attribution, CloudSEK found a Twitter post that shared a link to a GitHub repository created by a user named L0veRust, which contained an application used to deliver the ransomware.

To mitigate the impact of the malware, CloudSEK recommended that companies enable tools and applications that prevent malicious programs from being executed, and that they update and patch key infrastructure such as servers and computer systems.
