
New SolidBit Ransomware Variant Targets Gamers and Social Media Users

A new variant of SolidBit ransomware has been spotted in the wild, targeting gamers and social media users. Here are more details on it.

How does it propagate?

  • Trend Micro researchers found that the new SolidBit variant was uploaded to GitHub and is distributed disguised as various applications to lure victims.
  • Some of the mimicked applications relate to popular video games, such as a League of Legends account checker tool. The variant also poses as an Instagram follower bot to infect users.
  • When an unsuspecting user runs the application, it automatically executes malicious PowerShell code that drops the ransomware. Another file bundled with the ransomware is named ‘Source code’, but it appears to differ from the compiled binary.

What are the features?

  • This version is a .NET compiled binary. Prior to encryption, the ransomware checks for specific files and directories on the victim’s system and skips them if they are present.
  • It uses 256-bit AES for encryption. The ransomware appends the .SolidBit extension to encrypted files and changes their file icons.
  • The SolidBit variant also terminates 42 services and deletes shadow copies and backup catalogs during the infection process.
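The recovery-tampering and file-renaming behaviour described above is what a defender would hunt for in endpoint telemetry. The following is an added example, not code from the report or from Trend Micro: it runs two simple rules over constructed process-creation and file-rename events. The command-line shapes for shadow-copy and backup-catalog deletion (vssadmin, wmic, wbadmin) are assumed, since the report does not name the exact commands the sample uses; the .SolidBit extension comes from the report.

```python
import re

# Constructed sample telemetry (not from the report), shaped like the
# process-creation and file-rename events an EDR or Sysmon pipeline would emit.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4150, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4201, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]
FILE_EVENTS = [
    {"pid": 3988, "old": r"C:\Users\u\Documents\report.docx",
     "new": r"C:\Users\u\Documents\report.docx.SolidBit"},
    {"pid": 3988, "old": r"C:\Users\u\Pictures\img.png",
     "new": r"C:\Users\u\Pictures\img.png.SolidBit"},
    {"pid": 1200, "old": r"C:\Temp\a.tmp", "new": r"C:\Temp\a.log"},
]

# Assumed command-line patterns for the two recovery-tampering actions the
# report describes; the report itself does not name the commands.
RECOVERY_TAMPER = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
}
RANSOM_EXT = ".solidbit"  # extension appended by the variant, per the report


def flag_recovery_tampering(events):
    """Return (pid, rule_name) for each process event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RECOVERY_TAMPER.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
    return hits


def flag_mass_rename(events, threshold=2):
    """Return the PIDs that appended the ransomware extension to at least `threshold` files."""
    counts = {}
    for ev in events:
        if ev["new"].lower().endswith(RANSOM_EXT):
            counts[ev["pid"]] = counts.get(ev["pid"], 0) + 1
    return {pid for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(flag_recovery_tampering(PROCESS_EVENTS))  # three hits: 4120, 4133, 4150
    print(flag_mass_rename(FILE_EVENTS))            # {3988}
```

In production the rename rule would be scoped to a short time window per process, which is what separates a ransomware encryptor from a legitimate bulk-rename tool.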

Worth noting 

  • SolidBit has been mistakenly linked to LockBit ransomware. That conclusion was drawn from the formatting style of the chat support sites and the file names of the ransom notes.
  • However, Trend Micro researchers assess that the ransomware is actually a copycat of Yashma/Chaos ransomware. It is possible that SolidBit’s operators are currently working with the original developer of Yashma, modified some features of the Chaos builder, and later rebranded it as SolidBit.

SolidBit as RaaS

The malicious actors are not only relying on malicious apps to spread the ransomware. They have also posted a job advertisement on underground forums to recruit potential affiliates for their RaaS activities.

The bottom line

With multiple tactics at their disposal, the ransomware’s operators are likely to expand their attack scope in the future. The current tactic of targeting gamers also casts a wide net over users who are not well-versed in security hygiene.
Cyware Publisher
