SolidBit Ransomware Detection: Novel Variant Targets Users of Popular Video Games and Social Media Platforms

Ransomware attacks have become a constantly growing trend in the cyber threat arena since 2020, which continues to be on the rise in 2021-2022. Cybersecurity researchers have recently uncovered a new SolidBit ransomware variant, which targets gamers and social media users. The novel malware strain is spotted in the wild, being uploaded to GitHub and disguised as popular applications luring potential victims into running them. Once launched, the lure files run malicious PowerShell code that deploys ransomware at targeted devices. 

Detect New SolidBit Ransomware Variant

With escalating volumes of sophisticated ransomware attacks and expanding scope of ransomware-as-a-service (RaaS) activities, cyber defenders are in search of innovative ways to strengthen their organization’s cybersecurity posture. SOC Prime’s Detection as Code platform has recently released a set of curated Sigma rules to detect the SolidBit ransomware crafted by our keen Threat Bounty Program developers, Furkan Celik and Osman Demir. Registered SOC Prime users can gain access to the dedicated threat hunting queries by following the link below:

Sigma rules to detect SolidBit ransomware

Both detections are compatible with the industry-leading SIEM, EDR, and XDR solutions supported by SOC Prime’s platform and are aligned with the MITRE ATT&CK framework addressing the Impact tactic with the corresponding Data Encrypted for Impact (T1486) technique. In addition, the dedicated Sigma rule by Furkan Celik also addresses the Execution ATT&CK tactic represented by the User Execution (T1204) technique.

Skilled cybersecurity practitioners striving to enrich their Detection Engineering and Threat Hunting Expertise skills can join the ranks of our Threat Bounty Program to make their own contribution to collective industry expertise. Participation in the Program enables detection content authors to monetize their professional skills while helping build a safer digital future. 

To keep abreast of rapidly evolving ransomware attacks, security teams can leverage the entire collection of relevant Sigma rules available in SOC Prime’s platform by clicking the Detect & Hunt button below. For streamlined threat investigation, non-registered SOC Prime users can also gain from our Cyber Threats Search Engine and explore the comprehensive contextual information related to ransomware, including MITRE ATT&CK and CTI references and more relevant metadata by clicking Explore Threat Context button below.

Detect & Hunt Explore Threat Context

SolidBit Description

SolidBit ransomware, a relatively novel player in the cyber threat arena, is an offspring of the infamous Yashma/Chaos ransomware. Security researchers believe that SolidBit maintainers work closely with Yashma developers to enhance some features of Chaos builder and then go to the underground market, branding it as SolidBit.

The most recent modification, promoted as SolidBit variant 3.0, is compiled with .NET, and according to the inquiry by Trend Micro, leverages an unusual attack kill chain to reach massive infections. Notably, SolidBit ransomware operators have pushed the malicious payload to GitHub, masquerading the threat within gaming tools and social media bots. 

The latest campaign spreads a fake League of Legends account checker tool and Instagram follower bot. In case a victim downloads the app from GitHub and runs it, the malicious application promptly executes a PowerShell code that eventually drops the SolidBit payload. Prior to encryption, the ransomware applies a set of debugging and obfuscation tricks alongside terminating services and deleting shadow copies to fly under the radar. 

Apart from the enhancements to the main functionality, SolidBit maintainers strive to expand their malicious network by applying the RaaS model. Notably, on June 30, 2022, security researchers spotted job advertisements on underground forums to engage new SolidBit RaaS affiliates. 

The new tactics point to the increasing sophistication of the SolidBit strain, which is a common trend in the ransomware arena. As attacks grow in scope and scale, security researchers require innovative tools to detect emerging threats and stay one step ahead of attackers. Join SOC Prime’s Detection as Code platform to spot the latest attacks with the world’s largest collection of Sigma rules, improve the log source and MITRE ATT&CK coverage, and actively contribute to boosting your organization’s cyber defense capabilities. Seasoned Threat Hunters and Detection Engineers are more than welcome to join Threat Bounty Program – SOC Prime’s crowdsourcing initiative, to share their detection algorithms with the cybersecurity community, contribute to collaborative cyber defense, and gain repeated payouts for their input.