Group promises 20% of profit from ransomware distribution to affiliates that infect private servers, according to security researchers
A hacking group called SolidBit is advertising the commercialization of its RaaS (ransomware-as-a-service) and looking to recruit new affiliates on dark web forums. The news comes from security researchers at CloudSEK, who published a statement on the new threat operators on Thursday of last week. “The group is actively looking for partners to gain access to companies’ private networks to spread the so-called SolidBit ransomware,” the note reads.
According to a SolidBit post seen by CloudSEK on an unnamed underground forum, 20% of the profit made from distributing the ransomware will be paid to the affiliate who infects private servers. From samples that the company found during the investigation between June and July, security experts suggested that SolidBit might be a copy of LockBit ransomware.
Analysis suggests that the malware runs after downloading some malicious apps. “When extracting the repository and running the application, all files are encrypted with a .solibit extension and the SolidBit ransomware pop-up appears, containing the ransom note.” A text file is then opened which describes the basic steps on how to decrypt infected files by paying a ransom.
“The text file contains the decryption ID as well as the login page of the ransomware website,” said CloudSEK. “Upon logging in, the user is directed to the homepage of the ransomware website.” Once on the site, users can chat with the threat operator (chat with support) or test decryption algorithms (only for files under 1MB).
“The samples did not contain screenshots of communication, however, it is possible that direct communication with threat actors is possible via the chat system,” the statement reads.
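The behaviour described above (every file rewritten with a `.solibit` extension and a plain-text ransom note dropped alongside) is the kind of host-level indicator an incident responder can check for during triage. The script below is an added example, not code from the article or from CloudSEK: it walks a directory tree, counts files carrying the encrypted extension per directory, and flags directories where most files have been renamed. The ransom note's filename is not given in the article, so the script treats any `.txt` file next to encrypted files as a candidate note for analyst review (an assumption); the sample tree it builds is constructed for the demonstration.

```python
"""Extension-based triage check for SolidBit-style encryption (added example)."""
import os
import tempfile
from pathlib import Path

# Indicator from the article: encrypted files are given a ".solibit" extension.
ENCRYPTED_EXT = ".solibit"
# Assumption: the dropped ransom note is a plain-text file. Its exact name is not
# stated in the article, so any .txt file beside encrypted files is reported as a
# candidate note rather than matched by name.
NOTE_EXT = ".txt"


def scan_tree(root):
    """Return {directory: (encrypted_count, total_files, candidate_notes)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        notes = [f for f in files if f.lower().endswith(NOTE_EXT)]
        results[dirpath] = (len(encrypted), len(files), sorted(notes))
    return results


def assess(results, ratio_threshold=0.5, min_files=3):
    """Flag directories where at least ratio_threshold of the files are encrypted.

    min_files avoids alerting on a directory that holds a single stray file.
    """
    alerts = []
    for directory, (enc, total, notes) in results.items():
        if total >= min_files and enc / total >= ratio_threshold:
            alerts.append({"dir": directory, "encrypted": enc,
                           "total": total, "notes": notes})
    return alerts


def build_sample_tree(base):
    """Construct a sample tree: one untouched directory and one that looks hit."""
    healthy = Path(base) / "docs"
    hit = Path(base) / "finance"
    healthy.mkdir()
    hit.mkdir()
    for name in ("a.docx", "b.xlsx", "c.pdf"):
        (healthy / name).write_bytes(b"ok")
    for name in ("q1.xlsx.solibit", "q2.xlsx.solibit", "budget.pdf.solibit"):
        (hit / name).write_bytes(b"\x00\x01garbage")
    # Constructed placeholder; the real note's name and text are not in the article.
    (hit / "RESTORE-FILES.txt").write_text("placeholder ransom note text")
    return str(base)


def demo():
    """Run the check over the constructed tree; returns (dir name, count, notes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        alerts = assess(scan_tree(root))
        return [(Path(a["dir"]).name, a["encrypted"], a["notes"]) for a in alerts]


if __name__ == "__main__":
    print(demo())
```

On a live host you would point `scan_tree` at the user and share directories and feed the alerts into the incident ticket; the ratio threshold matters because a single renamed file is noise, while a directory that is mostly `.solibit` files is a strong sign the encryptor has already run there.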
In terms of attribution, CloudSEK found a Twitter post that shared a link to a GitHub repository created by a user named L0veRust, which contained an application used to deliver the ransomware.
To mitigate the impact of malware, CloudSEK recommends that companies enable tools and applications that prevent malicious programs from running, as well as update and patch critical infrastructure such as servers and computer systems.
Source: CisoAdvisor