{
	"id": "f2fda64b-a4de-4021-9155-ab7af9d881c2",
	"created_at": "2026-04-06T00:21:28.759548Z",
	"updated_at": "2026-04-10T13:12:53.578749Z",
	"deleted_at": null,
	"sha1_hash": "f448f0b4f308a6bd2bab01c9d768a675ba537936",
	"title": "SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2413078,
	"plain_text": "SolidBit Ransomware Enters the RaaS Scene and Takes Aim at\r\nGamers and Social Media Users With New Variant\r\nPublished: 2022-08-02 · Archived: 2026-04-05 16:42:18 UTC\r\nThis blog entry offers a technical analysis of a new SolidBit variant that poses as different applications to lure\r\ngamers and social media users. The SolidBit ransomware group appears to be planning to expand its operations\r\nthrough these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.\r\nBy: Nathaniel Morales, Ivan Nicole Chavez, Monte de Jesus, Lala Manly, Nathaniel Gregory Ragasa Aug 02,\r\n2022 Read time: 6 min (1650 words)\r\nTrend Micro researchers recently analyzed a sample of a new SolidBit ransomware variant that\r\ntargets users of popular video games and social media platforms. The malware was uploaded to GitHub, where it\r\nis disguised as different applications, including a League of Legends account checker tool (Figure 1) and an\r\nInstagram follower bot, to lure in victims.\r\nThe League of Legends account checker on GitHub (Figures 2 and 3) is bundled with a file that\r\ncontains instructions on how to use the tool (Figure 4), but that is the extent of the pretense: it has no graphical user\r\ninterface (GUI) or any other behavior related to its supposed function. When an unsuspecting victim runs the\r\napplication, it automatically executes malicious PowerShell commands that drop the ransomware. Another file that\r\ncomes with the ransomware is named “Source code,” but this appears to be different from the compiled binary.\r\nFigure 1. The icon of one of the malicious applications, named \"Rust LoL Accounts Checker\"\r\nhttps://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html\r\nPage 1 of 14\n\nFigure 2. The SolidBit ransomware variant masquerading as a League of Legends account checker\r\ntool on GitHub\r\nFigure 3. Details about the fraudulent League of Legends account checker posted on GitHub\r\nFigure 4. One of the files bundled with SolidBit’s fraudulent League of Legends account checker on\r\nGitHub\r\n
Among the files bundled with the account checker, we also found an executable file named Rust LoL Accounts\r\nChecker.exe (Figure 5) protected by Safengine Shielden, which obfuscates samples and applications to make\r\nreverse engineering and analysis more difficult. When this file is executed, an error window appears and claims\r\nthat debugging tools have been detected (Figure 6), which may be one of the malware’s anti-virtualization and\r\nanti-debugging capabilities.\r\nFigure 5. File properties of Rust LoL Accounts Checker.exe found using Detect It Easy\r\nFigure 6. A pop-up window that appears when Rust LoL Accounts Checker.exe is executed\r\nIf users click on this executable file, it will drop and execute Lol Checker x64.exe, which runs the malicious\r\nPowerShell commands that drop and execute the SolidBit ransomware. After pivoting on the binary in VirusTotal and\r\nAnyRun, we found that Rust LoL Accounts Checker.exe downloads and executes Lol Checker x64.exe using the\r\nfollowing command:\r\ncmd /c start  \"\" %TEMP%\\LoL Checker x64.exe\r\n
When Lol Checker x64.exe is executed, it adds the following folders and file extensions to Windows Defender’s exclusion list, removing them from scheduled scans and real-time scanning:\r\n%UserProfile%\r\n%AppData%\r\n%Temp%\r\n%SystemRoot%\r\n%HomeDrive%\r\n%SystemDrive%\r\n.exe\r\n.dll\r\nThe file adds these exclusions by using the following PowerShell command:\r\ncmd /c powershell -Command \"Add-MpPreference -ExclusionPath\r\n@($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force\" \u0026\r\npowershell -Command \"Add-MpPreference -ExclusionExtension @('exe','dll') -Force\" \u0026 exit;\r\nAfter excluding these directories and extensions from Windows Defender scanning, the file drops and executes\r\nRuntime64.exe, which we identified as the SolidBit ransomware, using the following command:\r\ncmd /c start  \"\" %TEMP%\\Runtime64.exe\r\nRansomware analysis of SolidBit’s new variant\r\nThis new version of SolidBit ransomware is a .NET compiled binary (Figure 7). After opening Runtime64.exe\r\nin the debugger and .NET assembly editor dnSpy, we found that the file was obfuscated. We used the .NET\r\ndeobfuscator and unpacker de4dot to make the strings readable (Figure 8).\r\nFigure 7. Properties of the binary using Detect It Easy\r\nFigure 8. A comparison of the file before (left) and after (right) it was deobfuscated using de4dot\r\n
The ransomware creates a mutex and terminates if another copy of itself is already running on the\r\nmachine (Figure 9).\r\nFigure 9. The mutex created by SolidBit ransomware\r\nIt also creates a value named “UpdateTask” under the registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Run” as its autostart mechanism (Figure 10).\r\nFigure 10. The registry key for SolidBit’s autostart mechanism\r\nPrior to encryption, the ransomware checks whether the directory is in the root path and avoids the following files\r\nand directories, as shown in Figure 11:\r\n\\\\ProgramData\r\n$Recycle.Bin\r\nAMD\r\nappdata\\\\local\r\nappdata\\\\locallow\r\nautorun.inf\r\nboot.ini\r\nboot.ini\r\nbootfont.bin\r\nbootmgfw.efi\r\nbootsect.bak\r\ndesktop.ini\r\nDocuments and Settings\r\niconcache.db\r\nIntel\r\nMSOCache\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nNVIDIA\r\nPerfLogs\r\nProgramData\r\nProgram Files\r\nProgram Files (x86)\r\nthumbs.db\r\nusers\\\\all users\r\nWindows\r\nWindows.old\r\nFigure 11. SolidBit ransomware checking for files to be avoided\r\n
This SolidBit variant uses 256-bit Advanced Encryption Standard (AES) encryption to encrypt the files on its\r\nvictim’s computer (Figure 12). A key appended to the encrypted files’ content (Figure 13) acts as\r\nSolidBit’s infection marker. The key comes from a hard-coded string in the binary that was encrypted with Rivest-Shamir-Adleman (RSA) and encoded in Base64. The ransomware also appends the .SolidBit\r\nfile extension to the encrypted files and changes their file icons (Figure 14). Its encryption routine only encrypts\r\nfiles with specific file extensions.\r\nFigure 12. SolidBit ransomware’s encryption routine\r\nFigure 13. The encrypted content of the file\r\nFigure 14. A file encrypted by SolidBit ransomware\r\nThis SolidBit variant also terminates multiple services, deletes any shadow copies (Figure 15) and backup\r\ncatalogs (Figure 16), and deletes 42 services on the victim’s computer.\r\nFigure 15. SolidBit’s deletion of shadow copies\r\nFigure 16. SolidBit’s deletion of the backup catalog\r\nIt also drops a file named RESTORE-MY-FILES.txt, which contains instructions on how a victim can pay the ransom, into\r\nevery directory (Figure 17) and shows a pop-up window on the victim’s machine (Figure 18).\r\nFigure 17. Dropped ransom note by SolidBit ransomware\r\nFigure 18. The pop-up window that SolidBit ransomware shows on the victim’s screen\r\nSolidBit as a LockBit imitator\r\nSolidBit has been suspected of being a LockBit ransomware copycat, as the two share\r\nsimilarities in their chat support sites’ formatting (Figure 19) and in the file names of their ransom notes (Figure 20).\r\nFigure 19. Similarities between the chat support sites of LockBit (left) and SolidBit (right)\r\nFigure 20. The ransom notes of LockBit (left) and SolidBit (right)\r\nFigure 21. The functions of SolidBit ransomware (left) and Yashma ransomware (right)\r\nFigure 22. SolidBit ransomware (left) and Yashma ransomware (right) checking files in a targeted\r\nsystem’s directories\r\n
The new SolidBit sample is larger than its predecessors at 5.56 MB, compared to the 159 KB of earlier SolidBit\r\nvariants. Its use of a fake League of Legends account checker application to drop its ransomware payload is a\r\nnew technique in its arsenal.\r\nSolidBit posing as social media tools\r\nIn addition to the fraudulent League of Legends account checker application, the aforementioned GitHub account\r\nhad uploaded this new SolidBit variant disguised as other legitimate-looking applications named “Social Hacker” (Figure\r\n23) and “Instagram Follower Bot” (Figure 24). The account had been taken down at the time of this\r\nwriting.\r\nFigure 23. File properties of the new SolidBit ransomware variant disguised as an application\r\nnamed Social Hacker\r\nFigure 24. File properties of the new SolidBit ransomware variant disguised as an application called\r\nInstagram Follower Bot\r\nBoth of these malicious applications display an error message when executed on a virtual machine (Figure 25). They\r\nexhibit the same behavior as the fake League of Legends account checker: they drop and execute an\r\nexecutable that, in turn, drops and executes the SolidBit ransomware payload (Figure 26).\r\nFigure 25. The error message shown when the Social Hacker and Instagram Follower Bot\r\napplications are run on a virtual machine\r\nFigure 26. The execution flow of the three malicious applications that contain the new SolidBit\r\nvariant\r\n
SolidBit as ransomware-as-a-service\r\nThe malicious actors behind SolidBit aren’t just turning to malicious apps as a means of spreading the\r\nransomware. A researcher found that the SolidBit ransomware group also posted a job\r\nadvertisement on an underground forum on June 29 to recruit potential affiliates for their ransomware-as-a-service\r\n(RaaS) activities. These affiliates, who are tasked with penetrating a victim’s system and\r\ndistributing SolidBit, stand to gain 80% of the ransomware payout as a commission.\r\nFending off ransomware attacks\r\nThe malware authors behind SolidBit ransomware appear to be gearing up to expand their operations by\r\nrecruiting ransomware-as-a-service partners who will facilitate a wider scale of infection, on top of the distribution\r\napproach of their newly found variant. The large commission percentage that SolidBit’s authors offer is likely to\r\nattract other opportunistic threat actors, so we anticipate more activity from this ransomware group in the near\r\nfuture.\r\nWhile it is not new for ransomware to disguise itself as a legitimate program or tool as a social engineering\r\nlure, SolidBit’s new variant targets games and applications with a large user base. This allows SolidBit’s\r\nransomware actors to cast a wide net of potential victims, and users who may not be well-versed in security\r\nhygiene, such as children or teenagers, could fall victim to fraudulent applications and tools, as was the case in\r\nprevious Minecraft and Roblox malware infections.\r\nEnd users and organizations alike can mitigate the risk of ransomware infection by following these security best\r\npractices:\r\nEnable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a\r\nnetwork.\r\nAdhere to the 3-2-1 rule when backing up important files. This involves creating three\r\nbackup copies on two different file formats, with one of the copies stored in a separate location.\r\nPatch and update systems regularly. It’s important to keep one’s operating system and\r\napplications up to date, which will prevent malicious actors from exploiting any software vulnerabilities.\r\nOrganizations can also benefit from security solutions that offer multilayered detection and response such as Trend\r\nMicro Vision One™, which has multilayered protection and behavior detection capabilities that\r\nhelp block suspicious behavior and tools before ransomware can do any damage. Trend Micro Apex One™\r\nalso provides next-level automated threat detection and response to protect endpoints against\r\nadvanced issues, like fileless threats and ransomware.\r\nSource: https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html"
	],
	"report_names": [
		"solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f448f0b4f308a6bd2bab01c9d768a675ba537936.pdf",
		"text": "https://archive.orkl.eu/f448f0b4f308a6bd2bab01c9d768a675ba537936.txt",
		"img": "https://archive.orkl.eu/f448f0b4f308a6bd2bab01c9d768a675ba537936.jpg"
	}
}