League of Legends players targeted with file-locking malware


Attackers are using a modified version of SolidBit ransomware to target fans of the popular online game League of Legends, as well as Instagram users, researchers claim.

Threat actors have modified SolidBit ransomware to focus their sights on gamers and social media users. Researchers at cybersecurity firm Trend Micro discovered the SolidBit variant disguised as a League of Legends account checker tool.

Malware operators uploaded the malicious application to GitHub. The fake League of Legends account checker tool includes SolidBit malware and an instructions file supposedly providing a guide on how to use the tool.

Once the victim executes the tool, it runs PowerShell and deploys the malware on the victim’s computer. Once on the device, the malicious software will start scanning the device and disable Windows Defender’s scheduled scans to avoid detection.

Details about the fraudulent League of Legends account checker posted on GitHub. Image by Trend Micro.

After the task is completed, SolidBit ransomware is executed, leading to file encryption. In the process, shadow copies, backup logs, and dozens of services are deleted from the victim’s computer. Once the process is completed, the victim receives a ransom note with instructions on how to decrypt the data.

According to the researchers, other modified versions of SolidBit were uploaded on GitHub with titles like ‘Social Hacker’ and ‘Instagram Follower Bot.’ Both are similar to the fake League of Legends tool. However, the GitHub account was terminated before the research was published.

“The SolidBit ransomware group appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates,” researchers claim.

Steady growth

Researchers believe that SolidBit imitates the successful LockBit ransomware gang. For example, Trend Micro claims that the two groups have similar support sites and similar file names for their ransom notes.

However, technically SolidBit is based on the Yashma ransomware family. The group is likely only firing up its affiliate program, as SolidBit was noted to post job ads for its ransomware-as-a-service (RaaS) scheme.

The number of ransomware attacks grew last quarter compared to the beginning of the year. Digital Shadows counted 705 victims, 21% more than in previous months. Ivan Righi, a Senior Cyber Threat Intelligence Analyst at Digital Shadows, thinks we’ll only see more attacks as the year progresses.

“[…] activity is likely to continue increasing until the end of the year. The rise in activity was primarily attributed to smaller ransomware groups having a higher activity level than usual, which is another trend likely to continue due to the recent closure of some large ransomware groups,” Righi said.

Threat actors primarily focused on the industrial goods and services sector, followed by the technology sector and the construction and materials sector. Companies in the United States continue to be the primary focus of ransomware gangs, with around 39% of total victims in the US.