HardBit ransomware first surfaced in 2022, and its latest version, 4.0, marks a shift in tactics compared with most ransomware operations. HardBit does not run a data-leak site or a conventional double-extortion programme; instead it steals data, encrypts files and demands a ransom, backing the demand with threats of further attacks on the victim.
Researchers at Cybereason report that HardBit 4.0 is passphrase-protected: the binary will not run unless the operator supplies the correct passphrase at launch, which stops it from executing in an analysis sandbox and so hinders both automated detection and reverse engineering. The group communicates with victims through TOX, a peer-to-peer encrypted messenger. The initial access vector is still unknown, but researchers have noted similarities between HardBit and LockBit ransomware.
The tactics, techniques and procedures (TTPs) observed in HardBit intrusions include brute-forcing RDP and SMB credentials (NLBrute is an RDP brute-forcer), credential theft with Mimikatz, and possible use of the LaZagne and NirSoft password-recovery utilities. The actors have also been seen downloading tooling from picofile[.]com, a Farsi-language file-sharing site.
For network discovery the attackers use Advanced Port Scanner and KPortScan 3.0. HardBit is deployed together with Neshta, a file-infecting virus that prepends itself to executables on the host; once system binaries are infected, the compromise persists long after the ransomware itself has run.
A distinguishing feature of HardBit is that decryption requires both an authorization ID and an encryption key. Before encrypting anything, the ransomware disables Windows Defender, terminates services and inhibits system recovery with built-in Windows tools: bcdedit (to turn off boot recovery), vssadmin and WMIC (to delete Volume Shadow Copies) and wbadmin (to delete the backup catalog).
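As an added example (not code from the article or from Cybereason), the following Python script shows how the pre-encryption recovery-inhibition and Defender-tampering commands named above can be detected in process-creation telemetry. The log format, the host names and the sample lines are constructed for this example, and the regular expressions are this example's own heuristics rather than any vendor's signatures. Hits are correlated per host within a short window, so a lone `wbadmin` run by a backup administrator stays below the alert threshold while the burst HardBit produces does not.

```python
"""Detect HardBit-style recovery inhibition in process-creation logs.

Added example, not from the article or from Cybereason. The log format
(one line: timestamp host=... user=... cmd=...) and the sample lines are
constructed; the rules are this example's own heuristics.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Case-insensitive so "VSSADMIN.EXE Delete Shadows" and "vssadmin delete shadows"
# both match. Each pattern requires the destructive verb, so "vssadmin list
# shadows" or "bcdedit /enum" (normal admin use) do not fire.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("defender_disable",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w*\s+\$?true\b", re.I)),
]

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample telemetry: benign admin activity on WS01/WS07, an isolated
# catalog deletion on WS09, and a HardBit-like burst on FS02.
SAMPLE_LOG = [
    r"2024-07-12T08:00:00Z host=WS09 user=CORP\it cmd=wbadmin delete catalog -quiet",
    r"2024-07-12T09:15:00Z host=WS07 user=CORP\jdoe cmd=bcdedit /enum",
    r"2024-07-12T10:31:05Z host=WS01 user=CORP\svc-backup cmd=vssadmin list shadows",
    r"2024-07-12T10:32:11Z host=WS01 user=CORP\svc-backup cmd=wbadmin start backup -backupTarget:E:",
    r"2024-07-12T11:02:40Z host=FS02 user=CORP\admin cmd=VSSADMIN.EXE Delete Shadows /All /Quiet",
    r"2024-07-12T11:02:41Z host=FS02 user=CORP\admin cmd=wmic shadowcopy delete",
    r"2024-07-12T11:02:42Z host=FS02 user=CORP\admin cmd=wbadmin delete catalog -quiet",
    r"2024-07-12T11:02:43Z host=FS02 user=CORP\admin cmd=bcdedit /set {default} recoveryenabled No",
    r'2024-07-12T11:02:44Z host=FS02 user=CORP\admin cmd=powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    "this line is not in the expected format and is skipped",
]


def match_rules(cmdline):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # skip unparseable input rather than crash the pipeline
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def scan(lines):
    """Return one (host, ts, rule, cmd) tuple per rule triggered by each line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmd"]):
            hits.append((rec["host"], rec["ts"], rule, rec["cmd"]))
    return hits


def correlate(hits, window=timedelta(minutes=5), threshold=3):
    """Alert on hosts where at least `threshold` distinct rules fire within `window`.

    Returns {host: sorted list of distinct rules in the densest window}.
    """
    by_host = defaultdict(list)
    for host, ts, rule, _cmd in hits:
        by_host[host].append((ts, rule))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        best = set()
        for i, (start, _rule) in enumerate(events):
            seen = {r for t, r in events[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, ts, rule, cmd in found:
        print(f"{ts:%H:%M:%S} {host:<5} {rule:<26} {cmd}")
    print("ALERTS:", correlate(found))
```

The per-host correlation is the part worth keeping in a real deployment: any one of these commands has a legitimate use, but three or more distinct ones from the same host inside a few minutes is the signature of a pre-encryption sequence, and at that point the files are usually not yet encrypted.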
The binary is obfuscated with a modified build of ConfuserEx, a .NET obfuscator, that identifies itself as Ryan-_-Borland_Protector Cracked v1.0, so the sample has to be unpacked before it can be analysed; together with the Neshta file infection and the system changes above, this protects the payload and makes recovery harder. HardBit also encrypts files selectively, updates itself on already-infected machines, and uses encrypted email accounts as contact points.
The GUI build of HardBit offers a ransom mode and a wiper mode; wiper mode is gated behind an additional authorization read from the configuration file hard.txt. Across versions 2.0, 3.0 and 4.0 the malware has steadily gained functionality and heavier obfuscation.
Cybereason's recommendations, which refer to features of its own platform, are to enable Application Control to block execution of malicious files, to turn on Predictive Ransomware Protection (or Anti-Ransomware where Predictive Ransomware Protection is not available), and to run Variant Payload Prevention in Prevent mode. For other stacks the equivalent controls are application allow-listing, EDR with behavioural ransomware blocking, and alerting on shadow-copy deletion and Defender tampering.
Ransomware continues to evolve, and these controls raise the cost of a HardBit intrusion. Given that HardBit's initial access vector is unknown and its known TTPs start with RDP and SMB brute-forcing, organizations should also limit exposure of those services and watch for the pre-encryption steps described above, since blocking them buys time before any files are lost.
