Cybersecurity experts have uncovered a new iteration of the HardBit ransomware, labeled version 4.0, which introduces advanced obfuscation techniques to thwart analysis.
“Unlike its predecessors, HardBit Ransomware group has fortified version 4.0 with passphrase protection,” noted Cybereason researchers Kotaro Ogino and Koshi Oyama in their analysis.
“Execution of the ransomware now necessitates a passphrase during runtime, complicating the task of security analysts in dissecting the malware.”
HardBit, which first surfaced in October 2022, operates as a financially driven threat actor, akin to other ransomware groups, aiming to extort victims through double extortion strategies.
What sets the group apart is its lack of a data leak site; instead, it pressures victims to pay by threatening future attacks. Communication primarily occurs via the Tox instant messaging service.
The exact method used to gain initial access to target environments remains unclear, though it likely involves brute-forcing RDP and SMB services.
Subsequent steps include credential theft using tools like Mimikatz and NLBrute, along with network reconnaissance via utilities such as Advanced Port Scanner, enabling lateral movement across the network through RDP.
“Upon compromising a host, the HardBit ransomware payload executes a series of actions to diminish the host’s security posture before encrypting data,” Varonis detailed in their technical write-up about HardBit 2.0 last year.
The HardBit payload itself is distributed via a known file infector virus called Neshta. Notably, Neshta has previously been used by cybercriminals to disseminate Big Head ransomware.
HardBit is also designed to disable Microsoft Defender Antivirus and terminate processes and services to avoid detection and prevent system recovery. It then encrypts pertinent files, updates their icons, modifies desktop wallpaper, and changes the system’s volume label to “Locked by HardBit.”
Offered in both command-line and GUI versions, the ransomware requires an authorization ID for execution. The GUI version additionally supports a wiper mode to irreversibly delete files and wipe the disk.
“Once threat actors input the decoded authorization ID, HardBit prompts for an encryption key to proceed with file encryption,” Cybereason noted.
“The wiper mode must be enabled by the HardBit Ransomware group and appears to be an optional feature that operators can purchase. If needed, operators must deploy hard.txt, a configuration file containing the authorization ID to activate wiper mode.”
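The intrusion chain described above (RDP brute-forcing for initial access, Microsoft Defender disabled, the hard.txt configuration file, and the volume label changed to "Locked by HardBit") lends itself to staged detection on the defender's side. The following Python correlator is an added example written for this article; it is not code from Cybereason, Varonis, or the HardBit analyses they published. The event stream is constructed for illustration (the source address is a documentation-only IP), the event schema is an assumed flat dictionary rather than any particular SIEM's format, and the thresholds are assumptions. Windows Security event IDs 4625/4624 with logon type 10 (failed/successful RDP logon) and Microsoft Defender event ID 5001 (real-time protection disabled) are real identifiers.

```python
"""Stage correlator for the HardBit-style intrusion chain described in the article.

Added example (not from the original reporting). Events are assumed to have been
normalized into flat dicts with a "ts" string and an "id" field; the sample
stream below is constructed, not captured telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_THRESHOLD = 5                  # assumed: failed RDP logons from one source ...
BRUTE_WINDOW = timedelta(minutes=2)  # ... inside this window count as brute forcing


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events. 203.0.113.7 is a TEST-NET-3 documentation address.
SAMPLE_EVENTS = [
    # stage 1: six failed RDP logons from one source, then a success
    *[{"ts": f"2024-07-10 02:00:{i:02d}", "id": 4625, "logon_type": 10,
       "src": "203.0.113.7", "user": "admin"} for i in range(6)],
    {"ts": "2024-07-10 02:00:09", "id": 4624, "logon_type": 10,
     "src": "203.0.113.7", "user": "admin"},
    # benign noise: a single typo'd password from an internal workstation
    {"ts": "2024-07-10 02:05:00", "id": 4625, "logon_type": 10,
     "src": "10.0.0.25", "user": "jdoe"},
    # stage 2: Defender real-time protection disabled (Defender event 5001)
    {"ts": "2024-07-10 02:20:00", "id": 5001,
     "provider": "Microsoft-Windows-Windows Defender"},
    # stage 3: HardBit artifacts, as described in the article
    {"ts": "2024-07-10 02:21:00", "id": "file_create",
     "path": r"C:\Users\admin\Desktop\hard.txt"},
    {"ts": "2024-07-10 02:45:00", "id": "volume_label",
     "drive": "C:", "label": "Locked by HardBit"},
]


def correlate(events):
    """Walk events in time order and emit (stage, detail, timestamp) alerts."""
    failures = defaultdict(deque)   # src -> timestamps of failed RDP logons
    brute_sources = set()           # sources that already tripped the threshold
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        t, eid = _ts(ev["ts"]), ev["id"]
        if eid == 4625 and ev.get("logon_type") == 10:
            q = failures[ev["src"]]
            q.append(t)
            while q and t - q[0] > BRUTE_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BRUTE_THRESHOLD and ev["src"] not in brute_sources:
                brute_sources.add(ev["src"])
                alerts.append(("rdp_brute_force", ev["src"], ev["ts"]))
        elif eid == 4624 and ev.get("logon_type") == 10 and ev["src"] in brute_sources:
            # a success from a source that was just brute forcing = likely compromise
            alerts.append(("rdp_brute_force_success",
                           f'{ev["src"]} as {ev["user"]}', ev["ts"]))
        elif eid == 5001:
            alerts.append(("defender_realtime_disabled", ev.get("provider", ""), ev["ts"]))
        elif eid == "file_create" and ev["path"].lower().endswith("\\hard.txt"):
            alerts.append(("hardbit_config_dropped", ev["path"], ev["ts"]))
        elif eid == "volume_label" and ev["label"].lower() == "locked by hardbit":
            alerts.append(("hardbit_volume_label",
                           f'{ev["drive"]} -> {ev["label"]}', ev["ts"]))
    return alerts


def stages_seen(alerts):
    """Just the stage names, in the order they fired."""
    return [name for name, _, _ in alerts]


if __name__ == "__main__":
    for stage, detail, when in correlate(SAMPLE_EVENTS):
        print(f"{when}  {stage:28s} {detail}")
```

The single failed logon from 10.0.0.25 never reaches the threshold and produces no alert, while the documentation-address source trips it on the fifth failure and is then flagged again when its logon succeeds. The later stages are each cheap to check on their own but are far more meaningful when they follow a brute-force success on the same host, which is why the correlator keeps them in one ordered timeline rather than as isolated rules.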
This development coincides with a report from cybersecurity firm Trellix, which detailed a CACTUS ransomware attack exploiting security flaws in Ivanti Sentry (CVE-2023-38035) to install the malware using legitimate remote desktop tools like AnyDesk and Splashtop.
Ransomware activity continues to trend upward in 2024, with ransomware groups claiming 962 attacks in the first quarter, up from 886 the previous year. LockBit, Akira, and BlackSuit have emerged as the most prevalent ransomware families during this period, according to Symantec.
Palo Alto Networks’ 2024 Unit 42 Incident Response report highlights a significant reduction in the time from compromise to data exfiltration, dropping from nine days in 2021 to two days last year. In nearly half (45%) of cases this year, this process took less than 24 hours.
“Evidence indicates that exploiting known vulnerabilities in public-facing applications remains the primary vector for ransomware attacks,” noted the Broadcom-owned company. “Bring Your Own Vulnerable Driver (BYOVD) remains a favored tactic among ransomware groups, particularly for disabling security solutions.”