New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

Cybersecurity researchers have revealed a new version of the HardBit ransomware strain, now incorporating advanced obfuscation techniques to complicate analysis efforts.

“HardBit Ransomware version 4.0 introduces passphrase protection, a significant enhancement over previous versions,” noted Cybereason researchers Kotaro Ogino and Koshi Oyama in their analysis.

“The passphrase must be provided during runtime for the ransomware to execute properly, and additional obfuscation techniques hinder security researchers’ ability to analyze the malware.”

First identified in October 2022, HardBit is a financially motivated threat actor using double extortion tactics to generate illicit revenues. Unlike other ransomware groups, HardBit does not operate a data leak site; instead, it pressures victims by threatening further attacks in the future. The group primarily communicates via the Tox instant messaging service.

The exact method used to gain initial access to targeted environments remains unclear but is suspected to involve brute-forcing RDP and SMB services.

Subsequent steps include credential theft using tools like Mimikatz and NLBrute, and network discovery through utilities such as Advanced Port Scanner, allowing attackers to move laterally across networks via RDP.
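The brute-forcing of RDP and SMB described above leaves a dense trail of Windows Security event 4625 (failed logon) records. The following detector is an added example, not code from the article or from Cybereason; it runs over constructed 4625 records (the pipe-delimited layout and the IP addresses are assumptions for the example) and separates a single-account brute force from a password spray across many accounts.

```python
"""Detect RDP/SMB brute-force and password-spray activity in Windows
Security event 4625 (failed logon) records.

All records below are constructed for this example; they are not
telemetry from a HardBit intrusion."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 logon types of interest: 3 = network (SMB, and RDP when NLA is enforced),
# 10 = RemoteInteractive (RDP without NLA, or once NLA has succeeded).
REMOTE_LOGON_TYPES = {3, 10}


def parse_4625(line):
    """Parse a flattened record 'ISO-time|account|logon_type|source_ip'.

    The pipe-delimited layout is an assumption for this example; a real
    pipeline would pull the fields from the event XML or from the SIEM."""
    ts, account, logon_type, ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "logon_type": int(logon_type), "ip": ip}


def find_remote_logon_abuse(records, window=timedelta(minutes=5),
                            fail_threshold=20, spray_threshold=10):
    """Return one alert per source IP whose failures inside any sliding
    window reach fail_threshold (brute force) or spread across at least
    spray_threshold distinct accounts (password spray)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["logon_type"] in REMOTE_LOGON_TYPES:
            by_ip[r["ip"]].append(r)

    alerts = []
    for ip, events in sorted(by_ip.items()):
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end, ev in enumerate(events):
            # slide the window start forward until the span fits in `window`
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {r["account"] for r in in_window}
            if len(accounts) >= spray_threshold:
                kind = "password_spray"
            elif len(in_window) >= fail_threshold:
                kind = "brute_force"
            else:
                continue
            alerts.append({"ip": ip, "kind": kind, "failures": len(in_window),
                           "accounts": len(accounts),
                           "first_seen": in_window[0]["ts"].isoformat(),
                           "last_seen": ev["ts"].isoformat()})
            break  # one alert per source IP is enough for triage
    return alerts


def make_failures(ip, accounts, logon_type, start, count, step_seconds):
    """Build `count` constructed 4625 lines from one IP, cycling over accounts."""
    return [f"{(start + timedelta(seconds=i * step_seconds)).isoformat()}|"
            f"{accounts[i % len(accounts)]}|{logon_type}|{ip}"
            for i in range(count)]


def run_example():
    t0 = datetime(2024, 7, 15, 3, 0, 0)
    lines = []
    # 25 RDP failures against Administrator in under two minutes
    lines += make_failures("203.0.113.7", ["Administrator"], 10, t0, 25, 4)
    # 12 SMB failures, each against a different account, inside one minute
    users = [f"user{i:02d}" for i in range(12)]
    lines += make_failures("203.0.113.9", users, 3, t0, 12, 5)
    # three typos from a workstation user, below every threshold
    lines += make_failures("198.51.100.5", ["jdoe"], 10, t0, 3, 30)
    # console logons (type 2) are out of scope for remote brute-force logic
    lines += make_failures("127.0.0.1", ["svc_backup"], 2, t0, 40, 1)
    return find_remote_logon_abuse(parse_4625(line) for line in lines)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two practical notes: when Network Level Authentication is enforced, failed RDP attempts are recorded with logon type 3 rather than 10, so a rule keyed only on type 10 misses exactly the brute force this article describes; and the thresholds above are starting points that should be tuned against a baseline of legitimate lockouts on the monitored hosts.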

“Once a victim host is compromised, the HardBit ransomware payload is executed, which reduces the security posture of the host before encrypting victim data,” Varonis detailed in its technical write-up on HardBit 2.0 last year.

The ransomware itself is delivered by Neshta, a known file infector virus previously observed deploying Big Head ransomware. Once running, HardBit disables Microsoft Defender Antivirus, terminates processes and services to evade detection, encrypts files of interest, updates their icons, changes the desktop wallpaper, and alters the system's volume label to "Locked by HardBit."
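The article says HardBit disables Microsoft Defender but does not say by which mechanism. The following triage logic is an added example, not code from the article or from Cybereason: it flags the Defender policy registry values that generic tampering commonly sets to 1 (an assumption about tooling in general, not observed HardBit behaviour), as recorded by Sysmon Event ID 13, and the Defender Operational event 5001 that confirms real-time protection actually went off. All events and the `payload.exe` path are constructed.

```python
"""Flag Microsoft Defender being switched off, using constructed Sysmon
registry-set events (Event ID 13) and Defender Operational events (5001).

The registry value names below are the policy switches generic tampering
commonly sets; that they apply to HardBit is an assumption, not a finding."""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# value names that turn a protection component off when set to 1
KILL_SWITCH_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring",
                      "DisableBehaviorMonitoring", "DisableIOAVProtection",
                      "DisableOnAccessProtection"}
# Sysmon renders DWORD data as 'DWORD (0x00000001)'
DWORD_ONE = re.compile(r"^DWORD \(0x0*1\)$")


def tamper_reason(event):
    """Return a short reason if the event shows Defender being disabled, else None."""
    if event["channel"] == SYSMON and event["event_id"] == 13:
        key, _, value_name = event["target_object"].rpartition("\\")
        if (key.startswith(POLICY_ROOT) and value_name in KILL_SWITCH_VALUES
                and DWORD_ONE.match(event["details"])):
            return f"{value_name} set to 1 via {event['image']}"
    if event["channel"] == DEFENDER and event["event_id"] == 5001:
        return "real-time protection disabled (Defender event 5001)"
    return None


def triage(events):
    """Return (host, time, reason) for every tampering indicator, in input order."""
    return [(e["host"], e["time"], reason)
            for e in events if (reason := tamper_reason(e))]


def run_example():
    # constructed telemetry; 'payload.exe' is a placeholder, not a HardBit filename
    events = [
        {"host": "FS01", "time": "2024-07-15T03:12:01Z", "channel": SYSMON, "event_id": 13,
         "image": r"C:\Users\Public\payload.exe",
         "target_object": POLICY_ROOT + r"\DisableAntiSpyware",
         "details": "DWORD (0x00000001)"},
        {"host": "FS01", "time": "2024-07-15T03:12:01Z", "channel": SYSMON, "event_id": 13,
         "image": r"C:\Users\Public\payload.exe",
         "target_object": POLICY_ROOT + r"\Real-Time Protection\DisableRealtimeMonitoring",
         "details": "DWORD (0x00000001)"},
        # Defender confirming that real-time protection is now off
        {"host": "FS01", "time": "2024-07-15T03:12:02Z", "channel": DEFENDER, "event_id": 5001},
        # unrelated registry write under the same hive: not a finding
        {"host": "FS01", "time": "2024-07-15T03:13:00Z", "channel": SYSMON, "event_id": 13,
         "image": r"C:\Windows\System32\svchost.exe",
         "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
         "details": r"C:\Program Files\Updater\updater.exe"},
        # an administrator re-enabling protection: same value, set to 0
        {"host": "FS01", "time": "2024-07-15T08:00:00Z", "channel": SYSMON, "event_id": 13,
         "image": r"C:\Windows\regedit.exe",
         "target_object": POLICY_ROOT + r"\DisableAntiSpyware",
         "details": "DWORD (0x00000000)"},
    ]
    return triage(events)


if __name__ == "__main__":
    for host, when, why in run_example():
        print(host, when, why)
```

The registry write is only evidence of an attempt: on hosts where Defender's Tamper Protection is on, these policy values are ignored, so the 5001 event (or its absence) is what tells you whether protection really stopped. The process image recorded by Sysmon is worth keeping in the alert, since a policy value written by something in a user-writable directory rather than by Group Policy processing is the part a responder acts on.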

HardBit ransomware is available in both command-line and GUI versions, requiring an authorization ID for successful execution. The GUI version includes a wiper mode that can irreversibly erase files and wipe disks.

“Upon successful entry of the decoded authorization ID, HardBit prompts for an encryption key to encrypt files on the target machines and proceeds with the ransomware procedure,” Cybereason explained.

“The wiper mode feature must be enabled by the HardBit Ransomware group and is likely an additional purchase. To activate wiper mode, operators must deploy `hard.txt`, an optional configuration file containing the authorization ID.”

This update follows cybersecurity firm Trellix’s report on a CACTUS ransomware attack exploiting security flaws in Ivanti Sentry (CVE-2023-38035) to install file-encrypting malware using legitimate remote desktop tools like AnyDesk and Splashtop.

Ransomware activity has been on the rise in 2024, with 962 attacks reported in the first quarter, an increase from 886 attacks year-over-year. LockBit, Akira, and BlackSuit have emerged as the most prevalent ransomware families during this period, according to Symantec.

Palo Alto Networks’ 2024 Unit 42 Incident Response report highlights a significant drop in the median time from compromise to data exfiltration, falling from nine days in 2021 to just two days last year, with nearly half (45%) of cases seeing data exfiltration in under 24 hours.

“Exploitation of known vulnerabilities in public-facing applications remains the primary vector for ransomware attacks,” Broadcom-owned Symantec noted. “The Bring Your Own Vulnerable Driver (BYOVD) tactic continues to be favored by ransomware groups, particularly for disabling security solutions.”
