Severity
High
Analysis Summary
A new strain of ransomware known as HardBit has been discovered by cybersecurity researchers. It is bundled with fresh obfuscation strategies to thwart analysis attempts. The HardBit Ransomware gang improved version 4.0 by adding passphrase protection, in contrast to earlier iterations.
The researchers said, “The passphrase needs to be provided during the runtime in order for the ransomware to be executed properly. Additional obfuscation hinders security researchers from analyzing the malware.”
First discovered in October 2022, HardBit is a financially driven threat actor that uses double extortion to make illegal profits, just like other ransomware gangs. The threat group is distinct since it does not own a website where data is leaked; instead, it uses threats of future attacks to coerce victims into paying up. The Tox instant messaging service is its main means of communication.
Although the precise initial access vector used to compromise target environments is not yet known, brute-forcing of RDP and SMB services is thought to be involved. The next steps include network discovery using tools like Advanced Port Scanner and credential theft using tools like Mimikatz and NLBrute, which enable the attackers to move laterally across the network via RDP.
Once the victim host has been infected, the HardBit ransomware payload is launched. It then takes several actions to weaken the host's security posture before encrypting the victim's data. HardBit, which encrypts the victim hosts, is distributed by the well-known file-infector virus Neshta. Notably, threat actors have previously distributed the Big Head ransomware using Neshta.
To avoid possible detection of its actions and prevent system recovery, HardBit is also built to turn off Microsoft Defender Antivirus and stop programs and services. Next, files of interest are encrypted, their icons are updated, the desktop wallpaper is changed, and the system volume label is changed to read "Locked by HardBit."
The ransomware is available in both command-line and graphical user interface (GUI) versions, and it requires an authorization ID to function properly. The GUI flavor additionally has a wiper mode for permanently erasing files and cleaning the drive. Threat actors can proceed with the ransomware operation after successfully entering the decoded authorization ID. HardBit then asks for an encryption key to encrypt the files on the target workstations.
Wiper mode must be enabled by the HardBit ransomware gang and is probably an extra feature that operators need to buy. To enable it, operators must deploy hard.txt, an optional HardBit binary configuration file that provides an authorization ID.
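The detection side of the behaviours described above (the RDP brute-forcing that precedes lateral movement, Microsoft Defender being turned off, the volume label being set to "Locked by HardBit", and the hard.txt configuration file), as an added Python example that is not part of this advisory and not code from any research team. It runs over constructed, simplified log lines in a `timestamp|channel|event_id|message` format rather than real EVTX records; the field names (`src`, `logon_type`), the sample IPs, drive labels and file paths are assumptions made for the example. The Windows event IDs used are real: Security 4625/4624 (logon failure/success, logon type 10 = RemoteInteractive, i.e. RDP), Defender Operational 5001 (real-time protection disabled) and Sysmon 13 (registry value set).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample log lines (NOT real telemetry) mimicking the behaviours
# the advisory describes: a burst of failed RDP logons from one source that
# ends in a success, then Defender being switched off by event and by registry.
SAMPLE_LOG = """\
2024-07-01T02:00:01|Security|4625|Logon failure user=administrator src=10.0.0.8 logon_type=10
2024-07-01T02:00:03|Security|4625|Logon failure user=administrator src=10.0.0.8 logon_type=10
2024-07-01T02:00:05|Security|4625|Logon failure user=backup src=10.0.0.8 logon_type=10
2024-07-01T02:00:07|Security|4625|Logon failure user=svc_sql src=10.0.0.8 logon_type=10
2024-07-01T02:00:09|Security|4625|Logon failure user=helpdesk src=10.0.0.8 logon_type=10
2024-07-01T02:00:11|Security|4625|Logon failure user=it_admin src=10.0.0.8 logon_type=10
2024-07-01T02:00:40|Security|4624|Logon success user=it_admin src=10.0.0.8 logon_type=10
2024-07-01T09:15:00|Security|4625|Logon failure user=jsmith src=10.0.0.55 logon_type=2
2024-07-01T02:05:12|Microsoft-Windows-Windows Defender/Operational|5001|Real-time protection is disabled
2024-07-01T02:05:13|Microsoft-Windows-Sysmon/Operational|13|Registry value set TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware Details=DWORD (0x00000001)
"""
# Constructed host-side observations: volume labels per drive and files seen.
SAMPLE_VOLUMES = {"C:": "Locked by HardBit", "D:": "Data"}
SAMPLE_FILES = [r"C:\Users\Public\hard.txt", r"C:\Windows\System32\drivers\etc\hosts"]

HARDBIT_VOLUME_LABEL = "locked by hardbit"   # compared case-insensitively


def parse_log(text):
    """Parse the simplified pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, message = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "channel": channel,
                       "event_id": int(event_id), "message": message})
    return sorted(events, key=lambda e: e["time"])


def field(message, name):
    """Extract a key=value field from the message text (assumed format)."""
    m = re.search(rf"\b{name}=(\S+)", message)
    return m.group(1) if m else None


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source with >= threshold failed RDP logons (4625, logon type 10)
    inside a sliding window, and record whether the same source later logged
    on successfully over RDP, the pattern that precedes lateral movement."""
    findings, recent, flagged = [], defaultdict(deque), set()
    for ev in events:
        if ev["channel"] != "Security" or field(ev["message"], "logon_type") != "10":
            continue
        src = field(ev["message"], "src")
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "rdp_bruteforce", "src": src,
                                 "failures": len(q), "followed_by_success": False})
        elif ev["event_id"] == 4624 and src in flagged:
            for f in findings:
                if f["type"] == "rdp_bruteforce" and f["src"] == src:
                    f["followed_by_success"] = True
    return findings


def detect_defender_tampering(events):
    """Flag Defender real-time protection being disabled (event 5001) and the
    DisableAntiSpyware policy value being set to 1 (Sysmon registry event 13)."""
    findings = []
    for ev in events:
        msg = ev["message"]
        if ev["channel"].endswith("Windows Defender/Operational") and ev["event_id"] == 5001:
            findings.append({"type": "defender_disabled", "time": ev["time"], "via": "event_5001"})
        elif (ev["channel"].endswith("Sysmon/Operational") and ev["event_id"] == 13
              and "DisableAntiSpyware" in msg and "0x00000001" in msg):
            findings.append({"type": "defender_disabled", "time": ev["time"],
                             "via": "registry_DisableAntiSpyware"})
    return findings


def check_host_artifacts(volume_labels, file_paths):
    """Check for the volume label HardBit sets and for a hard.txt config file.
    The file name alone is a weak indicator; treat it as a lead, not a verdict."""
    findings = []
    for drive, label in volume_labels.items():
        if label.strip().lower() == HARDBIT_VOLUME_LABEL:
            findings.append({"type": "volume_label", "drive": drive, "label": label})
    for p in file_paths:
        if PureWindowsPath(p).name.lower() == "hard.txt":
            findings.append({"type": "config_file", "path": p})
    return findings


def triage(log_text, volume_labels, file_paths):
    """Run all checks and return the combined list of findings."""
    events = parse_log(log_text)
    return (detect_rdp_bruteforce(events) + detect_defender_tampering(events)
            + check_host_artifacts(volume_labels, file_paths))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_VOLUMES, SAMPLE_FILES):
        print(finding)
```

The brute-force check keys on logon type 10 so that console (type 2) or network (type 3) failures do not inflate the count, and it upgrades the finding when a successful RDP logon from the same source follows the burst; the Defender check watches both the Defender event channel and the policy registry value, since a payload that writes the registry key directly may not emit 5001 until the service reacts.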
Impact
- Financial Loss
- Data Exfiltration
- File Encryption
- Sensitive Data Theft
- Data Loss
Remediation
- Implement robust multi-layered security measures to detect and respond to ransomware and cyber espionage activities.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.