
New HardBit ransomware variant increases stealth and persistence


The HardBit ransomware-as-a-service (RaaS) operation has a new variant that increases the ransomware’s ability to avoid detection, establish persistence and prevent recovery.

Cybereason reported on the new HardBit 4.0 variant in a blog post last week, highlighting two main updates: passphrase protection and packing with the Neshta virus, which has become a popular ransomware dropper in recent years.

The latest version also carries over a notable feature from HardBit 3.0: separate command line interface (CLI) and graphical user interface (GUI) versions of the malware, providing HardBit customers with options to choose from in their attacks.

What is HardBit ransomware?

The HardBit ransomware group first appeared in 2022 and does not have a public leak site, with most communication with its victims occurring over the encrypted messaging service Tox. Nevertheless, HardBit’s ransom note threatens to publish victims’ data if a ransom is not paid.

It is currently unknown how HardBit threat actors gain initial access to victims’ systems, although Cybereason noted it has observed evidence of remote desktop protocol (RDP) and server message block (SMB) brute forcing in its research.

Once the attackers gain initial access, they use the Windows credential extracting tool Mimikatz, the RDP brute forcing tool NLBrute and the network discovery tools Advanced Port Scanner, KPortScan 3.0 and 5-NS new.exe to assist with lateral movement, infecting as many machines within a corporate network as they can.

Once the ransomware is executed, it begins encrypting files, changes the encrypted files’ icons to the HardBit logo and changes the machine’s desktop background to a message stating: “If you see this background then you are definitely encrypted by HardBit 4.0. Don’t stress and just read the help file. Everything is written there.”

HardBit 2.0 through 4.0 all include measures to disable Windows Defender, prevent recovery and delete backups via the BCDEdit, Vssadmin, WBAdmin and WMIC tools, and obfuscate the ransomware’s .NET binary using the Ryan-_-Borland_Protector Cracked v1.0 packer tool, which is believed to be a modified version of the open-source ConfuserEx .NET packer.
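The recovery-inhibition commands named above (BCDEdit, Vssadmin, WBAdmin and WMIC) are the same ones defenders typically alert on from process-creation telemetry. The following is an added example, not code from the article or from Cybereason: a small detector that runs over constructed, pipe-delimited process-creation records (timestamp, host, user, image path, command line) and flags the command patterns associated with shadow copy deletion, backup catalog deletion and disabling Windows recovery. The record format, host names and rule names are assumptions for illustration.

```python
"""Flag process-creation events that match recovery-inhibition commands
(vssadmin/wmic shadow copy deletion, wbadmin catalog deletion, bcdedit
recovery changes). Added example; the record format is constructed."""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    ts: str
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # full command line as logged


# Rule name -> (executable basename, regex applied to the lower-cased command line).
# Listing only the destructive sub-commands keeps benign use (e.g. "vssadmin list
# shadows", "bcdedit /enum") out of the findings.
RULES = {
    "shadow_copy_delete_vssadmin": ("vssadmin.exe", r"\bdelete\s+shadows\b"),
    "shadow_storage_resize_vssadmin": ("vssadmin.exe", r"\bresize\s+shadowstorage\b"),
    "shadow_copy_delete_wmic": ("wmic.exe", r"\bshadowcopy\b.*\bdelete\b"),
    "recovery_disabled_bcdedit": (
        "bcdedit.exe",
        r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b",
    ),
    "backup_catalog_delete_wbadmin": ("wbadmin.exe", r"\bdelete\s+(catalog|systemstatebackup)\b"),
}


def parse_event(line: str):
    """Parse 'ts|host|user|image|cmdline' (constructed format); None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return ProcEvent(*[p.strip() for p in parts])


def match_rules(event: ProcEvent):
    """Return the names of every rule the event matches."""
    base = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.cmdline.lower()
    return [name for name, (exe, pattern) in RULES.items()
            if base == exe and re.search(pattern, cmd)]


def scan(lines):
    """Return (timestamp, host, rule) for every matching event, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev):
            findings.append((ev.ts, ev.host, rule))
    return findings


# Constructed sample telemetry: two benign admin commands mixed with four
# recovery-inhibition commands on the same host inside one minute.
SAMPLE_EVENTS = [
    "2024-07-15T09:12:01Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "2024-07-15T09:12:44Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-07-15T09:12:45Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2024-07-15T09:12:46Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2024-07-15T09:12:47Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "2024-07-15T09:13:00Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum",
]


if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

Several distinct rules firing on one host within a short window is the signal worth paging on; a single `vssadmin delete shadows` can be legitimate backup maintenance, so correlating the count per host per minute is the usual next step.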

HardBit’s ransom note instructs victims to tell the attackers the maximum ransom their cybersecurity insurance plan will cover, stating, “since the sneaky insurance agent purposefully negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us.”

New features of HardBit 4.0

One of the notable new features of the latest HardBit variant is its packing and delivery by the Neshta virus, adding an additional layer of obfuscation and making the malware more difficult to remove from the victim’s system.

Neshta has been active since 2003 and has been used by various threat actors and ransomware groups as a dropper for malware payloads in recent years, according to Cybereason. The packed HardBit 4.0 binary is dropped by Neshta into the %TEMP% directory and then executed by Neshta using ShellExecuteA.

Neshta establishes persistence by copying itself to the %SYSTEMROOT% directory disguised as the legitimate Windows service “svchost.com” and updating the HKLM\SOFTWARE\Classes\exefile\shell\open\command registry key to run this “svchost.com” copy whenever an executable is launched, Cybereason explained. Any executable under the %TEMP%, %SYSTEMROOT% or \PROGRA-1\ directories is targeted by Neshta for infection.
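The exefile handler hijack described above is easy to audit because the key has one well-known default value, `"%1" %*`, which simply launches the requested executable. The following is an added example, not code from the article or from Cybereason: it classifies the handler string as clean, hijacked in the svchost.com pattern, or otherwise unexpected, and on a Windows host can read the live value with `winreg`. The sample handler strings are constructed; the verdict labels are assumptions for illustration.

```python
"""Audit the HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command handler for
the Neshta-style redirection through a copied "svchost.com". Added example."""
import os
import re

KEY_PATH = r"SOFTWARE\Classes\exefile\shell\open\command"
EXPECTED_HANDLER = '"%1" %*'   # stock Windows value: run the exe itself


def assess_exefile_handler(value: str):
    """Return (verdict, detail) for the key's (Default) data."""
    v = value.strip()
    if v == EXPECTED_HANDLER:
        return ("ok", "handler launches the target executable directly")
    # The first token (quoted or bare) is the program that actually runs
    # before the real target does.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', v)
    program = (m.group(1) or m.group(2)) if m else ""
    base = os.path.basename(program.replace("\\", "/")).lower()
    if base == "svchost.com":
        return ("hijacked", f"every exe launch is routed through {program} "
                            "(the Neshta persistence pattern)")
    return ("suspicious", f"unexpected handler '{program}'; every exe launch passes through it")


def svchost_com_present(systemroot: str) -> bool:
    """Second indicator from the article: a 'svchost.com' file in %SYSTEMROOT%.
    The legitimate service host is svchost.exe under System32, not a .com file."""
    return os.path.isfile(os.path.join(systemroot, "svchost.com"))


def read_handler_from_registry():
    """Windows only: return the live (Default) data, or None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        data, _ = winreg.QueryValueEx(key, "")   # "" selects the (Default) value
        return data


# Constructed sample handler strings as they might be exported from the key.
SAMPLE_HANDLERS = {
    "clean":    '"%1" %*',
    "neshta":   '%SystemRoot%\\svchost.com "%1" %*',
    "wrapper":  'C:\\Tools\\wrapper.exe "%1" %*',
}


if __name__ == "__main__":
    live = read_handler_from_registry()
    for label, handler in (("live", live),) if live else SAMPLE_HANDLERS.items():
        verdict, detail = assess_exefile_handler(handler)
        print(f"{label:8} {verdict:10} {detail}")
    root = os.environ.get("SystemRoot", r"C:\Windows")
    print("svchost.com in SystemRoot:", svchost_com_present(root))
```

Because the hijacked handler runs on every executable launch, remediation has to restore the key value before the dropped `svchost.com` is removed; deleting the file first leaves the key pointing at a missing program and blocks launching any executable at all.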

Another unique feature of HardBit 4.0, compared with past HardBit versions, is the use of a passphrase that needs to be provided during runtime in order to properly execute the ransomware, Cybereason found. This additional stealth measure hinders analysis of the malware, which also makes incident recovery more difficult.

HardBit GUI lets attackers choose between ransom or wiper mode

Since HardBit 3.0, the RaaS group has offered two different versions of the ransomware: CLI, which consists of a single execution chain, or GUI, which gives the attacker more control over the execution flow, Cybereason wrote.

The GUI version also contains two different attack “modes,” allowing threat actors to choose between encrypting victims’ files or deleting them. The researchers noted that the wiper option can only be used if the attacker has access to a configuration file called “hard.txt,” suggesting this mode requires an additional purchase from the HardBit group.

Given the lack of a public leak site for HardBit, little is known about the group’s victims, and any data exfiltration methods used by the group and its affiliates also have yet to be identified. The ransomware’s continued activity and evolution point to the need for robust solutions to prevent malicious executions, protect backups and reliably detect dangerous downloads like Neshta before they establish a foothold in an organization’s network.
