
Researchers have uncovered a new strain of ransomware known as HardBit, bundled with fresh obfuscation techniques intended to thwart analysis. In version 4.0 the HardBit gang added passphrase protection to the payload, something earlier iterations lacked.
First observed in October 2022, the group is a financially motivated threat actor that uses double extortion to turn a profit. It stands out because it does not operate a data leak site; the stolen data is instead used only as leverage to threaten the victim. Its main means of communication is the Tox instant messaging service.
The initial access vector is unknown, though brute-forcing of exposed RDP and SMB services is thought to be involved. The next steps are network discovery with tools such as Advanced Port Scanner and credential theft with tools such as Mimikatz and NLBrute, which let the attackers move laterally across the network over RDP.
Once a host has been compromised, the payload is launched. It then takes several actions to weaken the host's security posture before encrypting the victim's data. HardBit itself is delivered by the well-known file infector virus Neshta, which is how the ransomware reaches the hosts it encrypts.
To evade detection and prevent system recovery, HardBit is also built to turn off Microsoft Defender Antivirus and to stop processes and services. Once files are encrypted, their icons are changed, the desktop wallpaper is replaced, and the system volume label is set to read "Locked by HardBit."
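The host-level side effects described above are easy to check for directly. The following PowerShell hunt script is an added example, not code from the HardBit report or the malware authors; it looks for the two indicators the write-up names that survive on a running host (a volume label containing "Locked by HardBit" and Microsoft Defender Antivirus being turned off) and records the current wallpaper path for comparison against a known-good baseline. The Defender policy registry value it checks (`DisableAntiSpyware`) is a general Windows setting commonly used to disable Defender; the page does not say HardBit sets it, so treat that check as an assumption. Run it as Administrator on the host under investigation.

```powershell
# Added hunt script (not from the HardBit report). Collects host indicators
# consistent with a HardBit infection and prints them as findings.
$findings = @()

# 1. Volume label set by the ransomware ("Locked by HardBit", per the report).
foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter }) {
    if ($vol.FileSystemLabel -like '*Locked by HardBit*') {
        $findings += "Volume $($vol.DriveLetter): label is '$($vol.FileSystemLabel)'"
    }
}

# 2. Defender state: engine or real-time protection switched off.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is disabled' }
} catch {
    # Defender module missing or service unreachable is itself worth a look.
    $findings += "Defender status unavailable: $($_.Exception.Message)"
}

# Assumption: a policy-based disable via this well-known registry value.
# The report does not state HardBit uses it; it is checked here because it is
# a common way to turn Defender off persistently.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) {
    $findings += "$polKey\DisableAntiSpyware = 1 (Defender disabled by policy)"
}

# 3. Wallpaper path of the current user, informational only: compare it against
#    your baseline image rather than treating any value as malicious.
$wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
        -ErrorAction SilentlyContinue).Wallpaper
if ($wp) { Write-Output "[i] Current wallpaper: $wp" }

if ($findings.Count -eq 0) {
    Write-Output 'No HardBit host indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A clean host prints only the informational wallpaper line; any `[!]` line warrants isolating the machine and pulling the Defender operational log and service-control events before the remaining evidence is overwritten.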
The ransomware is available in both command-line and GUI versions, and it requires an authorization ID to function. The GUI flavor additionally offers a wiper mode that permanently erases files and cleans the drive. Once the operator enters the correct decoded authorization ID, the ransomware operation can proceed: HardBit then prompts for an encryption key, which is used to encrypt the files on the target workstations.
Wiper mode has to be enabled by the HardBit gang itself, which suggests it is an extra feature that operators must pay for. To enable it, operators deploy hard.txt, an optional configuration file for the HardBit binary that supplies the authorization ID.

