HardBit Ransomware 4.0 Utilizes Passphrase Protection to Elude Detection

July 15, 2024

Cybersecurity experts have unearthed a new version of the ransomware strain known as HardBit. This latest iteration employs sophisticated obfuscation methods to frustrate analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," stated Cybereason researchers Kotaro Ogino and Koshi Oyama. The ransomware requires a passphrase to be entered during runtime for it to execute correctly.

HardBit first appeared in the cybersecurity landscape in October 2022. It is a threat actor driven by financial motives, employing double extortion tactics to generate illegal income. Unlike its peers, HardBit does not operate a data leak site. Instead, it pressures victims into paying by threatening to launch additional attacks in the future. The group primarily communicates through the Tox instant messaging service.

The exact method used by HardBit to breach target systems is not currently known. However, it is believed to involve brute-forcing RDP and SMB services. Once inside a system, HardBit performs credential theft using tools like Mimikatz and NLBrute and conducts network discovery with utilities such as Advanced Port Scanner. This allows the attackers to move laterally across the network using RDP.

HardBit is also engineered to disable Microsoft Defender Antivirus and halt processes and services. This helps it evade detection and obstructs system recovery. After reducing the security posture of the victim's host, HardBit encrypts files, updates their icons, changes the desktop wallpaper, and alters the system's volume label to "Locked by HardBit."

The ransomware is offered to operators in command-line or GUI versions and necessitates an authorization ID for successful execution. The GUI version also supports a wiper mode that permanently erases files and wipes the disk. "Once threat actors successfully input the decoded authorization ID, HardBit prompts for an encryption key to encrypt the files on the target machines and it proceeds with ransomware procedure," Cybereason explained.

Meanwhile, cybersecurity firm Trellix detailed a CACTUS ransomware attack that exploited security flaws in Ivanti Sentry (CVE-2023-38035) to install the file-encrypting malware using legitimate remote desktop tools like AnyDesk and Splashtop. Ransomware activity continues to surge in 2024, with ransomware actors claiming 962 attacks in the first quarter of 2024, up from 886 attacks reported year-over-year. The most prevalent ransomware families during this period were LockBit, Akira, and BlackSuit, according to Symantec.

Palo Alto Networks' 2024 Unit 42 Incident Response report revealed that the median time from compromise to data exfiltration dropped from nine days in 2021 to two days in 2023. In nearly half of the cases this year, it was just under 24 hours. The Broadcom-owned company stated that exploitation of known vulnerabilities in public-facing applications continues to be the main vector for ransomware attacks.

Related News

• Phobos Ransomware Targets U.S. Critical Infrastructure: Government Agencies Issue Warning
• Critical Ivanti Authentication Bypass Bug Now Actively Exploited, Warns CISA
• Ivanti's Connect Secure VPN and Policy Secure NAC Appliances Face Mass Exploitation
• Critical Remote Code Execution Vulnerability in Ivanti's Endpoint Management Software
• Critical Ivanti Sentry Bug Abused as Zero-Day: Exploit Released

Latest News

• Rapid Exploitation of PoC Exploits by Hackers: A Cloudflare Security Report
• Critical Vulnerability in Exim Mail Servers Affects 1.5 Million Instances
• Akira Ransomware: Accelerated Data Exfiltration in Roughly Two Hours
• Rise in Attacks by Crystalray, the New OSS-Based Threat Actor
• PHP Flaw Exploited by Threat Actors to Disseminate Malware and Initiate DDoS Attacks