
HardBit 2.0 Ransomware Asks for Insurance Policy to Negotiate Ransom

The threat of ransomware keeps growing, with new variants appearing regularly. One relatively new family, HardBit, has released a new strain that has been observed from the end of 2022 into 2023.

What’s been found

HardBit 2.0, which still appears to be under development, has several notable capabilities.
  • Unlike ransomware strains that write encrypted data to a new copy of the file and then delete the original, HardBit 2.0 opens each file and overwrites its contents with the encrypted data in place, which also removes any chance of recovering the plaintext from deleted-file remnants on disk.
  • The current version includes several evasion capabilities, such as modifying the Registry to disable Windows Defender’s real-time behavioral monitoring, process scanning, and on-access file protection.
  • The data collected by the variant includes CPU details, information on disk drives, IP configuration, MAC address, system manufacturer, usernames, computer name, and network adapter settings.
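The Defender-tampering behavior above is done through policy values in the Registry, so a defender can audit those values directly. The script below is an added example and is not code from the article or from HardBit; it checks the documented Windows Defender policy values that switch off real-time, behavior, and on-access protection, and then compares them with the engine's live state. Which specific values HardBit 2.0 sets is not stated on this page, so the list is an assumption based on the protections the article names.

```powershell
# Added example (not from the original article): audit the Defender policy
# Registry values whose presence with data 1 disables the protections that
# HardBit 2.0 is reported to turn off. The value names are Microsoft's
# documented policy values; which of them HardBit actually sets is an
# assumption for illustration.

$rootKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

# Each entry maps a value name to the protection it disables when set to 1.
$watch = @(
    @{ Key = $rootKey; Name = 'DisableAntiSpyware';          What = 'Defender engine' }
    @{ Key = $rtpKey;  Name = 'DisableRealtimeMonitoring';   What = 'real-time protection' }
    @{ Key = $rtpKey;  Name = 'DisableBehaviorMonitoring';   What = 'behavior monitoring' }
    @{ Key = $rtpKey;  Name = 'DisableOnAccessProtection';   What = 'on-access file protection' }
    @{ Key = $rtpKey;  Name = 'DisableScanOnRealtimeEnable'; What = 'process scanning when real-time protection is enabled' }
    @{ Key = $rtpKey;  Name = 'DisableIOAVProtection';       What = 'scanning of downloaded files and attachments' }
)

function Get-DefenderPolicyTampering {
    foreach ($w in $watch) {
        # A missing key or value is the normal state; only data 1 is a finding.
        $item = Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($w.Name) -eq 1) {
            [pscustomobject]@{
                Key    = $w.Key
                Value  = $w.Name
                Status = "DISABLED: $($w.What)"
            }
        }
    }
}

$findings = @(Get-DefenderPolicyTampering)
if ($findings.Count -eq 0) {
    Write-Output 'No Defender policy values set to disable protection.'
} else {
    $findings | Format-Table -AutoSize
}

# Cross-check the live engine state. Tamper Protection, when enabled,
# blocks exactly this kind of Registry-driven change.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    OnAccessProtectionEnabled = $status.OnAccessProtectionEnabled
    IoavProtectionEnabled     = $status.IoavProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
}
```

Run it from an elevated PowerShell session. The point-in-time check is useful during triage; for continuous coverage, alert on Registry value-set events (Sysmon Event ID 13) under these two key paths, and keep Tamper Protection on so that the policy write is refused in the first place.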

What makes the campaign unique

Notably, as part of the negotiation, victims with cyber insurance policies are encouraged to disclose their policy details to the attackers so that the ransom demand can be set to match the coverage.
  • This is a trick adopted by the operators so that their ransom demand is covered by the victim’s insurer, without involving intermediaries.
  • Victims are given 48 hours to get in touch with the attackers, who use an open-source, encrypted peer-to-peer chat program.

A brief overview of HardBit

HardBit ransomware was first observed in October 2022, targeting organizations to extort cryptocurrency payments for the decryption of their data.
  • Like most modern ransomware families, HardBit claims to steal sensitive data from its victims.
  • It does not appear to operate a leak site, so it is not using the double-extortion tactic of naming and shaming victims.
  • To put pressure on victims, the gang threatens further attacks if they fail to fulfill the ransom demand.

Conclusion

The recent tactic of tying ransom demands to cyber insurance policies shows that these threat actors will go to any lengths to maximize profit. Organizations must refrain from sharing their insurance details, as doing so may jeopardize their ability to claim under the policy. Instead, it is recommended to refuse to pay the ransom, report the incident to law enforcement, and maintain a consistent, tested backup strategy. Organizations can also use the IOCs associated with HardBit 2.0 to understand its attack patterns and improve their security posture.