The latest 4.0 version of the HardBit ransomware requires a passphrase at runtime to execute properly. It also comes in two flavours: a command-line interface and a GUI. That way, criminals with different skill levels can use it. That’s according to an analysis by cybersecurity specialists who point to this ransomware’s level of sophistication and user-friendliness.
Researchers Kotaro Ogino and Koshi Oyama write in their analysis of HardBit 4.0 that the malware also uses several obfuscation methods to hinder analysis. The delivery method is fairly conventional: the file-infecting virus Neshta adds its code to executable files.
Like many other ransomware groups, the group behind HardBit 4.0 sells its product to other criminals (ransomware-as-a-service), but it also carries out attacks with its own malware. Unlike many other groups seen recently, it does not publish stolen data on criminal marketplaces or ‘leak sites’. It therefore does not appear to practise ‘double extortion’, in which data is both encrypted and stolen.
Instead, they only encrypt the data, demand a ransom and threaten to launch more attacks. To communicate with their victims, they use the instant messaging platform TOX. The initial ransom note contains the TOX ID the victim must use to communicate with the criminals. HardBit appears similar to LockBit in presentation and modus operandi, but that could also be copycat behaviour.
Brute-forcing of RDP and SMB
The researchers say they do not know exactly how the criminals behind the HardBit 4.0 malware initially gain access. However, they suspect they brute-force open Remote Desktop Protocol (RDP) and Server Message Block (SMB) services. Once delivered, the malware disables Microsoft Defender Antivirus and other processes and services that could lead to its discovery or easy recovery of the compromised system. After files are encrypted, the malware modifies icons, changes the desktop background and changes the volume label to ‘Locked by HardBit’.
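The suspected initial-access path above (password guessing against exposed RDP and SMB) leaves a characteristic trace in Windows Security logs: bursts of failed logons (Event ID 4625) from one source address, often against several accounts. The script below is an added illustration of that detection logic and is not code from the researchers' analysis; it runs over constructed sample lines (a flattened timestamp / EventID / LogonType / TargetUserName / IpAddress form, an assumed layout rather than any real log format) and flags sources that exceed a threshold of failed remote logons inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): one flattened Windows
# Security event per line: timestamp, EventID, logon type, target user, source IP.
SAMPLE_LOG = """\
2024-05-01T10:00:01 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2024-05-01T10:00:09 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2024-05-01T10:00:17 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2024-05-01T10:00:25 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.5
2024-05-01T10:00:33 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.5
2024-05-01T10:00:41 4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.5
2024-05-01T10:01:00 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-01T10:01:30 4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-01T10:05:00 4625 LogonType=2 TargetUserName=kiosk IpAddress=127.0.0.1
2024-05-01T11:00:00 4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9
2024-05-01T11:12:00 4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9
2024-05-01T11:24:00 4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9
2024-05-01T11:36:00 4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9
2024-05-01T11:48:00 4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9
2024-05-01T12:00:00 4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9
"""

# Assumed flattened line layout; adapt the pattern to the SIEM export in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Windows logon types matching the two services named in the article:
# 10 = RemoteInteractive (RDP), 3 = Network (SMB and other network logons).
REMOTE_LOGON_TYPES = {"3", "10"}
FAILED_LOGON = "4625"


def parse_events(text):
    """Parse flattened event lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_bruteforce(events, threshold=5, window_minutes=5):
    """Return {source_ip: (max_failures_in_window, sorted_target_users)} for
    every source that produced at least `threshold` failed RDP/SMB logons
    inside some sliding interval of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        if e["eid"] == FAILED_LOGON and e["lt"] in REMOTE_LOGON_TYPES:
            by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best = 0
        users = set()
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                best = max(best, count)
                users.update(x["user"] for x in evs[start:end + 1])
        if best:
            hits[ip] = (best, sorted(users))
    return hits


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed remote logons, targets: {', '.join(users)}")
```

With the defaults only 203.0.113.5 is reported: six failures against four accounts in under a minute. The single typo from 198.51.100.7 followed by a successful 4624, the console logon (type 2), and the slow drip from 203.0.113.9 are all ignored. Widening `window_minutes` catches the slow source too, which is the usual tuning trade-off between catching low-and-slow guessing and drowning in false positives from ordinary mistyped passwords.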
HardBit is a .NET binary packed with a packer identified as Ryan-_-Borland_Protector Cracked v1.0, probably a modified version of the obfuscation tool ConfuserEx. That tool has a long track record among cybercriminals, including in the RedLine Infostealer campaign.