11001978265?profile=RESIZE_400xActivity Summary - Week Ending on 23 March 2023:

  • Red Sky Alliance identified 33,558 connections from new IP’s checking in with our Sinkholes
  • RackForest in Hungary hit
  • Analysts identified 438 ‘new’ IP addresses participating in various Botnets
  • Dark Web Data
  • HardNit 2.0
  • HardNit SHA256
  • India Mobile Phones
  • NBA



Red Sky Alliance Compromised (C2) IP’s 







52 was reported 3 times. Confidence of Abuse is 2%:  ISP:  RackForest Kft;  Usage Type:  Data Center/Web;  Hosting/Transit: --  Domain Name:  rackforest.com;  Country:   Hungary, Budapest, Budapest.


On 22 March 2023, Red Sky Alliance identified 33,558 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant


Times Seen











Top 5 Malware Variant and number of contacts.  Sality and Corkow has consistently remain the top variants. 
Shiz follows.


 Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com


Red Sky Alliance Botnet Tracker

On 22 March 2023, analysts identified 438 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

First_ Seen

Botnet Attribution

Infected Host’s IPv4 Address


SOCKS4 proxy|port: 4145


SOCKS4 proxy|port: 4145


SOCKS4 proxy|port: 4145


SOCKS4 proxy|port: 4145


SOCKS4 proxy|port: 4153


Red Sky Alliance Dark Web Data

Dark Web data is collected from a variety of pages on the Tor network and their plain web mirrored counterparts or plain-web forums with intent overlap.  This includes forums, ransomware listings, and marketplaces.  Data found in this is broad as it will contain companies already breached, various login credentials (personal and business), and variety of software, identification papers, and counterfeit items for sale.










HardNit 2.0 - FortiGuard Labs latest edition of the Ransomware Roundup covers the HardBit 2.0 ransomware.[1]

Affected platforms:         Microsoft Windows
Impacted parties:             Microsoft Windows Users
Impact:                               Encrypts files on the compromised machine and demands ransom for file decryption
Severity level:                   High

HardBit 2.0 Ransomware

Overview - HardBit ransomware dates to at least October 2022, with the current 2.0 version having been released shortly thereafter, in November 2022.  As is commonplace now, HardBit leverages the “double extortion” technique of encrypting the files of a victim for ransom and then backstopping that action with a threat to release sensitive information and data if the ransom is not paid.

HardBit 2.0 Ransomware Infection Vector - Information on the infection vector used by this group is not currently available. However, it is not likely to differ greatly from other ransomware groups.

HardBit 2.0 Ransomware Execution - Upon execution, HardBit 2.0 terminates processes and services to slow the potential detection of its activities.  It then encrypts files of interest and renames them to something random followed by [id-XXXX].[contact email].hardbit2.

11001976497?profile=RESIZE_584xFigure 1. Files encrypted by HardBit 2.0

In each directory where files have been encrypted, an HTA file named “Help_me_for_Decrypt.hta” and a ransom note named “How To Restore Your Files.txt” are deposited.

11001977256?profile=RESIZE_584xFigure 2. HardBit JPEG and ransom note.

The ransom note contains an explanation of what has happened, a guarantee of recovery if payment is made, and e-mail addresses for contacting the attacker.  Quite interestingly, there is no price specified in the ransom, ensuring a victim will have to contact the attacker to negotiate.  Additionally, there is an entire paragraph on cyber insurance and the suggestion to undercut the provider by providing details of the insurance policy “anonymously”.  This is (by their logic) a way to ensure their payment demands don’t exceed the maximum policy threshold so both the attacker and the policyholder get their payout.

11001976894?profile=RESIZE_584xFigure 3. The HardBit ransom note.

11001977268?profile=RESIZE_584xFigure 4. The paragraph in the ransom note regarding cyber insurance.

The HTA file is launched automatically once HardBit finishes encrypting the files on the host.  It also provides a Tox ID with which to contact the attacker.  Tox is an open-source, peer-to-peer instant messaging platform (https://en.wikipedia.org/wiki/Tox_(protocol)).  It also has additional warnings indicating that if contact is not made within 48 hours, the ransom will double.

11001977070?profile=RESIZE_584xFigure 5. HTA file dropped after encryption.

On the Desktop, a JPEG image, “HARDBIT.jpg”, is dropped. This becomes the background for the compromised machine.

11001977465?profile=RESIZE_584xFigure 6. JPEG file dropped after encryption.

The image reiterates that the victim should refer to the “Help_me_for_Decrypt.hta” and “How To Restore Your Files.txt” files deposited in their system. It also explains that files were also exfiltrated and explicitly threatens to release them for sale or onward publishing if contact is not forthcoming.

11001977482?profile=RESIZE_584xFigure 7. Altered desktop background.

File-based IOCs:




HardBit 2.0


HardBit 2.0


HardBit 2.0


HardBit 2.0

Best Practices - Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered.  According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).


India Mobile Internet Stop - Tens of millions of people in India’s Punjab state remain without mobile internet on Monday, as the provincial government says a shutdown will last into a fourth day.

On 18 March, the state government ordered a suspension of SMS and internet services on mobile devices as police searched for the leader of a Sikh separatist movement.  Some 27 million people in the northern state are affected by the blackout, which has not impacted non-mobile internet service.  On the 20th Punjab government officials announced the blackout would continue until at least midday the 21st.

11001977094?profile=RESIZE_400xDigital rights organizations decried the government’s tactics, pointing to the frequency with which the Indian government has switched off internet access in the name of security.  “Time and again, India halts its ambitious rise as a digital superpower by bringing large parts of its economy to its knees,” the Delhi-based Software Freedom Law Center said in a statement. “Indian authorities' first reflex action is to deprive everyone of access to the Internet.” A recent report from the internet watchdog Access Now found that in 2022 India was the worst offender globally for shutdowns, for the fifth consecutive year. More than half of all cases were in the disputed region of Kashmir.[2]

The government issued the order to sever mobile internet on Saturday shortly after police attempted to arrest Amritpal Singh, a Sikh preacher and leader of the Khalistan separatist movement, who managed to escape after a livestreamed car chase. More than 100 of his alleged supporters have been arrested and the government has extended the shutdown twice since it was first imposed.

The throttling of internet access has become more and more frequent worldwide, with governments in at least 35 countries having used the tactic in 2022, according to Access Now research. Recently, the Turkish government limited access to social media nationwide after people began complaining about the state’s earthquake response.

In India, digital rights organizations fear that a drafted telecommunications bill would make it even easier for officials to limit internet access.

US NBA - NBA is alerting fans after hack of third-party service provider.  The National Basketball Association (NBA) said it is contacting fans after an unnamed service provider was hacked.  An NBA spokesperson did not respond to questions about what service provider was hacked and when but said that the league is now trying to help those affected.  “We were recently made aware that an unauthorized third party gained access to the IT systems of an NBA service provider for mobile app and email communications.   As a result, copies of names and email addresses of some NBA fans were captured,” the spokesperson said.  The NBA was notified of the incident on 8 March.  “There is no impact whatsoever to the NBA’s systems or to the assets held securely at the NBA.  The league immediately took action to contain the issue, identify those impacted and communicate potential risks and next steps.”[3]

The incident was first reported by Bleeping Computer, which revealed that emails were sent out to an unspecified number of fans about a “cybersecurity incident.”   The messages say the third-party service provider helped the NBA communicate with fans through email.  The league also says that an investigation is ongoing and a cybersecurity firm has been hired to analyze the incident.

The NBA warned that customers should be wary of phishing emails or scams that will take advantage of the breach.  Any emails purporting to be from the NBA should be checked to make sure they came from a "@nba.com" email address.  Sports leagues have become ripe targets for hackers as more shift away from cable packages to their own personalized streaming offerings, thus taking on more direct responsibility for protecting data.

11001977861?profile=RESIZE_400xThe NBA’s Houston Rockets were hit with ransomware in 2021 that allowed for the theft of employee data, contracts, nondisclosure agreements, customer information and more.  The National Football League's San Francisco 49ers are still dealing with the aftermath of a 2022 ransomware attack that took place one week before Super Bowl Sunday.  More than 20,000 people had their Social Security numbers leaked in the attack.

Last week, the Justice Department sentenced Joshua Streit to three years in prison after he was convicted by a federal court for illegally accessing and reselling video streams for the NBA, NFL, Major League Baseball and the National Hockey League.  The 31-year-old Minnesota man streamed games on a site named HeHeStreams from 2017 to 2021.  He later tried to extort $150,000 from the MLB in exchange for not publicizing the vulnerability he used to hack its website.

[1] https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup?lctg=141970831

[2] https://therecord.media/india-punjab-mobile-internet-blackout/

[3] https://therecord.media/nba-third-party-service-provider-hacked/

Topics by Tags

Monthly Archives