HardBit Gets Harder to Analyze

The HardBit ransomware first appeared in October 2022, with a 2.0 version following shortly thereafter in November 2022. As one expects of a ransomware operation, HardBit targets organizations and demands cryptocurrency payments in exchange for decrypting data.

Earlier variants of HardBit are not noted as being especially unique, though one standout attribute is that the operators have enhanced their extortion tactics by demanding to know about the victim's potential cyber insurance coverage in order to increase their ransom demands. As part of this demand, they claim that insurers tend to be "sneaky" and avoid covering costs.

[Figure omitted] (Source: Cybereason)

Unlike many other ransomware families, HardBit does not maintain a leak site, nor is double extortion employed. Instead, HardBit simply threatens victims with additional attacks unless demands are met. Communication with victims is done primarily over the Tox instant messaging system.

HardBit 3.0 appeared in early 2023 with a few more features than its predecessor. Most notably, the 3.0 version supported GUI operation as well as a "wiper mode" for wiping a victim's disks and removing files. Interestingly, this feature needs to be explicitly enabled, indicating that it requires an additional purchase. It would also require the threat actors to deploy a configuration file alongside everything else.

Several actions take place during an attack. HardBit's infiltration tactics are not well documented, but Cybereason proposes that initial access is gained by brute forcing exposed RDP and SMB services; they observed a number of login failures from known brute-forcing IP addresses in their testing environment. One addition in the 4.0 version of HardBit is that it is now being delivered by a file infector virus called Neshta. Neshta has been around since 2003 and has been used by threat actors in the past to distribute other threats such as the BlackPOS malware and the Big Head ransomware.

Victims are greeted with a changed desktop background and icons as we can see in the screenshot below, along with various versions of a ransom note detailing how they should contact the attackers.

[Figure omitted: changed desktop background and icons] (Source: Cybereason)

HardBit gathers system information through web-based enterprise management tools and WMI functions to avoid analysis. HardBit also performs several pre-encryption steps, including deleting Volume Shadow Copy Service (VSS) snapshots, deleting the Windows backup catalog, changing the boot configuration, disabling Windows Defender features and terminating services, in addition to establishing persistence on the system.
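The pre-encryption steps listed above (shadow copy deletion, backup catalog deletion, boot configuration changes, Defender tampering) are the point at which defenders still have a chance to interrupt an attack, and each maps to a well-known administrative command line. The following is an added detection example, not code from the original post or from Cybereason: it runs a handful of rules over constructed process-creation log lines (an assumed `user|parent|command line` layout, not real HardBit telemetry) and then correlates hits by parent process, since one parent firing several distinct rules is a far stronger signal than any single command. The command-line patterns are the generic tooling commonly used for these actions; the write-up does not state which exact commands HardBit itself issues.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (assumed "user|parent|command line" layout).
# Benign administrative lines are mixed in to show that the rules stay quiet on them.
SAMPLE_EVENTS = [
    "svc_backup|services.exe|wbadmin start backup -backupTarget:E: -include:C:",
    "jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "jdoe|updater.exe|vssadmin.exe delete shadows /all /quiet",
    "jdoe|updater.exe|wbadmin.exe delete catalog -quiet",
    "jdoe|updater.exe|bcdedit.exe /set {default} recoveryenabled no",
    "jdoe|updater.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "jdoe|updater.exe|powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "admin|cmd.exe|vssadmin.exe list shadows",
]

# One rule per pre-encryption step named in the write-up. Each pattern matches the
# command line commonly used to perform that step (case-insensitive).
RULES = {
    "vss_shadow_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "boot_config_tampering": re.compile(
        r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I,
    ),
    "defender_disable": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
}


@dataclass(frozen=True)
class Hit:
    rule: str
    user: str
    parent: str
    command: str


def parse_event(line):
    """Split one constructed event line into (user, parent process, command line)."""
    user, parent, command = line.split("|", 2)
    return user, parent, command


def scan_events(lines):
    """Apply every rule to every event; return the list of Hit records in input order."""
    hits = []
    for line in lines:
        user, parent, command = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(command):
                hits.append(Hit(name, user, parent, command))
    return hits


def correlate_by_parent(hits, min_distinct_rules=2):
    """Group hits by parent process and keep only parents that triggered at least
    `min_distinct_rules` different rules, i.e. a chain of recovery-inhibition steps
    rather than a lone command that an administrator might legitimately run."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h.parent, set()).add(h.rule)
    return {p: sorted(rules) for p, rules in by_parent.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.rule:26} user={h.user:10} parent={h.parent:14} cmd={h.command}")
    print("suspicious parents:", correlate_by_parent(found))
```

The single benign `vssadmin list shadows` and the scheduled `wbadmin start backup` produce no hits, while the `updater.exe` parent accumulates four distinct rule hits and is the only process surfaced by the correlation step; the same logic ports directly to a SIEM query over Sysmon event ID 1 or Windows Security event 4688 command-line fields.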

Files of interest are encrypted, and past observations indicate that they are renamed to include a random string of characters, an apparent ID indicator, and a contact email address. Ransom notes are dropped in each directory containing encrypted files. An HTA version of the ransom note is launched automatically upon completion of the encryption process, and it also provides a Tox ID for contacting the attacker.
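During incident response the renaming scheme described above is useful for scoping: the embedded ID and contact address tie files to one campaign, and directories holding encrypted files but no note show where the process was interrupted. The following triage helper is an added example, not code from the original post or from Cybereason. It assumes a filename shape of `original.ext.<random>.[<id>].[<email>]`, modelled on the description above (real samples may differ), assumes two constructed ransom note filenames, and runs over a constructed file listing rather than a live disk.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed filename shape (constructed to match the description, not verified against samples):
#   <original name>.<random token>.[<victim id>].[<contact e-mail>]
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+?)\.(?P<rand>[A-Za-z0-9]+)\.\[(?P<id>[^\]]+)\]\.\[(?P<email>[^\]]+@[^\]]+)\]$"
)
# Assumed ransom note filenames (constructed placeholders, compared case-insensitively).
RANSOM_NOTE_NAMES = {"how to restore your files.txt", "help.hta"}

# Constructed file listing; not from a real HardBit infection.
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Documents\budget.xlsx.q7Xk2p.[ID-8F3A21].[contact@example.invalid]",
    r"C:\Users\jdoe\Documents\How To Restore Your Files.txt",
    r"C:\Users\jdoe\Documents\readme.md",
    r"C:\Users\jdoe\Pictures\holiday.jpg.a91Lm0.[ID-8F3A21].[contact@example.invalid]",
    r"C:\Users\jdoe\Pictures\Help.hta",
    r"C:\Users\jdoe\Pictures\Thumbs.db",
    r"C:\Data\archive\report.docx.zz0Qw3.[ID-8F3A21].[contact@example.invalid]",
]


def classify(path_str):
    """Return (kind, original_name, victim_id, email) where kind is
    'encrypted', 'note' or 'other'. Only the filename component is inspected."""
    name = PureWindowsPath(path_str).name
    if name.lower() in RANSOM_NOTE_NAMES:
        return ("note", name, None, None)
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return ("other", name, None, None)
    return ("encrypted", m.group("orig"), m.group("id"), m.group("email"))


def triage(listing):
    """Summarise a file listing: per-directory counts, campaign identifiers seen,
    which original extensions were hit, and directories whose encrypted files
    have no accompanying ransom note."""
    per_dir = {}
    victim_ids, emails, extensions = Counter(), Counter(), Counter()
    for path_str in listing:
        kind, orig, victim_id, email = classify(path_str)
        directory = str(PureWindowsPath(path_str).parent)
        counts = per_dir.setdefault(directory, {"encrypted": 0, "note": 0, "other": 0})
        counts[kind] += 1
        if kind == "encrypted":
            victim_ids[victim_id] += 1
            emails[email] += 1
            extensions[orig.rsplit(".", 1)[-1].lower() if "." in orig else ""] += 1
    dirs_without_note = sorted(d for d, c in per_dir.items() if c["encrypted"] and not c["note"])
    return {
        "per_dir": per_dir,
        "victim_ids": victim_ids,
        "contact_emails": emails,
        "original_extensions": extensions,
        "dirs_without_note": dirs_without_note,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for directory, counts in result["per_dir"].items():
        print(f"{directory}: {counts}")
    print("victim IDs:", dict(result["victim_ids"]))
    print("contact addresses:", dict(result["contact_emails"]))
    print("directories with encrypted files but no note:", result["dirs_without_note"])
```

On a real host the listing would come from a recursive directory walk of the affected volumes; keeping the regex anchored on the bracketed e-mail address makes it tolerant of a different random-token length, and the per-directory note check flags the `C:\Data\archive` directory in the sample as one where encryption ran but no note was written.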

The focus of the 4.0 update appears to be making HardBit more difficult to analyze. One of the key updates in the 4.0 version is passphrase protection: a passphrase must be provided at runtime for the ransomware to run properly. Before the executable runs, it first requires a decoded authorization ID, which is obtained by decoding an authorization ID file, packaged alongside the executable, with a private key. One interesting element of this feature is that the authorization ID file that is dumped appears to be updated on each execution.

[Figure omitted: authorization ID prompt] (Source: Cybereason)

The HardBit ransomware group also includes a GUI tool for decoding the authorization ID. This new feature, along with other detection avoidance techniques such as the way the sample is delivered or packed, makes analysis more troublesome, especially since the malware cannot be executed properly without the specific passphrase.

The ransomware itself is obfuscated using a packer named Ryan Borland Protector 1.0. This packer is a customized version of the open-source packer ConfuserEx. Tools such as these are generally used to protect against reverse engineering and provide a number of features such as symbol renaming, control-flow obfuscation, hiding method references, encrypting methods to prevent tampering, and encrypting constants.

In summary, HardBit is a ransomware family that has been around since at least October 2022 and was quickly updated to version 2.0 in November 2022. In general, its targets are organizations and ransom demands are made in cryptocurrency. HardBit demands information from victims on any cyber insurance they may hold in order to set ransom amounts. Communication is done over Tox, and the HardBit operators do not maintain a data leak site.

HardBit's initial access is proposed to be gained by brute forcing exposed RDP and SMB services. The ransomware is delivered by the file infector Neshta, a new aspect of the 4.0 version, and is packed with Ryan Borland Protector 1.0. Once file encryption is complete, the victim's desktop background and icons are changed to make the compromise obvious, and ransom notes with contact information are dropped in each directory containing encrypted files.

The most notable update in the newest version of HardBit is the passphrase requirement. Upon execution, the ransomware must be provided an authorization ID, which is obtained by decrypting an included ID file with a private key. This execution requirement ensures that the ransomware cannot be run properly without the ability to decode the authorization ID, thereby significantly hampering malware analysis.


[1]: https://hivepro.com/threat-advisory/hardbit-ransomware-a-threatening-cyber-attack-targeting-organizations-with-new-version-2-0/

[2]: https://www.bankinfosecurity.com/new-hardbit-20-ransomware-tactics-target-insurance-coverage-a-21286

[3]: https://thehackernews.com/2024/07/new-hardbit-ransomware-40-uses.html

[4]: https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup

[5]: https://www.cybereason.com/blog/hardening-of-hardbit

[6]: https://blogs.blackberry.com/en/2019/10/threat-spotlight-neshta-file-infector-endures

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com