
HardBit 4.0 ransomware launches with advanced passphrase protection


Illustration: JMiks | Shutterstock

The notorious HardBit ransomware group has significantly upgraded its malware in the latest version, HardBit 4.0. This iteration adds further obfuscation, including passphrase protection, and more diverse deployment options, improving its ability to evade detection and complicating mitigation efforts.

The ransomware first emerged in October 2022 and has steadily evolved, with notable advancements in each upgrade. Unlike many ransomware groups, HardBit does not maintain a leak site for double extortion. Instead, it focuses on encrypting victims’ data and threatens further attacks if the ransom is not paid. The group’s primary communication channel is the peer-to-peer instant messaging system TOX.

The key enhancements in version 4.0 include:

  • Binary obfuscation enhancement: HardBit ransomware version 4.0 has introduced passphrase protection, requiring a passphrase during runtime for proper execution. This enhancement complicates the analysis for security researchers due to additional obfuscation layers.
  • Binary variant: Operators can now choose between CLI and GUI versions of HardBit, catering to different technical skill levels. The GUI version offers a more intuitive interface, broadening the group’s market reach.
  • Common delivery methods: Similar to previous versions, Neshta delivers HardBit. The ransomware itself is a .NET binary, obfuscated by a packer believed to be a modified form of ConfuserEx, known as Ryan-_-Borland_Protector Cracked v1.0.

“Like many ransomware groups, the goal is financial gain via extortion and many of the TTPs introduced in this analysis overlap with different ransomware operators. However, the group’s communications methods, as well as their tools, differentiate them from well-known ransomware groups,” researchers said.

Neshta execution flow. | Source: Cybereason

Cybersecurity experts are not certain about the exact initial infection method. However, they hypothesize that threat actors gain access through brute force attacks on open RDP and SMB services. Researchers observed multiple login failures from known brute-forcing IP addresses.

Threat actors used credential theft tools such as Mimikatz and NLBrute. They also ran a BAT script with Mimikatz binaries to extract credentials, executed via misparser.vbs. Although they had LaZagne and NirSoft tools staged, they did not use these in this specific instance.

Threat actors retrieved tools like Advanced Port Scanner and KPortScan 3.0 for network discovery. Harvested credentials facilitated lateral movement through RDP, aiming to infect multiple machines within the victim’s network.

While specific methods remain unidentified, researchers noted the ransomware’s impact, including deploying HardBit-packed Neshta to encrypt target machines. The binary drops several files, including the ransomware, into the %TEMP% directory during execution.

HardBit ransomware attack flow. | Source: Cybereason

“Ransomware operators deploy HardBit packed Neshta onto infected machines to conduct encryption of the machines. HardBit ransomware deploys four files onto the machines, including the ransomware binary itself,” researchers note.

Researchers observed that the ransomware offers CLI and GUI versions, requiring an authorisation ID decoded from a private key for execution. The CLI versions operate in a single execution chain, while the GUI offers more control, including ransom and disk wiping modes.

HardBit disables Windows Defender via registry updates and PowerShell commands, stops multiple services to ensure its own execution succeeds, and uses tools such as BCDEdit and Vssadmin to inhibit system recovery, preventing users from restoring their systems after infection.
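The defence-impairment and recovery-inhibition steps described above are the kind of pre-encryption activity a SOC can catch from process-creation telemetry. The following is an added detection example, not code from the article or from Cybereason; it assumes a constructed log format of `pid|image|command_line` and sample lines written for this illustration.

```python
import re

# Constructed process-creation log lines in the hypothetical format "pid|image|command_line".
SAMPLE_LOGS = [
    r"4120|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"4132|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"4140|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r'4150|C:\Windows\System32\reg.exe|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r"4160|C:\Windows\explorer.exe|explorer.exe",
    r"4170|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",  # benign admin use, must not fire
]

# Each rule: (name, image regex, command-line regex). Both must match for a hit.
RULES = [
    ("shadow_copy_deletion", r"vssadmin\.exe$", r"delete\s+shadows"),
    ("boot_recovery_disabled", r"bcdedit\.exe$", r"recoveryenabled\s+no"),
    ("defender_disabled_powershell", r"powershell\.exe$", r"Set-MpPreference.*-Disable\w*Monitoring\s+\$true"),
    ("defender_disabled_registry", r"reg\.exe$", r"Windows Defender.*DisableAntiSpyware"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

# Map each rule to the behaviour it evidences, for correlation across events.
CATEGORY = {
    "shadow_copy_deletion": "inhibit_recovery",
    "boot_recovery_disabled": "inhibit_recovery",
    "defender_disabled_powershell": "impair_defenses",
    "defender_disabled_registry": "impair_defenses",
}

def parse_line(line):
    pid, image, cmdline = line.split("|", 2)
    return int(pid), image, cmdline

def detect(lines):
    """Return (pid, rule_name) for every log line that matches a rule."""
    hits = []
    for line in lines:
        try:
            pid, image, cmdline = parse_line(line)
        except ValueError:
            continue  # malformed line: skip rather than abort the whole batch
        for name, img_re, cmd_re in COMPILED:
            if img_re.search(image) and cmd_re.search(cmdline):
                hits.append((pid, name))
    return hits

def triage(hits):
    """'high' when a host shows both defence impairment and recovery inhibition, 'medium' for one, else 'none'."""
    seen = {CATEGORY[name] for _, name in hits}
    if {"inhibit_recovery", "impair_defenses"} <= seen:
        return "high"
    return "medium" if seen else "none"
```

Correlating the two behaviour categories on one host, rather than alerting on each command alone, is what separates a routine administrative shadow-copy cleanup from the pre-encryption pattern this article describes.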

After infiltration, HardBit encrypts target files, updates file icons and wallpapers and drops ransom notes with contact information.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
