A new version of a ransomware strain called "HardBit" was recently seen not only encrypting victims' files, but also negotiating a ransom demand by asking for a victim's cybersecurity insurance details.
HardBit was first observed in the wild back in October 2022 and was updated to version 2.0 by the end of November, according to data security and analytics company Varonis. This is the version currently making the rounds on the internet.
HardBit claims to steal sensitive data from its victims and leak it unless a ransom is paid. However, HardBit doesn't appear to have a data leak site where the stolen data is dumped. It is also reportedly not using the double extortion tactic where the ransomware's creators name and shame the victim and threaten them with the exposure of their confidential data.
Aside from encrypting a victim's files, HardBit also weakens the security of the host PC by disabling anti-spyware capabilities, real-time behavioral monitoring, real-time on-access file protection, and real-time process scanning through the Windows Registry. HardBit can even add itself to Windows' Startup folder and delete Volume Shadow copies to make data recovery difficult.
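The three host changes described above can be hunted for together in endpoint telemetry. The following Python is an added example, not code from Varonis or the original article: it assumes Sysmon-style events already parsed into dictionaries, uses Microsoft Defender's documented policy value names for the four protections listed (the article does not name the keys HardBit writes), and assumes shadow copies are removed with vssadmin or wmic. All sample events are constructed.

```python
import re
from collections import defaultdict
# Assumption: the article names no keys; these are Microsoft Defender's documented
# policy values for the four protections it lists. vssadmin/wmic are likewise assumed.
DEFENDER_POLICY = r"\software\policies\microsoft\windows defender"
DISABLE_VALUES = {
    "disableantispyware": "anti-spyware",
    "disablebehaviormonitoring": "behavioral monitoring",
    "disableonaccessprotection": "on-access file protection",
    "disablescanonrealtimeenable": "process scanning",
}
STARTUP_DIR = r"\start menu\programs\startup" + "\\"
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\W.*delete\s+shadows|wmic(\.exe)?\W.*shadowcopy\s+delete", re.I)

def classify(event):
    """Return a finding for one Sysmon-style event dict, or None if nothing matches."""
    if event["id"] == 13:  # registry value set
        target = event["target"].lower()
        name = target.rsplit("\\", 1)[-1]
        is_set = re.search(r"0x0*1\)", event["details"]) is not None
        if DEFENDER_POLICY in target and name in DISABLE_VALUES and is_set:
            return "defender-disabled: " + DISABLE_VALUES[name]
    elif event["id"] == 11:  # file created
        path = event["target"].lower()
        if STARTUP_DIR in path and path.endswith((".exe", ".lnk", ".bat")):
            return "startup-persistence"
    elif event["id"] == 1 and SHADOW_DELETE.search(event["cmdline"]):  # process created
        return "shadow-copy-deletion"

def triage(events, min_categories=2):
    """Report hosts that show at least min_categories distinct behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        finding = classify(ev)
        if finding:
            per_host[ev["host"]].add(finding)
    return {host: sorted(found) for host, found in per_host.items()
            if len({f.split(":")[0] for f in found}) >= min_categories}

# Constructed sample events (hosts, paths and file names are made up).
SAMPLE = [
    {"id": 13, "host": "WS-01", "details": "DWORD (0x00000001)", "target":
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"id": 11, "host": "WS-01", "target":
     r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.exe"},
    {"id": 1, "host": "WS-01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "host": "WS-02", "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk"},
]
```

Requiring two or more behaviours on the same host keeps a lone Startup shortcut from an ordinary installer (WS-02 in the sample) out of the results, while `min_categories=1` lists every individual match.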
Files that are set for encryption by HardBit are opened and then overwritten. Varonis believes that this is a move to thwart file recovery efforts compared to less-sophisticated ransomware strains that write encrypted data to a new file and delete the original.
Once the encryption process is complete, HardBit displays a ransom note (shown above). However, it doesn't inform the victim how much they need to pay. Instead, the note prompts the victim to contact the attackers within 48 hours through Tox, an encrypted messaging service. The note also warns against working with intermediaries, as doing so would drive the price up.
Notably, the threat actors behind HardBit encourage those with cyber insurance to share any details so that the ransom demand can be adjusted to fall within the policy. The note even goes as far as to say that sharing the insurance details is beneficial and insurers stand in the way of data recovery.
"For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars.
He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $1 million and other important details regarding insurance coverage, we would not demand more than $16 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information."
To fight ransomware attacks, it's important to report them to law enforcement and make sure you have offsite backups in place so you can easily recover your files. And to protect your systems from similar incidents in the future, always be cautious when opening unsolicited emails and attachments, and avoid visiting potentially malicious websites. Keep your security software updated as well so it can properly detect and remove malware.