HardBit 2.0 is a ransomware variant observed from late 2022 that steals sensitive data before encrypting it, and negotiates the ransom with each victim rather than demanding a fixed bitcoin amount in its note. It combines data theft, encryption, and multiple defense-evasion and persistence techniques, including WMI information gathering, registry edits that disable Defender, VSS/shadow copy deletion, and HTA-based ransom notes. #HardBit #HardBit2.0 #HTA #VSS

Keypoints

  • HardBit 2.0 emerged around November–December 2022, with activity continuing into 2023, and extorts victims through a combination of data theft and encryption.
  • Unlike some peers, HardBit has not been observed maintaining a public leak site or running leak-based double extortion, though its operators threaten further attacks if demands are not met.
  • Negotiations are conducted over email or the Tox instant-messaging platform, with demands potentially tailored for victims that hold cyber insurance.
  • The ransomware drops a custom icon (hrdb.ico), registers a hardbit2 file association for it in the registry, and briefly displays a wallpaper tied to its ransom note.
  • HardBit systematically lowers the victim's security posture: deleting VSS/shadow copies, editing the boot configuration to block recovery, and disabling Windows Defender features.
  • Persistence is achieved by copying the payload to the Startup folder under the name svchost.exe, so that it masquerades as the legitimate Windows service host.
  • The encryption phase overwrites each file's contents and renames it with a victim identifier and contact details, then displays HTA-based instructions and a desktop image to the user.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – "gathers information about the victim host via Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI) functions."
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – "cmd.exe /C sc delete VSS" and other command-line actions used to disable protections and manage components.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – "the PowerShell cmdlet Get-MpPreference is executed to output any configured Windows Defender preferences."
  • [T1112] Modify Registry – "registry changes to associate icons and disable Defender features" and the related registry edits described in the article.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – "Disable tamper protection; DisableAntiSpyware; DisableBehaviorMonitoring; DisableOnAccessProtection; DisableProcessModel" as part of the Defender disruption.
  • [T1490] Inhibit System Recovery – "Volume Shadow Copy Service/backups are deleted" and shadow copies removed to hinder recovery.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (formerly T1060) – "Startup folder persistence" so the payload runs again after reboot, under the svchost.exe masquerade.
  • [T1036] Masquerading – "the executable filename mimics svchost.exe" to evade detection.
  • [T1486] Data Encrypted for Impact – the "encryption phase", in which files are overwritten and renamed with an identifier and contact info.
  • [T1218.005] System Binary Proxy Execution: Mshta – "the HTA ransom note is executed to display interactive content via mshta.exe".
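The technique list above maps directly onto host-level detection content. The following Python is an added example written for this page, not code from the original summary or from Varonis: it runs a handful of rules over constructed process-creation and file-creation events and then counts distinct techniques, so that a chain of defense-impairment, recovery-inhibition and persistence steps on one host is flagged rather than any single command. The event field names (id, type, image, cmdline, path) are an assumption of the example; of the command strings, only "sc delete VSS" and Get-MpPreference are quoted on the page, while the vssadmin, wbadmin, wmic, bcdedit and reg.exe forms are assumed typical spellings of the actions the page describes.

```python
import re
from collections import Counter

# Command-line rules: (ATT&CK technique, description, regex). "sc delete VSS"
# and Get-MpPreference are quoted on the page; the vssadmin/wbadmin/wmic/bcdedit
# spellings and the reg.exe form of the Defender edits are assumed typical forms.
CMDLINE_RULES = [
    ("T1490", "shadow copy or backup catalog deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wbadmin(\.exe)?\s+delete\s+catalog"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|sc(\.exe)?\s+delete\s+vss)\b", re.I)),
    ("T1490", "boot configuration edited to suppress recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b", re.I)),
    ("T1562.001", "Windows Defender protection disabled",
     re.compile(r"\b(DisableAntiSpyware|DisableBehaviorMonitoring"
                r"|DisableOnAccessProtection|TamperProtection)\b", re.I)),
    ("T1059.001", "Defender configuration enumerated with Get-MpPreference",
     re.compile(r"\bGet-MpPreference\b", re.I)),
    ("T1218.005", "mshta.exe used to render an HTA file",
     re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)),
]

# Only these directories host the genuine service host binary.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def check_image_path(path):
    """Flag a file written to, or a process running from, a persistence or
    masquerade location. Returns a list of (technique, description)."""
    findings = []
    directory, _, name = path.lower().rpartition("\\")
    directory += "\\"
    if STARTUP_DIR_RE.search(path):
        findings.append(("T1547.001", "file placed in the Startup folder"))
    if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        findings.append(("T1036", "svchost.exe outside System32/SysWOW64"))
    return findings


def analyze(events):
    """Return one (event_id, technique, description) tuple per rule hit."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for tech, desc, rx in CMDLINE_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append((ev["id"], tech, desc))
            for tech, desc in check_image_path(ev["image"]):
                hits.append((ev["id"], tech, desc))
        elif ev["type"] == "file":
            for tech, desc in check_image_path(ev["path"]):
                hits.append((ev["id"], tech, desc))
    return hits


def technique_counts(events):
    """Number of hits per distinct technique, for scoring the chain."""
    return Counter(tech for _, tech, _ in analyze(events))


def looks_like_hardbit(events, min_techniques=3):
    """Chain-level verdict: a single 'vssadmin' can be an admin; several of
    these techniques together on one host look like pre-encryption staging."""
    return len(technique_counts(events)) >= min_techniques


# Constructed sample telemetry (not from the page or any real incident).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C sc delete VSS"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C vssadmin delete shadows /all /quiet"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-MpPreference"},
    {"id": 6, "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # genuine service host: no alert
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Desktop\Help_me_for_Decrypt.hta"},
    {"id": 9, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for event_id, tech, desc in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: [{tech}] {desc}")
    print("verdict:", "HardBit-like chain" if looks_like_hardbit(SAMPLE_EVENTS) else "no chain")
```

The verdict threshold is deliberately chain-based: a lone vssadmin or bcdedit command is routine administration, but recovery inhibition plus Defender tampering plus a Startup-folder svchost.exe on the same host within a short window is the pre-encryption sequence the summary describes and is worth an immediate response.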

Indicators of Compromise

  • [Email address] Threat actor contact addresses – alexgod5566@xyzmailpro[.]com, filetest@decoymail[.]net, and 2 more emails
  • [File name] Dropped files – HARDBIT.jpg, Help_me_for_Decrypt.hta, How To Restore Your Files.txt, README.txt, hrdb.ico
  • [SHA-256] File hashes – HARDBIT.jpg – e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (note: this value is the SHA-256 of zero-length input, so it cannot identify the wallpaper file and should not be loaded as a detection indicator), and 2 more hashes
  • [SHA-256] HardBit 2.0 samples – 422e0e4e01c826c8a9f31cb3a3b37ba29fb4b4b8c4841e16194258435056d8a3, a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992, and 2 more hashes

Read more: https://www.varonis.com/blog/hardbit-2-0-ransomware