Cybereason researchers have uncovered HardBit Ransomware’s latest version 4.0, which uses passphrase protection to enhance evasive capabilities.
Short Summary:
- Version 4.0 introduces passphrase protection during runtime.
- Advanced obfuscation techniques hinder malware analysis.
- HardBit employs double extortion without operating a data leak site.
The HardBit Ransomware has been a significant threat since its emergence in October 2022. The financially motivated group targets organizations to generate illicit revenues through double extortion tactics.
However, what sets HardBit apart from other ransomware groups is their unique communication strategy and absence of a data leak site.
The newly upgraded HardBit Ransomware 4.0, highlighted by Cybereason researchers Kotaro Ogino and Koshi Oyama, incorporates passphrase protection and enhanced obfuscation techniques, making it increasingly difficult for security analysts to dissect and understand the malware.
Technical Enhancements in HardBit 4.0
Unlike its predecessors, HardBit Ransomware 4.0 requires a passphrase to be provided during runtime for it to execute properly.
This added layer of protection ensures that even if the ransomware sample is obtained, without the passphrase, researchers cannot run the ransomware.
Additionally, new obfuscation strategies complicate reverse engineering, further hindering malware analysis efforts.
“HardBit Ransomware version 4.0 introduces passphrase protection, a significant enhancement over previous versions,” stated Cybereason researchers Kotaro Ogino and Koshi Oyama.
Binary Variants and Delivery Methods
HardBit 4.0 is available in two operational modes: command-line interface (CLI) and graphical user interface (GUI).
This flexibility allows operators of varying technical skill levels to employ the ransomware. HardBit is typically delivered using Neshta, a known .NET binary packer, which obfuscates the malware, making it challenging for security software to detect and analyze it.
The exact initial infection vector has not been confirmed. However, HardBit is suspected to gain access to victim systems by brute-forcing Remote Desktop Protocol (RDP) and Server Message Block (SMB) services.
“Once a victim host is compromised, the HardBit ransomware payload is executed, which reduces the security posture of the host before encrypting victim data,” Varonis described in a technical analysis.
Post-Compromise Activities
Following the initial breach, attackers typically perform credential theft and lateral movement within the network. They employ tools such as:
- Mimikatz for credential dumping.
- NLBrute for RDP brute-forcing.
- Advanced Port Scanner for network discovery.
These tools facilitate the spread of ransomware across the network, aiming to infect as many systems as possible.
Data Encryption and Detection Evasion
When HardBit is deployed, it carries out several steps to ensure successful data encryption:
- Disables Microsoft Defender Antivirus.
- Terminates processes and services that might interfere with encryption.
- Encrypts files, updates their icons, modifies the desktop wallpaper, and changes the system’s volume label to “Locked by HardBit”.
Both the CLI and GUI versions of HardBit require operators to input a decoded authorization ID and provide an encryption key to proceed with the ransomware attack.
The GUI version includes a wiper mode, which, if enabled, can irreversibly erase files and wipe disks.
Case Study: Varonis Forensics Team
In a recent forensic investigation by Varonis, multiple customer devices were encrypted in a ransomware attack. The attackers, using techniques familiar from HardBit operations, moved quickly through the following steps:
- Exploitation of ProxyShell vulnerabilities on Microsoft Exchange servers.
- Deployment of webshells to gain persistent server access.
- Use of Cobalt Strike for further network penetration.
- Credential theft using Mimikatz, followed by Pass-the-Hash attacks.
- Extensive network discovery and lateral movement.
- Ransomware deployment, culminating in data encryption and ransom demand notes.
“Exploitation of known vulnerabilities in public-facing applications remains the primary vector for ransomware attacks,” stated Broadcom-owned Palo Alto Networks in their 2024 Unit 42 Incident Response report.
Resilience and Evasion Techniques
HardBit ransomware utilizes several methods to maintain resilience and evade detection, including:
- Packing the ransomware binary with Neshta.
- Disabling Windows Defender features through registry updates and PowerShell commands.
- Stopping multiple services to ensure successful encryption.
Specific services targeted include those related to backup, antivirus, and database functions, further debilitating the victim’s ability to recover from the attack.
Inhibiting System Recovery
HardBit employs common ransomware techniques to inhibit system recovery, such as:
- Deleting shadow copies and backup catalogs using Vssadmin and WBAdmin commands.
- Disabling system recovery options via BCDEdit.
“Once the deletion is complete, the execution flow proceeds to enable a boot configuration to ignore any failures and disable recovery option,” Cybereason detailed.
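The Defender tampering, shadow-copy and backup-catalog deletion, and BCDEdit recovery changes described in the two sections above leave a recognisable sequence of child processes under the ransomware parent. The following detection logic is an added example written for this article, not code from Cybereason, Varonis or the HardBit authors; the Sysmon-style process-creation lines are constructed sample data, and the `hb.exe` path is a placeholder for whatever the dropped binary is called.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry):
# each line is "ParentImage|Image|CommandLine".
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\7-Zip\7z.exe|7z.exe a backup.7z C:\Users\alice\docs",
    r"C:\Users\alice\AppData\Local\Temp\hb.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"C:\Users\alice\AppData\Local\Temp\hb.exe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
    r"C:\Users\alice\AppData\Local\Temp\hb.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"C:\Users\alice\AppData\Local\Temp\hb.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"C:\Users\alice\AppData\Local\Temp\hb.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

# Each rule: (name, MITRE ATT&CK technique, regex applied to the command line).
# T1490 = Inhibit System Recovery, T1562.001 = Disable or Modify Tools.
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_disabled", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("defender_tampering", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware|DisableRealtimeMonitoring", re.I)),
]


def parse_event(line):
    """Split one constructed record into its three fields."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent, "image": image, "cmd": cmd}


def match_rules(event):
    """Return (rule name, technique id) for every rule the command line matches."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(event["cmd"])]


def scan(lines):
    """Group rule hits by parent process so the chain, not each command, is scored."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        for name, tid in match_rules(ev):
            hits.setdefault(ev["parent"], []).append((name, tid))
    return hits


def recovery_inhibition_chains(hits, threshold=2):
    """Parents that fired at least `threshold` distinct rules: a single vssadmin call
    may be an admin, but Defender tampering plus shadow deletion plus BCDEdit is not."""
    return {p: sorted({n for n, _ in v}) for p, v in hits.items()
            if len({n for n, _ in v}) >= threshold}
```

Running `recovery_inhibition_chains(scan(SAMPLE_EVENTS))` flags only the `hb.exe` parent with four distinct rules; the 7-Zip backup and the svchost line produce no hits.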
Obfuscation and Customization
The ransomware’s code is heavily obfuscated using a .NET protector known as Ryan-_-Borland_Protector Cracked v1.0, an advanced version of the open-source ConfuserEx. Different versions of HardBit have been observed using this protector to complicate reverse engineering efforts.
Operational Modes and Wiper Feature
The latest version of HardBit includes a wiper mode feature in its GUI, allowing operators to switch between encryption and data destruction. While the ransomware’s primary function remains data encryption, the wiper mode can be enabled for more destructive purposes, further increasing the threat level of these ransomware attacks.
Comparative Analysis of HardBit Versions
A comparative analysis between versions 2.0, 3.0, and 4.0 of HardBit Ransomware reveals a progressive enhancement in capabilities, including the addition of passphrase protection, expanded GUI functionality, and the inclusion of wiper mode.
Detection and Prevention
Security experts emphasize the importance of proactive measures and multi-layer defense strategies to detect and prevent ransomware infections. Cybereason suggests enabling Application Control, Predictive Ransomware Protection, and Variant Payload Prevention in its Defense Platform to guard against such sophisticated ransomware threats.
“Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise,” Cybereason shared, advocating for an operation-centric approach to security.
Furthermore, it is crucial for organizations to regularly update and patch their systems, particularly to close known vulnerabilities, and to educate employees on security practices to mitigate the risk of ransomware infections.
Conclusion
HardBit Ransomware 4.0 represents a significant escalation in the ransomware threat landscape, employing sophisticated evasion and encryption techniques. By requiring a runtime passphrase and leveraging extensive obfuscation, it creates substantial challenges for security professionals.
The incorporation of a wiper mode further elevates its potential for damage, making it imperative for organizations to strengthen their cybersecurity defenses and remain vigilant against such advanced threats.