
HardBit 2.0 Ransomware

8 min read
Last updated June 16, 2023

Introduction

First observed in October 2022, HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data.

Seemingly improving upon their initial release, HardBit version 2.0 was introduced toward the end of November 2022, with samples seen throughout the end of 2022 and into 2023.

Like most modern ransomware threats, HardBit claims to steal sensitive data from their victims, likely upon first gaining access to the network, before launching their payload to encrypt data.

Unlike many of their peers, however, HardBit does not appear to have a leak site at this time and is not currently using the double extortion tactic, in which victims are “named and shamed” and threatened with public exposure of their stolen data.

While the threat of stolen data being sold or published remains, the group threatens further attacks against the victim should their ransom demands not be met.

Using a predefined ransom note contained within the ransomware threat, HardBit encourages victims to contact them by email or via the Tox instant messaging platform.

Rather than specifying an amount of bitcoin requested within this ransom note, the group seeks to negotiate with victims to reach a settlement. Notably, as part of these negotiations, victims with cyber insurance policies are also encouraged to share details with HardBit so that their demands can be adjusted to fall within the policy (Figure 1).


Figure 1. HardBit ransom note

Note: Appendix A provides the full ransom note.

While it's unknown how HardBit is gaining initial access to victim networks, it's likely that they're using similar tactics, techniques, and procedures (TTPs) of other ransomware threat actors.

These tried and tested TTPs typically used by ransomware groups include the delivery of malicious payloads to unsuspecting employees, using compromised credentials such as those exposed in third-party data breaches, and — in more advanced incidents — the exploitation of vulnerabilities in exposed hosts.

As such, organizations should continue to follow general counter-ransomware advice, such as having strong cybersecurity and data protection practices in place, limiting exposure to risk, and, should the worst happen, avoiding ransom payments to reduce the incentive for these groups to operate.

Overview

Once a victim host has been compromised, the HardBit ransomware payload is executed and performs a number of steps that reduce the security posture of the host before encrypting victim data.

Gathering information

In an attempt to evade analysis in a sandbox environment, HardBit gathers information about the victim host via Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI) functions.

Specifically, the ransomware gathers:

  • Details of installed hardware including the CPU, disk drives, and graphics card (video controller)
  • Network adapter settings, including the IP configuration and MAC address
  • System manufacturer and version from the BIOS
  • Victim username and computer name
  • Time zone information

Additionally, the Win32 API function BCryptGetFipsAlgorithmMode is called to determine if Federal Information Processing Standard (FIPS) 140 compliance is enabled.

If it is enabled, Windows enforces the use of FIPS-approved cryptographic algorithms only, and the ransomware's own encryption routines would likely fail as a result.

Although FIPS mode would be somewhat beneficial in this instance, an article published by Microsoft in 2014 suggests that the setting is not recommended (for compatibility and performance reasons) unless the host belongs to the U.S. government and is therefore subject to its standards and requirements.

Icon configuration

The ransomware payload drops a custom HardBit file icon (Figure 2) into the victim's documents folder, which is used to add their branding to all encrypted files:

C:\Users\\Documents\hrdb.ico 
MD5: 31c0f6553c9407cc19e596eab41a553e 
SHA1: fc20063993ed2baaa24d41ad11c0f258bab5bd7f 
SHA256: b565a7b25dc4227872fe972ceee9ff8fce91eb10b373ebc9401f4f32348244ef 


Figure 2. HardBit icon

Subsequently, a class is registered within the Windows Registry to associate the file extension .hardbit2 with this dropped icon:

  • Key: HKEY_CURRENT_USER\Software\Classes\.hardbit2
    • Name: (Default)
    • Type: REG_SZ
    • Data:
  • Key: HKEY_CURRENT_USER\Software\Classes\.hardbit2\DefaultIcon
    • Name: (Default)
    • Type: REG_SZ
    • Data: C:\Users\\Documents\hrdb.ico

Additionally, this icon is temporarily set as the desktop wallpaper until it's replaced with an image containing details of the ransomware note. This temporary wallpaper configuration can be observed within the Windows Registry:

  • Key: HKEY_CURRENT_USER\Control Panel\Desktop
    • Name: Wallpaper
    • Type: REG_SZ
    • Data: C:\Users\\Documents\hrdb.ico

Lowering security posture

As a standard practice for most modern ransomware threats, HardBit performs a number of pre-encryption steps to lower the security posture of the victim host.

Volume Shadow Copy Service/backups

To thwart recovery efforts, the Volume Shadow Copy Service (VSS) is deleted using the Service Control Manager:

cmd.exe /C sc delete VSS

Subsequently, the Windows backup utility catalog is deleted, along with any shadow copies:

cmd.exe /C wbadmin delete catalog -quiet

cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

Notably, the WMIC tool has fallen out of favor since the release of Windows 10 21H1, Windows Server 21H1, and Windows 11, and has been superseded by PowerShell to somewhat limit its abuse in cases like these.

Boot configuration

Because many files will be encrypted, potentially causing errors when Windows is restarted, the boot configuration is edited to enable the “ignore all failures” boot status policy while disabling the recovery option:

cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

Windows Defender

Through a series of Windows Registry changes, many Windows Defender Antivirus features are disabled to prevent the detection and disruption of the ransomware process:

Disable tamper protection:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    • Name: TamperProtection
    • Type: REG_DWORD
    • Data: 0x00000000 (0)

Disable anti-spyware capabilities:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    • Name: DisableAntiSpyware
    • Type: REG_DWORD
    • Data: 0x00000001 (1)

Disable real-time behavioral monitoring:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    • Name: DisableBehaviorMonitoring
    • Type: REG_DWORD
    • Data: 0x00000001 (1)

Disable real-time on-access (file) protection:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    • Name: DisableOnAccessProtection
    • Type: REG_DWORD
    • Data: 0x00000001 (1)

Disable real-time process scanning:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    • Name: DisableProcessModel
    • Type: REG_DWORD
    • Data: 0x00000001 (1)

Finally, the PowerShell cmdlet Get-MpPreference is executed to output any configured Windows Defender preferences:

"powershell" Get-MpPreference -verbose

Service termination

The termination of services is a common ransomware technique and is an attempt to decrease the chances of detection and recovery, as well as ensuring files are not locked open by application processes.

As expected, the Windows net stop command is executed for a list of some 86 services (Appendix B) covering many common applications, data backup/recovery tools, and endpoint security solutions:

net.exe stop  /y

Persistence

To ensure that the HardBit ransomware payload is automatically executed whenever the system is rebooted, a version is copied to the victim's “Startup” folder, if not already present:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

To evade casual detection, the executable filename mimics the legitimate service host executable file, svchost.exe.
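The pre-encryption steps above (shadow copy and backup removal, boot configuration tampering, the Windows Defender registry changes, the .hardbit2 icon registration, and the svchost.exe copy in the Startup folder) map directly onto host telemetry rules. The following Python is an added example, not code from the original post or from Varonis: it runs such rules over constructed Sysmon-style event records whose field names (type, cmdline, key, data, path) are assumptions for this example.

```python
import re

# Constructed sample telemetry (not from the original post), loosely modelled on
# Sysmon process-create, registry-set and file-create events. The field names
# used here (type, cmdline, key, data, path) are assumptions for this example.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "cmd.exe /C sc delete VSS"},
    {"type": "process", "cmdline": "cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"type": "process", "cmdline": "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                                   "& bcdedit /set {default} recoveryenabled no"},
    {"type": "registry", "data": 0,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"type": "registry", "data": 1,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"type": "registry", "data": r"C:\Users\alice\Documents\hrdb.ico",
     "key": r"HKCU\Software\Classes\.hardbit2\DefaultIcon"},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"type": "process", "cmdline": "cmd.exe /C dir"},               # benign
    {"type": "file", "path": r"C:\Windows\System32\svchost.exe"},    # benign: the real service host
]

# Command-line fragments the post attributes to HardBit's pre-encryption phase.
CMD_PATTERNS = [
    ("vss-service-deleted", re.compile(r"\bsc\s+delete\s+vss\b", re.I)),
    ("backup-catalog-deleted", re.compile(r"\bwbadmin\s+delete\s+catalog\b", re.I)),
    ("shadow-copies-deleted",
     re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("boot-recovery-disabled",
     re.compile(r"bcdedit.*(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I)),
]
# Defender value names listed in the post, with the data that disables each feature.
DEFENDER_VALUES = {"TamperProtection": 0, "DisableAntiSpyware": 1,
                   "DisableBehaviorMonitoring": 1, "DisableOnAccessProtection": 1,
                   "DisableProcessModel": 1}
# svchost.exe belongs in System32/SysWOW64, never in a user's Startup folder.
STARTUP_SVCHOST = re.compile(r"\\start menu\\programs\\startup\\svchost\.exe$", re.I)

def classify(event):
    """Return the alert labels triggered by one telemetry record (empty if benign)."""
    hits = []
    if event["type"] == "process":
        hits += [label for label, pat in CMD_PATTERNS if pat.search(event["cmdline"])]
    elif event["type"] == "registry":
        key = event["key"]
        value_name = key.rsplit("\\", 1)[-1]
        if "\\windows defender\\" in key.lower() and DEFENDER_VALUES.get(value_name) == event["data"]:
            hits.append("defender-feature-disabled:" + value_name)
        if "\\software\\classes\\.hardbit2" in key.lower():
            hits.append("hardbit2-extension-registered")
    elif event["type"] == "file" and STARTUP_SVCHOST.search(event["path"]):
        hits.append("svchost-in-startup-folder")
    return hits

def scan(events):
    """Map the index of every alerting event to its labels; benign records are dropped."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Several of these labels firing on one host within a short window is the pre-encryption sequence the post describes, so they are best correlated rather than alerted on individually.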

Encryption phase

Having determined the available drives and volumes on the victim machine, the HardBit ransomware payload traverses all directories and files to locate data for encryption.

Files selected for encryption are opened and then overwritten in place, likely to thwart file recovery efforts; less sophisticated threats write the encrypted data to a new file and delete the original, leaving the original's contents recoverable from disk.

Once encrypted, the file is renamed with a seemingly random file name followed by a victim identifier, a contact email address, and the hardbit2 file extension. For example:

t24rabqh28.[id-0E6CDAEB00103218].[threatactor@example.tld].hardbit2

Subsequently, a plain text ransom note (Appendix A) and an HTML application (HTA) ransom note (Figure 3) are written to the drive root and to every folder containing encrypted files:

  • How To Restore Your Files.txt
  • Help_me_for_Decrypt.hta
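Incident responders can recognise HardBit 2.0 activity from the renamed files and the note filenames described above. The following Python is an added example, not code from the original post or from Varonis: it parses the "<name>.[id-<victim id>].[<contact email>].hardbit2" scheme and summarises a constructed directory listing (the sample paths are assumptions, not real victim data).

```python
import re
from collections import Counter

# Renamed-file scheme described in the post:
#   <random name>.[id-<victim id>].[<contact email>].hardbit2
ENCRYPTED_NAME = re.compile(
    r"^(?P<stem>[^.\[\]]+)\.\[id-(?P<victim_id>[0-9A-Fa-f]+)\]\.\[(?P<contact>[^\]]+)\]\.hardbit2$"
)
# Note filenames the post says are dropped next to encrypted files.
RANSOM_NOTES = {"How To Restore Your Files.txt", "Help_me_for_Decrypt.hta"}

def parse_encrypted_name(name):
    """Return (victim_id, contact) if name follows the HardBit 2.0 scheme, else None."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return m.group("victim_id").upper(), m.group("contact").lower()

def triage_listing(paths):
    """Summarise a list of full Windows paths for HardBit 2.0 artifacts."""
    victim_ids, contacts, note_dirs = Counter(), Counter(), set()
    encrypted = 0
    for path in paths:
        directory, _, name = path.rpartition("\\")
        if name in RANSOM_NOTES:
            note_dirs.add(directory)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted += 1
            victim_ids[parsed[0]] += 1
            contacts[parsed[1]] += 1
    return {"encrypted_files": encrypted,
            "victim_ids": dict(victim_ids),
            "contacts": dict(contacts),
            "note_directories": sorted(note_dirs)}

# Constructed listing for illustration (not real victim data).
SAMPLE_LISTING = [
    r"D:\Finance\t24rabqh28.[id-0E6CDAEB00103218].[threatactor@example.tld].hardbit2",
    r"D:\Finance\9xq2m1kd07.[id-0E6CDAEB00103218].[threatactor@example.tld].hardbit2",
    r"D:\Finance\How To Restore Your Files.txt",
    r"D:\Finance\Help_me_for_Decrypt.hta",
    r"D:\Finance\budget.xlsx",             # untouched file
    r"D:\How To Restore Your Files.txt",   # note is also dropped at the drive root
]
```

The victim ID recovered this way matches the "Your ID" field of the plain text note, which is useful when correlating encrypted shares with the note a victim actually received.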


Figure 3. HardBit HTA ransom note

Once the encryption process has completed, an image file (Figure 4) is saved on the victim's desktop:

C:\Users\\Desktop\HARDBIT.jpg

Figure 4. HardBit image file note

To ensure the victim is made aware of the current situation, the HARDBIT.jpg image file is set as the system wallpaper via a Windows Registry update:

  • Key: HKEY_CURRENT_USER\Control Panel\Desktop
    • Name: Wallpaper
    • Type: REG_SZ
    • Data: C:\Users\\Desktop\HARDBIT.jpg

Finally, the HTA ransom note is executed using the Microsoft HTML Application host (mshta.exe) to display interactive content, including clickable hyperlinks:

C:\Windows\SysWOW64\mshta.exe "C:\Users\\AppData\Local\Temp\readme-warning.hta"

Indicators of compromise

The following indicators of compromise (IOCs) are associated with HardBit 2.0:

Threat actor contacts:

  • alexgod5566@xyzmailpro[.]com
  • filetest@decoymail[.]net
  • filetest@onionmail[.]org
  • godgood55@tutanota[.]com

Dropped files:

  • HARDBIT.jpg - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (note: this value is the SHA-256 digest of zero-length input, so it identifies an empty file rather than the image shown in Figure 4; verify it against your own sample before using it as an indicator)
  • Help_me_for_Decrypt.hta
  • How To Restore Your Files.txt
  • README.txt
  • hrdb.ico - SHA256: b565a7b25dc4227872fe972ceee9ff8fce91eb10b373ebc9401f4f32348244ef

HardBit 2.0 samples (for research purposes; new payloads will likely have different cryptographic hashes):

  • SHA256: 422e0e4e01c826c8a9f31cb3a3b37ba29fb4b4b8c4841e16194258435056d8a3
  • SHA256: a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992
  • SHA256: cb239d641cfa610b1eaf0ecd0f48c42dd147f547b888e4505297c4e9521d8afe
  • SHA256: fafbe16c5646bf1776dd3ef62ba905b9b2cb0ee51043859a2f3cdda7dfe20d4c

Appendix A: ransom note



 _   _  _____  ___    ___    ___    _  _____
| | ( )|  _  ||  _ \ (  _ \ (  _ \ (_)(_   _)
| |_| || (_) || (_) )| | ) || (_) )| |  | |
|  _  ||  _  ||    / | | | ||  _ ( | |  | |
| | | || | | || |\ \ | |_) || (_) )| |  | |
(_) |_||_| |_||_| (_)(____/ (____/ |_|  |_|

          ¦¦¦¦¦HARDBIT RANSOMWARE¦¦¦¦¦

---- 

what happened? 

All your files have been stolen and then encrypted. But don't worry, everything is safe and will be returned to you. 

 

---- 

How can I get my files back? 

You have to pay us to get the files back. We don't have bank or paypal accounts, you only have to pay us via Bitcoin. 

---- 

How can I buy bitcoins? 

You can buy bitcoins from all reputable sites in the world and send them to us. Just search how to buy bitcoins on the internet. Our suggestion is these sites. 

>>https://www.binance.com/en<< >>https://www.coinbase.com/<< >>https://localbitcoins.com/<< >>https://www.bybit.com/en-US/<< 

---- 

What is your guarantee to restore files? 

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. 

To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you.  

That is our guarantee. 

---- 

How to contact with you? 

 

Or contact us by email:>>godgood55@tutanota.com<< or >>alexgod5566@xyzmailpro.com<< 

---- 

How will the payment process be after payment? 

After payment, we will send you the decryption tool along with the guide and we will be with you until the last file is decrypted. 

---- 

What happens if I don't pay you? 

If you don't pay us, you will never have access to your files because the private key is only in our hands. This transaction is not important to us, but it is important to you, because not only do you not have access to your files, but you also lose time. And the more time passes, the more you will lose and

If you do not pay the ransom, we will attack your company again in the future.

---- 

What are your recommendations? 

- Never change the name of the files, if you want to manipulate the files, make sure you make a backup of them. If there is a problem with the files, we are not responsible for it. 

- Never work with intermediary companies, because they charge more money from you. For example, if we ask you for 50,000 dollars, they will tell you 55,000 dollars. Don't be afraid of us, just call us. 

---- 

Very important! For those who have cyber insurance against ransomware attacks. 

Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. 

The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount.  

For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Your ID :<16-CHAR_HEX>, <16-CHAR_HEX> 

 

Your Key : 

Appendix B: service terminations

      • ##WID
      • AcronisAgent
      • AcrSch2Svc
      • ARSM
      • avpsus
      • backup
      • BackupExecAgentAccelerator
      • BackupExecAgentBrowser
      • BackupExecDiveciMediaService
      • BackupExecJobEngine
      • BackupExecManagementService
      • BackupExecRPCService
      • BackupExecVSSProvider
      • bedbg
      • BMR Boot Service
      • CAARCUpdateSvc
      • CASAD2DWebSvc
      • ccEvtMgr
      • ccSetMgr
      • Culserver
      • dbeng8
      • dbsrv12
      • DefWatch
      • Exchange
      • FCS
      • FishbowlMySQL
      • Intuit
      • Intuit.QuickBooks.FCS
      • McAfeeDLPAgentService
      • memtas
      • mepocs
      • mfewc
      • MSExchange
      • MSExchange$
      • msftesql
      • msmdsrv
      • vMSSQL
      • MSSQL$
      • MSSQL$KAV_CS_ADMIN_KIT
      • MSSQL$MICROSOFT
      • MSSQL$MICROSOFT##SSEE
      • MSSQL$SBSMONITORING
      • MSSQL$SHAREPOINT
      • MSSQL$VEEAMSQL2012
      • MSSQLFDLauncher$SBSMONITORING
      • MSSQLServerADHelper100
      • MVArmor
      • MVarmor64
      • MySQL57
      • NetBackup BMR MTFTP Service
      • PDVFSService
      • QBCFMonitorService
      • QBFCService
      • QBIDPService
      • QBVSS
      • QLADHLP
      • QuickBooks
      • RTVscan
      • SavRoam
      • sophos
      • sql
      • sqladhlp
      • sqlagent
      • SQLAgent$KAV_CS_ADMIN_KIT
      • SQLAgent$SBSMONITORING
      • SQLAgent$SHAREPOINT
      • SQLAgent$VEEAMSQL2012
      • sqlbrowser
      • SQLBrowser
      • Sqlservr
      • SQLWriter
      • stc_raw_agent
      • svc$
      • tomcat6
      • veeam
      • VeeamDeploymentService
      • VeeamNFSSvc
      • VeeamTransportSvc
      • vmware
      • vmware-converter
      • VSNAPVSS
      • vss
      • WSBExchange
      • YooBackup
      • YooIT
      • zhudongfangyu
