VTA-004489 – HardBit Ransomware 4.0 with Passphrase Protection and Advanced Evasion Techniques
In 2022, HardBit Ransomware released version 4.0, focusing on data theft, encryption, and ransom demands rather than using leak sites or double extortion techniques. Researchers discovered that HardBit uses passphrase protection to evade security, communicates through the TOX messaging system, and employs techniques similar to LockBit Ransomware. These techniques include brute-forcing RDP and SMB, and stealing credentials with Mimikatz and NLBrute tools. They also use network discovery tools like Advanced Port Scanner and KPortScan 3.0, and download programs from the Farsi file-sharing website picofile[.]com. Before encrypting data, the ransomware requires an authorization ID and encryption key, disables Windows Defender, stops services, and prevents system recovery, ensuring long-term infection with the Neshta virus.
HardBit ransomware works by unpacking its code, infecting files, and manipulating system settings so that it runs successfully and is hard to remove. It selectively encrypts files, updates infected machines, and uses encrypted email contacts, all while hiding its code with a dedicated obfuscation tool. The ransomware has a user interface that offers two modes, ransom and wiper, with the wiper mode requiring extra authorization via a file named hard.txt. Across versions 2.0, 3.0, and 4.0, HardBit has become more advanced and harder to detect.
Severity:
Medium
Attack Surface:
Email, Endpoint, File Storage
Tactics:
Techniques:
T1003 – OS Credential Dumping
T1021 – Remote Services
T1027 – Obfuscated Files or Information
T1046 – Network Service Scanning
T1047 – Windows Management Instrumentation
T1059 – Command and Scripting Interpreter
T1110 – Brute Force
T1140 – Deobfuscate/Decode Files or Information
T1485 – Data Destruction
T1486 – Data Encrypted for Impact
T1489 – Service Stop
T1490 – Inhibit System Recovery
T1562 – Impair Defenses
T1135 – Network Share Discovery
T1056 – Input Capture
T1566 – Phishing
T1547 – Boot or Logon Autostart Execution
T1569 – System Services
Indicator of Compromise:
https://otx.alienvault.com/pulse/6698161c7910c932045c070b
SuperPRO’s Threat Countermeasures Procedures:
1. Turn on Application Control to prevent malicious files from running, and create strict application whitelisting policies that allow only trusted applications to run.
2. Enable Predictive Ransomware Protection.
3. If Predictive Ransomware Protection isn’t available, use Anti-Ransomware instead.
4. Activate Variant Payload Prevention in Prevent mode on your security solution.
5. Patch and update all software and systems regularly to close known security gaps.
6. Monitor for and immediately investigate the presence of known malware and indicators.
Contributed by: Eddy Leong