This ransomware plans to discuss the ransom price with its victims, depending on their insurance


Fanny Dufour

February 21, 2023 at 4:55 p.m.


HardBit 2.0 is a fairly standard ransomware strain, except that the hackers do not directly ask their victims to pay a fixed price, but rather ask them to provide information about their insurance in order to learn how much money it covers.

The hackers' stated goal is to know how much to ask for in order to be sure of getting their money. To that end, they do not hesitate to portray insurers to their victims as obstacles to successful negotiations and to the recovery of their data.

An almost commonplace ransomware

According to a report by Varonis, HardBit is a ransomware strain that was first observed in October 2022. Since November 2022, however, the malware has been upgraded to what is referred to as its version 2.0, which is the one currently in circulation. HardBit behaves like classic ransomware: it encrypts files, and the group threatens to publish its victims' data if the ransom is not paid. Some security features are also disabled on the device to avoid detection.

Nevertheless, it has some peculiarities. Where some ransomware just writes the encrypted data to a new file and deletes the original, HardBit opens the files and modifies them directly, making them harder to recover. Moreover, although the hackers claim to have obtained data that they threaten to leak, HardBit does not seem to have a site dedicated to publishing this information for the moment. Its greatest peculiarity, however, comes from its ransom demand.

Insurance, an essential element of negotiation

When a device is infected with ransomware, a ransom note is displayed, sometimes indicating an amount in Bitcoin to be paid and instructions on how to make the payment. Sometimes hackers adjust the amount requested, depending on whether they are targeting individuals or large companies. But HardBit takes another approach. Instead of asking for a specific amount, the hackers invite victims to contact them via the Tox encrypted messaging service within 48 hours to discuss payment.

They also try to convince companies that have insurance covering them in the event of a computer attack to tell them the amount covered by this insurance. According to them, this information would allow them to request the right sum to force the insurers to pay, and thus the hackers would obtain their money while the victims could get their files back and avoid the risk of a data leak.

Of course, malicious actors should never be trusted. Nothing guarantees that once the sum is paid, the stolen data will be deleted and the decryption key will work properly. In the event of a ransomware attack, you should above all not pay the ransom or try to negotiate with the attackers, but rather alert the competent authorities and plan ahead for ways to secure your data, such as regular backups.

Sources: Neowin, BleepingComputer, Varonis


