HardBit 2.0 Ransomware
First detected in October 2022, HardBit is ransomware built to target businesses and organizations, extorting cryptocurrency payments in exchange for decrypting the victim's data. It has since evolved into a second version, HardBit 2.0, observed towards the end of November 2022 and still spreading through the rest of 2022 and beyond. Like other modern ransomware, it collects sensitive data as soon as it infiltrates a network and then launches its payload to encrypt files on the system. Details about the threat and its capabilities were published in a report by malware researchers.
HardBit 2.0 Asks for Victims' Cyber Security Insurance Details
Unlike many other ransomware gangs, HardBit's operators do not run a dedicated leak site, so victims are not threatened with public exposure of the stolen data. Instead, the group threatens further attacks if its demands are not met.
To reach the HardBit operators, victims must use the ransom note embedded in the malware. The note directs them to make contact by email or over the Tox instant messaging platform to negotiate how much Bitcoin to pay for the decryption key. Victims with a cyber insurance policy are also asked to share the policy details so that the demand can be adjusted to match the coverage.
The HardBit 2.0 Ransomware Deletes Backups and Undermines Devices’ Security
To avoid being analyzed in a sandbox, HardBit first profiles the host through Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI) queries. It collects installed hardware components, network adapter settings, IP configuration and MAC address, the system manufacturer and BIOS version, the username and computer name, and the time zone. These are exactly the fields that tend to give away a virtual machine or analysis environment (hypervisor vendor strings, virtual adapters, default host names), which is why the malware gathers them before doing anything noisy.
To brand the encrypted files, the payload drops a custom HardBit icon file into the victim's Documents folder and registers a class in the Windows Registry that associates the '.hardbit2' extension with that icon.
As is common in modern ransomware, HardBit takes several pre-encryption steps to weaken the host. The Volume Shadow Copy Service (VSS) is deleted through the Service Control Manager, the Windows Backup catalog is removed, and any existing shadow copies are deleted, so that the built-in recovery paths are gone before encryption begins.
To avoid detection and interruption, several Windows Defender Antivirus features are switched off through a series of registry changes: tamper protection, anti-spyware, real-time behavior monitoring, real-time on-access protection and real-time process scanning. One caveat for defenders: when Defender's Tamper Protection is enforced it blocks this kind of registry-based disabling, so these changes only take effect on hosts where it was already off or where the malware manages to turn it off first.
To ensure that the payload runs on every reboot, a copy of the ransomware is placed in the victim's Startup folder. If such a file is not already present, the copy is named 'svchost.exe' to mimic the legitimate Service Host executable and blend in. The genuine svchost.exe lives in %SystemRoot%\System32 and is never launched from a Startup folder, so any svchost.exe found there is a clear indicator.
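The pre-encryption steps above (shadow copy and backup catalog deletion, VSS service tampering, Defender registry changes, the '.hardbit2' class registration and the fake svchost.exe in Startup) are all visible in ordinary endpoint telemetry. The following detection logic is an added example written for this page, not code from the report or from HardBit itself; it runs over a handful of constructed Sysmon-shaped events (EventID 1 process creation, 13 registry value set, 11 file creation) and the event contents, user name and file names are made up for the example.

```python
"""Hunt for HardBit-style pre-encryption steps in endpoint telemetry.

Event shape is Sysmon-like (EventID 1 = process create, 13 = registry value
set, 11 = file create) but the events below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry, not real HardBit captures.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"EventID": "1", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop VSS"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.hardbit2\DefaultIcon\(Default)",
     "Details": r"C:\Users\alice\Documents\hardbit.ico"},
    {"EventID": "11",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\svchost.exe"},
    # Benign noise that must not fire.
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

# Command-line patterns for the recovery-destroying steps described above.
CMD_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("vss_service_tampering",
     re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+vss\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
# Defender values whose "disabled" state matters: TamperProtection -> 0, Disable* -> 1.
DEFENDER_VALUES = {"TamperProtection", "DisableAntiSpyware", "DisableRealtimeMonitoring",
                   "DisableBehaviorMonitoring", "DisableOnAccessProtection",
                   "DisableScanOnRealtimeEnable"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
HARDBIT_CLASS = re.compile(r"(\\classes\\|^hkcr\\)\.hardbit2\\", re.I)


def _dword(details: str) -> Optional[int]:
    """Parse the numeric value out of Sysmon's 'DWORD (0x...)' Details field."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def analyze(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) pairs for every event matching a rule."""
    findings: List[Tuple[str, int]] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == "1":
            cmd = ev.get("CommandLine", "")
            findings.extend((name, idx) for name, pat in CMD_RULES if pat.search(cmd))
        elif eid == "13":
            target = ev.get("TargetObject", "")
            value_name = target.rsplit("\\", 1)[-1]
            val = _dword(ev.get("Details", ""))
            if "windows defender" in target.lower() and value_name in DEFENDER_VALUES:
                disabled = (val == 0) if value_name == "TamperProtection" else (val == 1)
                if disabled:
                    findings.append(("defender_feature_disabled", idx))
            if HARDBIT_CLASS.search(target):
                findings.append(("hardbit2_extension_registered", idx))
        elif eid == "11":
            path = ev.get("TargetFilename", "")
            # The real Service Host lives in %SystemRoot%\System32, never in Startup.
            if STARTUP_DIR.search(path) and path.lower().endswith("\\svchost.exe"):
                findings.append(("fake_svchost_in_startup", idx))
    return findings


if __name__ == "__main__":
    for rule, i in analyze(SAMPLE_EVENTS):
        print(f"{rule:32s} event #{i}: {SAMPLE_EVENTS[i]}")
```

Each rule on its own is noisy in a large estate (administrators do run vssadmin and wbadmin), so in production the useful alert is several of these firing on one host within a few minutes, which is the sequence the report describes.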
The Encryption Process and HardBit 2.0 Ransomware’s Demands
After enumerating the available drives and volumes, the payload scans the directories and files it finds for data to encrypt. Selected files are opened and overwritten in place rather than written out as a new encrypted file with the original then deleted. The in-place approach is the more deliberate one: it leaves no deleted original on disk for file-recovery tools to carve back.
Once encrypted, files are renamed with a seemingly random name followed by an identifier that includes a contact email address ('email@example.com' in the sample) and the '.hardbit2' extension. A plain-text ransom note and an HTML Application (HTA) ransom note are written to the drive root and to every folder containing encrypted files; they explain how to pay the ransom fee and obtain the decryption key.
Upon completing the encryption process, an image file is saved on the victim's desktop and set as the system wallpaper.
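When scoping an incident it helps to turn the naming and in-place overwrite behaviour described above into a quick file-system triage: how many '.hardbit2' files exist, which folders they sit in, which contact address is embedded in their names, and whether their content really is ciphertext (an overwritten file should be close to maximum entropy; a renamed but untouched file is not). The script below is an added example for this page, not code from the report or the malware. It assumes a name of the form <random-name>.<identifier containing the email>.hardbit2, which is an assumption on top of the description above, and it builds a constructed sample tree in a temporary directory so it runs offline.

```python
"""Scope a HardBit 2.0 infection from the file system: count .hardbit2 files,
pull the contact address out of their names and confirm the content was
overwritten with high-entropy data (the originals were encrypted in place)."""
import math
import os
import random
import re
import tempfile
from collections import Counter
from typing import Dict, List, Set

ENCRYPTED_EXT = ".hardbit2"
# Assumed name shape: <random-name>.<identifier containing a contact email>.hardbit2
EMAIL_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data approaches 8.0, text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096) -> Dict[str, object]:
    """Walk root and summarise every file carrying the .hardbit2 extension."""
    encrypted = 0
    low_entropy: List[str] = []   # .hardbit2 files whose content still looks like plaintext
    folders: Set[str] = set()
    contacts: Set[str] = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            encrypted += 1
            folders.add(dirpath)
            m = EMAIL_IN_NAME.search(name)
            if m:
                contacts.add(m.group(0).lower())
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # Overwritten-in-place ciphertext is near 8 bits/byte; anything well
            # below that was not actually encrypted (renamed by hand, truncated, ...).
            if shannon_entropy(head) < 7.0:
                low_entropy.append(path)
    return {"encrypted_files": encrypted, "affected_folders": sorted(folders),
            "contacts": sorted(contacts), "suspect_plaintext": low_entropy}


def build_sample_tree(root: str) -> None:
    """Constructed sample: two encrypted files, one untouched file, one decoy."""
    rng = random.Random(7)                      # deterministic stand-in for ciphertext
    blob = bytes(rng.randrange(256) for _ in range(4096))
    docs = os.path.join(root, "Documents")
    os.makedirs(os.path.join(docs, "Finance"))
    with open(os.path.join(docs, "Xk3pQ9.[email@example.com].hardbit2"), "wb") as fh:
        fh.write(blob)
    with open(os.path.join(docs, "Finance", "a7Lm2z.[email@example.com].hardbit2"), "wb") as fh:
        fh.write(blob[:2048])
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n" * 50)
    # A .hardbit2 file that was never overwritten (e.g. renamed by hand): low entropy.
    with open(os.path.join(root, "untouched.hardbit2"), "wb") as fh:
        fh.write(b"AAAA" * 512)


def demo() -> Dict[str, object]:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, point triage() at each mounted volume; the affected folder list doubles as the list of places the text and HTA ransom notes will have been dropped.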
The text of HardBit 2.0 Ransomware's demands is:
All your files have been stolen and then encrypted. But don't worry, everything is safe and will be returned to you.
How can I get my files back?
You have to pay us to get the files back. We don't have bank or paypal accounts, you only have to pay us via Bitcoin.
How can I buy bitcoins?
You can buy bitcoins from all reputable sites in the world and send them to us. Just search how to buy bitcoins on the internet. Our suggestion is these sites.
>>https://www.binance.com/en<< >>https://www.coinbase.com/<< >>https://localbitcoins.com/<< >>https://www.bybit.com/en-US/<<
What is your guarantee to restore files?
It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. It's not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions (jpg, xls, doc, etc... not databases!) and low sizes (max 1 MB), we will decrypt them and send back to you.
That is our guarantee.
How to contact with you?
Or contact us by email:>>firstname.lastname@example.org<< or >>email@example.com<<
How will the payment process be after payment?
After payment, we will send you the decryption tool along with the guide and we will be with you until the last file is decrypted.
What happens if I don't pay you?
If you don't pay us, you will never have access to your files because the private key is only in our hands. This transaction is not important to us,
but it is important to you, because not only do you not have access to your files, but you also lose time. And the more time passes, the more you will lose and
If you do not pay the ransom, we will attack your company again in the future.
What are your recommendations?
- Never change the name of the files, if you want to manipulate the files, make sure you make a backup of them. If there is a problem with the files, we are not responsible for it.
- Never work with intermediary companies, because they charge more money from you. For example, if we ask you for 50,000 dollars, they will tell you 55,000 dollars. Don't be afraid of us, just call us.
Very important! For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations.
The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount.
For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars,
we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars.
He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other
important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information.
But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance,
be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not
starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions
prescribed in your insurance contract, thanks to our interaction.
Your ID :
Your Key :