| HardBit 4.0 | |
|---|---|
| Type of Malware | Ransomware |
| Date of Initial Activity | 2022 |
| Additional Names | HardBit |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
HardBit Ransomware has emerged as a formidable threat in the landscape of cybercrime, rapidly evolving since its inception in October 2022. With the release of version 4.0, this ransomware variant demonstrates a marked sophistication in its techniques and execution strategies, making it a significant concern for organizations and individuals alike. HardBit distinguishes itself from other ransomware families not only through its unique communication methods but also by its advanced operational capabilities, which have been tailored to exploit vulnerabilities in various environments.
Targets
Information
How they operate
At the core of HardBit’s operation is its execution phase, where it leverages various tools and techniques to initiate its attack. Once deployed, the malware uses Windows Management Instrumentation (WMI) to disable backup systems: specifically, it issues WMIC commands to delete backup catalogs, eliminating the victim’s recovery options. This initial step is critical, as it lays the groundwork for the subsequent encryption of files and ensures that once data is encrypted, recovery is an uphill battle. In tandem with WMI, HardBit also uses PowerShell and the Windows Command Shell to disable Windows Defender and modify system recovery options via BCDEdit, further solidifying its foothold in the targeted environment.
Defense evasion is a key focus for HardBit, as it seeks to operate under the radar of traditional security measures. The malware utilizes obfuscation techniques to conceal its code, packed with the .NET obfuscator Ryan-_-Borland_Protector Cracked v1.0. This tactic makes it challenging for security solutions to detect and analyze the malware effectively. Additionally, HardBit employs methods to impair defenses by disabling security tools such as Windows Defender, ensuring that its encryption processes can occur without interruption.
Credential access is another significant aspect of HardBit’s operation. The malware employs techniques for OS credential dumping by executing a BAT script that runs Mimikatz, a well-known credential harvesting tool. This allows attackers to extract sensitive information from the target system, facilitating further exploitation. Furthermore, HardBit operators leverage brute force attacks using tools like NLBrute to gain unauthorized access via Remote Desktop Protocol (RDP), allowing them to traverse the network and compromise additional machines.
Once inside the network, HardBit employs various discovery techniques to map out the environment. The use of network service discovery tools such as Advanced Port Scanner and KPortScan 3.0 enables operators to identify active devices and services, allowing them to strategize their lateral movement effectively. This phase is crucial for maximizing the impact of the ransomware, as it enables operators to target high-value systems and data stores for encryption.
The impact of HardBit Ransomware is multifaceted, with a focus on both data encryption and destruction. By default, the malware encrypts files on targeted machines, rendering them inaccessible to users. However, it also features a wiper mode, which can completely erase data from the disk, intensifying the damage inflicted on victims. To ensure successful encryption, HardBit employs tactics such as stopping relevant services using the net.exe command and inhibiting system recovery by deleting shadow copies and backup catalogs. These actions create a dire situation for victims, as they are left with limited options for data recovery.
In conclusion, HardBit Ransomware 4.0 operates through a complex interplay of techniques that highlight its sophistication and potential for harm. From its initial execution and defense evasion to credential access and data destruction, each phase of its operation is meticulously designed to maximize impact while minimizing detection. Understanding the technical workings of HardBit is essential for organizations seeking to bolster their defenses against such relentless cyber threats. As ransomware continues to evolve, so too must our approaches to cybersecurity, underscoring the importance of proactive measures in safeguarding critical data and systems.
MITRE Tactics and Techniques
1. TA0002: Execution
T1047 – Windows Management Instrumentation: HardBit Ransomware inhibits system recovery by deleting backup catalogs via WMIC.
T1059.001 – Command and Scripting Interpreter: PowerShell: It spawns PowerShell to disable Windows Defender.
T1059.003 – Command and Scripting Interpreter: Windows Command Shell: It spawns CMD to disable recovery options via BCDEdit.
2. TA0005: Defense Evasion
T1140 – Deobfuscate/Decode Files or Information: The HardBit Ransomware binary is packed with the .NET obfuscator Ryan-_-Borland_Protector Cracked v1.0, which is deobfuscated during runtime.
T1027.002 – Obfuscated File or Information: Software Packing: Neshta packs the HardBit Ransomware binary using the same obfuscation method.
T1562.001 – Impair Defenses: Disable or Modify Tools: HardBit disables Windows Defender to ensure successful encryption.
3. TA0006: Credential Access
T1003.001 – OS Credential Dumping: LSASS Memory: Operators utilize a BAT script that runs Mimikatz for credential dumping.
T1110 – Brute Force: NLBrute is used to conduct RDP brute force attacks.
4. TA0007: Discovery
T1046 – Network Service Discovery: Operators utilize Advanced Port Scanner and KPortScan 3.0 for network discovery within the corporate network.
5. TA0008: Lateral Movement
T1021.001 – Remote Services: Remote Desktop Protocol: RDP is abused for lateral movement within the victim’s network.
6. TA0040: Impact
T1485 – Data Destruction: The GUI version supports a wiper mode, which wipes the disk instead of encrypting files.
T1486 – Data Encrypted for Impact: By default, it encrypts target machines.
T1489 – Service Stop: It uses net.exe to stop relevant services to ensure successful encryption.
T1490 – Inhibit System Recovery: It inhibits system recovery by deleting shadow copies and backup catalogs, as well as disabling recovery options via various commands (BCDEdit, Vssadmin, WBAdmin, WMIC).
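As an added example (not part of this profile or of HardBit itself), the Python script below runs command-line detection logic over constructed process-creation log lines for the recovery-inhibition, Defender-tampering and service-stop behaviour described in "How they operate" and listed under Execution, Defense Evasion and Impact above (T1047, T1490, T1562.001, T1489), and raises an alert only when several distinct techniques fire on the same host. The log line format, host names and exact argument forms of the named tools are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry), one per line, with the
# fields a Sysmon Event ID 1 or Security 4688 record would give a SIEM.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z host=FS01 parent=explorer.exe cmdline="notepad.exe notes.txt"
2024-05-01T09:14:22Z host=FS01 parent=hb.exe cmdline="wmic shadowcopy delete"
2024-05-01T09:14:23Z host=FS01 parent=hb.exe cmdline="vssadmin delete shadows /all /quiet"
2024-05-01T09:14:24Z host=FS01 parent=hb.exe cmdline="bcdedit /set {default} recoveryenabled no"
2024-05-01T09:14:25Z host=FS01 parent=hb.exe cmdline="powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"
2024-05-01T09:14:26Z host=FS01 parent=hb.exe cmdline="net stop MSSQLSERVER /y"
2024-05-01T09:20:00Z host=WS07 parent=cmd.exe cmdline="net stop Spooler"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)'
                     r'\s+cmdline="(?P<cmd>[^"]*)"$')

# Each rule maps a command-line shape to the technique ID the profile lists above.
# The exact argument forms are assumed (the usual invocations of the named tools).
RULES = [
    ("T1047", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1490", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1562.001", re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("T1489", re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
]

def classify(cmd):
    """Technique IDs whose pattern matches a single command line."""
    return {tid for tid, rx in RULES if rx.search(cmd)}

def analyze(log_text, threshold=2):
    """Tag matching events and flag hosts where >= threshold distinct techniques
    fire: one 'net stop' is routine admin work; recovery inhibition plus Defender
    tampering on the same host is the HardBit impact/evasion pattern."""
    hits, per_host = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:          # skip lines that do not fit the expected shape
            continue
        ev = m.groupdict()
        tids = classify(ev["cmd"])
        if tids:
            hits.append({"host": ev["host"], "parent": ev["parent"],
                         "techniques": sorted(tids), "cmd": ev["cmd"]})
            per_host[ev["host"]] |= tids
    flagged = {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}
    return hits, flagged
```

Running `analyze(SAMPLE_LOG)` flags FS01 with four distinct techniques while the lone `net stop` on WS07 stays below the threshold; the parent process recorded in each hit is what an analyst would pivot on next.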