Cybersecurity researchers have uncovered the latest evolution of HardBit Ransomware in version 4.0, featuring sophisticated obfuscation techniques designed to evade detection. This updated variant introduces passphrase protection, a new layer of security that requires a specific passphrase during runtime for the ransomware to execute effectively. According to analysis by Cybereason researchers Kotaro Ogino and Koshi Oyama, this enhancement poses challenges for security analysts attempting to dissect its operations and mitigate its impact on affected systems.
Unlike its predecessors, HardBit 4.0 does not operate a data leak site but instead employs double extortion tactics, compelling victims to pay ransom under threat of future attacks. The ransomware group communicates primarily through the Tox instant messaging service, and its initial access vectors are suspected to involve brute-force attacks on Remote Desktop Protocol (RDP) and Server Message Block (SMB) services. Once inside a system, HardBit 4.0 utilizes tools like Mimikatz and NLBrute for credential theft and Advanced Port Scanner for network reconnaissance, enabling lateral movement across compromised networks.
Upon deployment, HardBit 4.0 employs the Neshta file infector virus to encrypt files on victim machines. It also disables Microsoft Defender Antivirus and terminates critical processes to evade detection. The ransomware modifies file icons, changes desktop wallpapers, and alters system volume labels to signify compromise. The ransomware is available in both command-line and graphical user interface (GUI) versions, with the GUI variant supporting a wiper mode that irreversibly erases files and wipes disks, contingent upon an authorization ID and decryption key provided by the attackers.
As ransomware attacks continue to escalate in frequency and sophistication throughout 2024, with prominent families like LockBit and Akira dominating the landscape, cybersecurity experts stress the importance of robust defense measures and proactive threat detection strategies. Palo Alto Networks’ Unit 42 Incident Response report underscores the rapid exploitation of known vulnerabilities in public-facing applications as a favored tactic among ransomware groups. This trend highlights the critical need for organizations to strengthen their cybersecurity postures and stay abreast of evolving threats to safeguard sensitive data and infrastructure effectively.
Reference:
