New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection



Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts.

"Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis.

"The passphrase needs to be provided during the runtime in order for the ransomware to be executed properly. Additional obfuscation hinders security researchers from analyzing the malware."

HardBit, that first emerged in October 2022, is a financially motivated threat actor that, similar to other ransomware groups, operates with an aim to generate illicit revenues via double extortion tactics.

What makes the threat group stand out is that it does not operate a data leak site, and instead pressurizes victims to pay up by threatening to conduct additional attacks in the future. Its primary mode of communication occurs over the Tox instant messaging service.

The exact initial access vector used to breach target environments is currently not clear, although it's suspected to involve brute-forcing RDP and SMB services.
Ransomware activity continues to "remain on an upward trend" in 2024, with ransomware actors claiming 962 attacks in the first quarter of 2024, up from 886 attacks reported year-over-year. LockBit, Akira, and BlackSuit have emerged as the most prevalent ransomware families during the time period, Symantec said.

According to Palo Alto Networks' 2024 Unit 42 Incident Response report, the median time it takes to go from compromise to data exfiltration plummeted from nine days in 2021 to two days last year. In almost half (45%) of cases this year, it was just under 24 hours.

"Available evidence suggests that exploitation of known vulnerabilities in public-facing applications continues to be the main vector for ransomware attacks," the Broadcom-owned company said. "Bring Your Own Vulnerable Driver (BYOVD) continues to be a favored tactic among ransomware groups, particularly as a means of disabling security solutions."