FortiGuard Labs Threat Research
Ransomware Roundup — HardBit 2.0
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This latest edition of the Ransomware Roundup covers the HardBit 2.0 ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
HardBit 2.0 Ransomware
Overview
HardBit ransomware dates to at least October 2022, with the current 2.0 version having been released shortly thereafter, in November 2022. As is commonplace now, HardBit leverages the “double extortion” technique of encrypting the files of a victim for ransom and then backstopping that action with a threat to release sensitive information and data if the ransom is not paid.
HardBit 2.0 Ransomware Infection Vector
Information on the infection vector used by this group is not currently available. However, it is not likely to differ greatly from other ransomware groups.
HardBit 2.0 Ransomware Execution
Upon execution, HardBit 2.0 terminates processes and services to slow the potential detection of its activities. It then encrypts files of interest and renames them to something random followed by [id-XXXX].[contact email].hardbit2.
Figure 1. Files encrypted by HardBit 2.0
In each directory where files have been encrypted, an HTA file named “Help_me_for_Decrypt.hta” and a ransom note named “How To Restore Your Files.txt” are deposited.
Figure 2. HardBit JPEG and ransom note.
The ransom note contains an explanation of what has happened, a guarantee of recovery if payment is made, and e-mail addresses for contacting the attacker. Quite interestingly, there is no price specified in the ransom, ensuring a victim will have to contact the attacker to negotiate. Additionally, there is an entire paragraph on cyber insurance and the suggestion to undercut the provider by providing details of the insurance policy “anonymously”. This is (by their logic) a way to ensure their payment demands don’t exceed the maximum policy threshold so both the attacker and the policyholder get their payout.
Figure 3. The HardBit ransom note.
Figure 4. The paragraph in the ransom note regarding cyber insurance.
The HTA file is launched automatically once HardBit finishes encrypting the files on the host. It also provides a Tox ID with which to contact the attacker. Tox is an open-source, peer-to-peer instant messaging platform (https://en.wikipedia.org/wiki/Tox_(protocol)). It also has additional warnings indicating that if contact is not made within 48 hours, the ransom will double.
Figure 5. HTA file dropped after encryption.
On the Desktop, a JPEG image, “HARDBIT.jpg”, is dropped. This becomes the background for the compromised machine.
Figure 6. JPEG file dropped after encryption.
The image reiterates that the victim should refer to the “Help_me_for_Decrypt.hta” and “How To Restore Your Files.txt” files deposited in their system. It also explains that files were also exfiltrated and explicitly threatens to release them for sale or onward publishing if contact is not forthcoming.
Figure 7. Altered desktop background.
Fortinet Protections
Fortinet customers are already protected from this malware variant through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:
FortiGuard Labs detects known HardBit ransomware variants with the following AV signatures:
- MSIL/Basic.2!tr.ransom
- W32/Generic.AC.171!tr
The FortiGate, FortiMail, FortiClient, and FortiEDR solutions all support the FortiGuard AntiVirus service. As a result, customers with up-to-date protections are protected.
IOCs
File-based IOCs:
SHA256 |
Malware |
422e0e4e01c826c8a9f31cb3a3b37ba29fb4b4b8c4841e16194258435056d8a3 |
HardBit 2.0 |
a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992 |
HardBit 2.0 |
cb239d641cfa610b1eaf0ecd0f48c42dd147f547b888e4505297c4e9521d8afe |
HardBit 2.0 |
fafbe16c5646bf1776dd3ef62ba905b9b2cb0ee51043859a2f3cdda7dfe20d4c |
HardBit 2.0 |
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Best Practices Include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.
