Chained by ransomware

HardBit ransomware tailors ransom to fit your cyber insurance payout

Ransomware authors are wading into the cybersecurity insurance debate in a somewhat peculiar way. Specifically: urging victims to disclose details of their insurance contract, in order to tailor a ransom which will be beneficial to the company under attack.

HardBit 2.0: dismantling a device piece by piece

The ransomware, called HardBit 2.0, has been in circulation since sometime around November last year. Although there is no specific information as to how it arrives on a network, once it gets there is performs typical ransomware operations:

  • Encrypts files, branding them with the file’s custom logo
  • Gathers system/network data
  • Reduces overall security of affected systems
  • Disables recovery options and tamper protection, turns off multiple Windows Defender features, and interferes with several other security features including real time monitoring and Windows services related to backups like the Volume Shadow Copy Service.

What does the encryption warning message say?

HardBit 2.0 encrypts files and presents the following infection message on compromised desktops:

All your important files are stolen and encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send your ID for us.

Our contact information is written in the file “How to restore your files”.

You have 48 hours to contact or pay us. After that, you will have to pay double.

Please do not touch the key written under the help file in any way.

Just like Mortal Kombat ransomware, the attackers ask those who are hijacked to use Tox Messenger to communicate. The authors claim to steal data as well as encrypt it, although there’s no dedicated leak site to exploit this particular angle. In this case, it may be that most organisations targeted by the group would be too distracted by their “unique” approach to ransom demands to care.

A helping hand?

We’ve seen ransomware authors claim to care about their victims in the past. Some ransomware groups will remove themselves from impacted entities such as hospitals or critical services once those stories go public. Your mileage may vary with regard to whether this is a face saving PR move, or if they genuinely care about having going a little bit too far.

Here, they’re going out of their way to “help” by quizzing victims about the specifics of their cyber insurance policy. According to Varonis, there’s no outright demand for Bitcoin or another form of cryptocurrency. In its place is a long, rambling ransom note.

The note explains at length that their final ransom demand will be adjusted to ensure it falls inside of the insurance claim requirements. It paints the insurer as some sort of bad actor wanting to withhold money from the victim. If the scammers are told in private what the insurance total is, they’ll be able to ensure their demand for money is

A) at the top end limit of the ransom payout scale provided and

B) does not go past this limit, so the affected company receives every cent they’ve paid out. This is designed to be a mutually beneficial deal for both parties, as victim and attacker will receive as much as they possibly can.

There is, of course, no guarantee that the ransomware authors won’t use the reveal of potentially confidential insurance information against the victim at a later date. Anyone presented with this choice is really the living breathing definition of crossing some fingers and hoping for the best.

Malwarebytes detects this threat as Trojan.Crypt.Generic.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.