Sıla Özeren Hacıoğlu | 6 MIN READ

CREATED ON December 20, 2025

HardBit 4.0 Ransomware Analysis

HardBit is a ransomware strain that has been evolving since its emergence in 2022 [1]. Unlike its predecessors and many contemporary groups, HardBit does not currently operate a data leak site for double extortion.

The latest iteration, HardBit 4.0, introduces significant enhancements in obfuscation and operational flexibility. Unlike its predecessors, this version utilizes the Neshta file infector as a dropper mechanism to evade detection. Furthermore, it implements a passphrase protection mechanism, requiring specific authorization keys at runtime for proper execution, a tactic designed to hinder analysis by security professionals.

The malware is distributed in two distinct formats: a Command Line Interface (CLI) version and a Graphical User Interface (GUI) version. This dual approach likely caters to operators with varying levels of technical proficiency. Notably, HardBit 4.0 includes a "Wiper" mode, allowing operators to destroy data rather than encrypt it, provided specific configuration parameters are met.

How Does HardBit Ransomware Work?

The Lateral Movement Pipeline

While the precise initial infection vector is unknown, evidence suggests that the threat actors likely establish a foothold through brute-force attacks against open RDP (via the NLBrute tool) and SMB services. Following initial access, credential theft is performed to facilitate lateral movement.

The attackers utilize a custom batch script, typically delivered in an archive (e.g., 111.zip), to deploy Mimikatz. This script, !start.bat, executes Mimikatz to dump credentials and saves the output to a file named Result.txt. The following batch script demonstrates how Mimikatz is invoked to harvest logon passwords and credentials [2]:

cd /d %~dp0
md !logs
if %PROCESSOR_ARCHITECTURE%==AMD64 (
    .\mimikatz\x64\mimikatz.exe "privilege::debug" "log .\!logs\Result.txt" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam" exit
    .\mimikatz\x32\mimikatz.exe "privilege::debug" "log .\!logs\Result.txt" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam" exit
) else (.\mimikatz\x32\mimikatz.exe "privilege::debug" "log Result.txt" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam" exit)
.\mimikatz\miparser.vbs .\!logs\Result.txt

During the network discovery and lateral movement phase, the attackers retrieved and executed a specific set of scanning utilities to identify vulnerable targets. They employed KPortScan 3.0 to actively hunt for open RDP ports (3389) and utilized Advanced Port Scanner to conduct broad reconnaissance across the network. To further expand their access, the threat actors deployed 5-NS new.exe to enumerate available network shares. Following discovery, lateral movement is achieved largely through RDP using the harvested credentials [2].

HardBit Ransomware Analysis

The Neshta Dropper

The delivery of HardBit 4.0 is facilitated by Neshta, a file-infecting virus that has been active since 2003. In HardBit attacks, Neshta serves as a dropper for the ransomware payload. Upon execution, it performs the following four steps to deploy HardBit [2]:

  1. Read: Opens its own binary and reads data from offset 0xB121F (HardBit header) and offset 0xA200 (HardBit body).
  2. Decrypt: Decrypts the HardBit header.
  3. Drop: Writes the reconstructed HardBit binary to the %TEMP% directory.
  4. Execute: Launches the dropped ransomware binary via ShellExecuteA.

Neshta also establishes persistence by copying itself to %SYSTEMROOT%\svchost.com and modifying the registry HKLM\SOFTWARE\Classes\exefile\shell\open\command to run this file whenever an .exe file is opened [2].

Defense Evasion

The HardBit binary is a .NET executable obfuscated using Ryan-_-Borland_Protector Cracked v1.0, which is believed to be a modified version of the open-source ConfuserEx [2].

HardBit also aggressively disables security controls, specifically targeting Windows Defender through Registry modifications and PowerShell commands. The malware modifies the following registry keys to disable Real-Time Monitoring, Tamper Protection, and Anti-Spyware features [2]:

# Disables Tamper Protection.
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection

# Disables Anti-Spyware.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

# Disables Behavior Monitoring.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring

# Disables On-Access Protection.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

# Disables Real-Time Scanning.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

Following registry updates, the malware executes Set-MpPreference with a comprehensive list of parameters like DisableBlockAtFirstSeen and DisableScriptScanning to further cripple Windows Defender.
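The registry changes above (the Defender policy values and the exefile handler that Neshta rewrites for persistence) can be checked from a triage export. The following is an added example, not HardBit, Neshta or Picus code: it parses .reg text (assumed already decoded from the UTF-16 that reg export writes) and reports the page's tampering patterns; the function names and the sample export, including the hijacked handler value, are constructed for illustration.

```python
"""Audit a Windows registry export (.reg text) for the Defender policy values and the
exefile handler change described above. Added example; not HardBit, Neshta or Picus code."""

POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
RTP = POLICY + r"\Real-Time Protection"
# Policy values the page lists: a DWORD of 1 turns the feature off.
DISABLE_FLAGS = [(POLICY, "DisableAntiSpyware"), (RTP, "DisableBehaviorMonitoring"),
                 (RTP, "DisableOnAccessProtection"), (RTP, "DisableScanOnRealtimeEnable")]
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'  # stock handler: run the .exe itself with its arguments

def parse_reg_export(text):
    """Return {key: {value_name: data}} from .reg text; handles dword and quoted strings."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key and "=" in line:
            name, data = line.split("=", 1)
            name = name if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                tree[key][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslashes and quotes inside string data
                tree[key][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return tree

def audit(tree):
    """List the tampering patterns from the page that are present in the parsed export."""
    findings = [f"Defender feature disabled by policy: {name}"
                for key, name in DISABLE_FLAGS if tree.get(key, {}).get(name) == 1]
    handler = tree.get(EXEFILE_KEY, {}).get("@")
    if handler is not None and handler != EXEFILE_DEFAULT:
        findings.append(f"exefile handler hijacked: {handler}")
    return findings

# Constructed export resembling a host after the modifications described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="%SYSTEMROOT%\\svchost.com \"%1\" %*"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```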

Passphrase Protection

A distinct feature of HardBit 4.0 is the requirement for an authorization ID at runtime. Without this, the ransomware will not execute, complicating automated sandbox analysis.

The execution process involves several components provided by the attackers [2]:

  • RSA Decoder: A tool used to decode the authorization ID.
  • Private.txt: Contains the private key required by the decoder.
  • id_authorization.txt: Contains the encoded authorization ID.

The operator runs the RSA Decoder with the private key and the encoded authorization ID and receives a decoded string, which is then passed as an argument to the ransomware binary. The operator must also provide an encryption key. This process is represented below:

hardbit.exe
Enter your argument: [Decoded_Authorization_ID]
Enter your encryption key: [Encryption_Key]

Impact and Encryption

To ensure files are not locked by active processes, HardBit stops a vast array of services using net.exe stop [2].

net.exe stop DefWatch /y
net.exe stop "Symantec System Recovery" /y
net.exe stop ##WID /y
net.exe stop ARSM /y
net.exe stop AcrSch2Svc /y
net.exe stop AcronisAgent /y

HardBit also systematically removes recovery options to prevent data restoration without payment [2].

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
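The credential-harvesting script from the lateral movement section and the service-stop and recovery-inhibition commands above all leave process-creation events that can be matched directly. The following is an added example, not HardBit or Picus code: it runs simple rules over constructed events (dicts with a parent pid and a command line, as one would extract from Sysmon Event ID 1 or Security 4688), and flags net stop only as a burst from one parent, since a single stop is routine administration; the threshold of five is an arbitrary assumption.

```python
"""Flag the command lines HardBit's chain produces, as described above (Mimikatz credential
dumping, net stop bursts, recovery inhibition, Set-MpPreference tampering), in constructed
process-creation events. Added example; not HardBit or Picus code."""
import re

RULES = [  # (rule name, pattern over the full command line)
    ("mimikatz_credential_dump", re.compile(r"sekurlsa::logonpasswords|lsadump::sam", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("defender_preference_tamper", re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
]
NET_STOP = re.compile(r"\bnet(1|\.exe)?\s+stop\s+", re.I)

def classify(cmdline):
    """Names of every rule the command line matches (empty list for benign lines)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def detect(events, net_stop_threshold=5):
    """events: dicts with 'ppid' (parent pid) and 'cmd'. Returns [(ppid, rule), ...].
    Single-command rules fire per event; 'net stop' is only flagged as a burst per parent,
    because one stop is routine admin work while dozens precede encryption."""
    hits, stops = [], {}
    for ev in events:
        hits += [(ev["ppid"], rule) for rule in classify(ev["cmd"])]
        if NET_STOP.search(ev["cmd"]):
            stops[ev["ppid"]] = stops.get(ev["ppid"], 0) + 1
    hits += [(ppid, f"mass_service_stop:{n}") for ppid, n in stops.items() if n >= net_stop_threshold]
    return hits

# Constructed events: one benign stop from an admin shell (ppid 1000) and the chain from ppid 4242.
SAMPLE_EVENTS = [
    {"ppid": 1000, "cmd": "net.exe stop Spooler"},
    {"ppid": 4242, "cmd": 'mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords" "lsadump::sam" exit'},
    *({"ppid": 4242, "cmd": f'net.exe stop "{svc}" /y'} for svc in
      ["DefWatch", "Symantec System Recovery", "ARSM", "AcrSch2Svc", "AcronisAgent"]),
    {"ppid": 4242, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ppid": 4242, "cmd": "vssadmin delete shadows /all /quiet"},
    {"ppid": 4242, "cmd": "wbadmin delete catalog -quiet"},
    {"ppid": 4242, "cmd": "wmic shadowcopy delete"},
    {"ppid": 4242, "cmd": "powershell Set-MpPreference -DisableBlockAtFirstSeen $true -DisableScriptScanning $true"},
]

if __name__ == "__main__":
    for ppid, rule in detect(SAMPLE_EVENTS):
        print(ppid, rule)
```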

By default, the malware encrypts files, updates the file icons to a HardBit-specific icon, and changes the desktop wallpaper to a ransom notice.

Uniquely, the HardBit GUI version includes a "Wiper" mode. This feature is likely an optional add-on sold to operators. It is activated via a configuration file named hard.txt containing a specific authorization ID. When enabled, the interface changes from "Encrypt" to "Wipe," and execution results in permanent data destruction rather than encryption [2].

How Does Picus Simulate HardBit Ransomware Attacks?

We also strongly suggest simulating HardBit Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the HardBit Ransomware Campaign:

Threat ID   Threat Name                               Attack Module
83232       HardBit 2.0 Ransomware Download Threat    Network Infiltration
43877       HardBit 2.0 Ransomware Email Threat       Network Infiltration
36087       HardBit 3.0 Ransomware Download Threat    Network Infiltration
87265       HardBit 3.0 Ransomware Email Threat       E-mail Infiltration
40412       HardBit 4.0 Ransomware Download Threat    Network Infiltration
72598       HardBit 4.0 Ransomware Email Threat       E-mail Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • HardBit 4.0 employs the Neshta file infector as a dropper to decrypt and launch the ransomware payload, establishing persistence by modifying the registry to run the malware whenever an executable file is opened.
  • A distinct "Wiper" mode is available in the GUI version of the malware, enabling operators to permanently destroy data rather than encrypting it, provided specific configuration parameters are active.
  • To hinder analysis by security professionals, the ransomware requires a specific authorization ID and encryption key at runtime; without these inputs, the binary will not execute.
  • Lateral movement involves the use of a custom batch script to execute Mimikatz for credential harvesting, alongside utilities like KPortScan 3.0 and Advanced Port Scanner to detect open RDP ports and network shares.
  • The malware aggressively targets Windows Defender by modifying registry keys to disable critical features such as Real-Time Monitoring, Tamper Protection, and Anti-Spyware, further using PowerShell to disable script scanning.
  • Prior to encryption, HardBit ensures maximum impact by stopping various security and backup services and removing recovery options via commands like vssadmin delete shadows and bcdedit.