HardBit is a ransomware strain that has been evolving since its emergence in 2022 [1]. Unlike its predecessors and many contemporary groups, HardBit does not currently operate a data leak site for double extortion.
The latest iteration, HardBit 4.0, introduces significant enhancements in obfuscation and operational flexibility. This version uses the Neshta file infector as a dropper mechanism to evade detection. It also adds a passphrase protection mechanism: the ransomware requires a specific authorization key at runtime before it will execute, a tactic designed to hinder analysis by security professionals.
The malware is distributed in two distinct formats: a Command Line Interface (CLI) version and a Graphical User Interface (GUI) version. This dual approach likely caters to operators with varying levels of technical proficiency. Notably, HardBit 4.0 includes a "Wiper" mode, allowing operators to destroy data rather than encrypt it, provided specific configuration parameters are met.
While the precise initial infection vector is unknown, evidence suggests that the threat actors likely establish a foothold through brute-force attacks against open RDP (via the NLBrute tool) and SMB services. Following initial access, credential theft is performed to facilitate lateral movement.
The attackers utilize a custom batch script, typically delivered in an archive (e.g., 111.zip), to deploy Mimikatz. This script, !start.bat, executes Mimikatz to dump credentials and saves the output to a file named Result.txt. The following batch script demonstrates how Mimikatz is invoked to harvest logon passwords and credentials [2]:
```batch
:: Switch to the directory the batch file was launched from
cd /d %~dp0
```
During the network discovery and lateral movement phase, the attackers retrieved and executed a specific set of scanning utilities to identify vulnerable targets. They employed KPortScan 3.0 to actively hunt for open RDP ports (3389) and utilized Advanced Port Scanner to conduct broad reconnaissance across the network. To further expand their access, the threat actors deployed 5-NS new.exe to enumerate available network shares. Following discovery, lateral movement is achieved largely through RDP using the harvested credentials [2].
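The RDP and SMB brute-force foothold described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, followed by a successful logon (4624) from the same address. The following script is an added example, not code from the article or from Picus; it runs a sliding-window threshold over constructed logon events (addresses, account names and times are all made up) and reports which source crossed the threshold and which account it eventually got in as.

```python
"""Added example (not code from the article or from Picus): flagging the RDP/SMB
brute-force pattern from Windows Security log events.

Event ID 4625 is a failed logon and 4624 a successful one; logon type 10 is
RemoteInteractive (RDP) and logon type 3 is network (SMB). A burst of 4625s
from one source address followed by a 4624 from the same address is the
"guessed until it worked" signature. All events below are constructed sample
data: the addresses, account names and times are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(minute, second=0):
    """Constructed timestamps, all on the same morning."""
    return datetime(2024, 1, 1, 3, minute, second)


# (timestamp, event_id, source_ip, target_account, logon_type)
SAMPLE_EVENTS = [
    (_t(0, 5), 4625, "203.0.113.7", "administrator", 10),
    (_t(0, 9), 4625, "203.0.113.7", "admin", 10),
    (_t(0, 14), 4625, "203.0.113.7", "backup", 10),
    (_t(0, 20), 4625, "203.0.113.7", "svc_sql", 10),
    (_t(0, 27), 4625, "203.0.113.7", "it-helpdesk", 10),
    (_t(0, 33), 4625, "203.0.113.7", "jsmith", 10),
    (_t(0, 41), 4624, "203.0.113.7", "jsmith", 10),   # success right after the burst
    (_t(1, 0), 4625, "192.0.2.44", "mbrown", 3),      # one mistyped password: benign
    (_t(15, 0), 4624, "192.0.2.44", "mbrown", 3),
    (_t(2, 0), 4625, "198.51.100.9", "guest", 3),     # slow trickle, stays under threshold
    (_t(9, 0), 4625, "198.51.100.9", "guest", 3),
    (_t(16, 0), 4625, "198.51.100.9", "guest", 3),
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for every source that produced `threshold`
    or more failed logons inside a sliding `window`, and note the first
    successful logon from that source after it was flagged."""
    recent = defaultdict(deque)   # source_ip -> timestamps of failures in the window
    alerts = {}
    for ts, event_id, source_ip, account, logon_type in sorted(events):
        if event_id == 4625:
            q = recent[source_ip]
            q.append(ts)
            while ts - q[0] > window:          # drop failures that fell out of the window
                q.popleft()
            if source_ip in alerts:
                alerts[source_ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[source_ip] = {"first_seen": q[0], "failures": len(q),
                                     "succeeded_as": None, "logon_type": None}
        elif (event_id == 4624 and source_ip in alerts
              and alerts[source_ip]["succeeded_as"] is None):
            alerts[source_ip]["succeeded_as"] = account
            alerts[source_ip]["logon_type"] = logon_type
    return alerts


def summarize(alerts):
    """Human-readable line per alert, naming the protocol from the logon type."""
    kind = {10: "RDP", 3: "network/SMB"}
    lines = []
    for src, a in alerts.items():
        line = f"{src}: {a['failures']} failed logons from {a['first_seen']:%H:%M:%S}"
        if a["succeeded_as"]:
            proto = kind.get(a["logon_type"], a["logon_type"])
            line += f"; then logged on as {a['succeeded_as']} via {proto}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in summarize(detect_bruteforce(SAMPLE_EVENTS)):
        print(line)
```

The single mistyped password and the slow trickle from the third address never reach five failures inside one window, so only the burst source is reported; the follow-on 4624 on that source is the event that turns a noisy alert into an account-compromise alert worth paging on.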
The delivery of HardBit 4.0 is facilitated by Neshta, a file-infecting virus that has been active since 2003. In HardBit attacks, Neshta serves as a dropper for the ransomware payload. Upon execution, it performs the following four steps to deploy HardBit [2]:
Neshta also establishes persistence by copying itself to %SYSTEMROOT%\svchost.com and modifying the registry HKLM\SOFTWARE\Classes\exefile\shell\open\command to run this file whenever an .exe file is opened [2].
The HardBit binary is a .NET executable obfuscated using Ryan-_-Borland_Protector Cracked v1.0, which is believed to be a modified version of the open-source ConfuserEx [2].
HardBit also aggressively disables security controls, specifically targeting Windows Defender through Registry modifications and PowerShell commands. The malware modifies the following registry keys to disable Real-Time Monitoring, Tamper Protection, and Anti-Spyware features [2]:
```powershell
# Disables Tamper Protection.
```
Following registry updates, the malware executes Set-MpPreference with a comprehensive list of parameters like DisableBlockAtFirstSeen and DisableScriptScanning to further cripple Windows Defender.
A distinct feature of HardBit 4.0 is the requirement for an authorization ID at runtime. Without this, the ransomware will not execute, complicating automated sandbox analysis.
The execution process involves several components provided by the attackers [2]:
The operator uses the RSA Decoder, inputs the Private Key and the Encoded Authorization ID, and receives a decoded string. This decoded string is then passed as an argument to the ransomware binary. The operator must also provide an encryption key. This process is represented below:
```cmd
hardbit.exe
```
To ensure files are not locked by active processes, HardBit stops a vast array of services using net.exe stop [2].
```cmd
net.exe stop DefWatch /y
```
HardBit also systematically removes recovery options to prevent data restoration without payment [2].
```cmd
bcdedit /set {default} bootstatuspolicy ignoreallfailures
```
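The Neshta persistence change, the Defender tampering, the net.exe service-stop storm and the bcdedit recovery change described above all surface as process-creation and registry-set telemetry. The following script is an added example, not code from the article or from Picus: it runs simple rules over constructed Sysmon-style events and tags each hit with a MITRE ATT&CK technique ID. The Defender policy value names it checks (DisableAntiSpyware, DisableRealtimeMonitoring) are assumed from general Windows knowledge, since the article does not list the exact keys, and the service names other than DefWatch are constructed.

```python
"""Added example (not code from the article or from Picus): detection rules for
the post-access behaviours in the article, run over constructed Sysmon-style
telemetry. Covers the exefile-handler persistence and svchost.com image
(Neshta), the Defender registry and Set-MpPreference tampering, the net.exe
service-stop storm and the bcdedit recovery change. The Defender policy value
names below are assumed from general Windows knowledge; all events are constructed.
"""
import re
from collections import defaultdict

NET_STOP_RE = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+(\S+)", re.I)
DEFENDER_DISABLE_RE = re.compile(r"set-mppreference\b.*?-disable\w+\s+\$?true", re.I)
BCDEDIT_RECOVERY_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*?(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I)
DEFENDER_POLICY_VALUES = {"disableantispyware", "disablerealtimemonitoring"}  # assumed value names

# Constructed kill list: DefWatch is from the article, the rest are made up.
KILL_LIST = ["DefWatch", "sqlwriter", "MSSQLSERVER", "vss", "backup-agent", "mail-store"]

SAMPLE_EVENTS = [
    {"event": "registry_set", "pid": 4120,
     "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "value": r'"C:\Windows\svchost.com" "%1" %*'},
    {"event": "process_create", "pid": 5000, "ppid": 4120, "image": r"C:\Windows\svchost.com",
     "cmdline": r'"C:\Windows\svchost.com" "C:\Users\bob\Desktop\invoice.exe"'},
    {"event": "registry_set", "pid": 5000,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
            r"\Real-Time Protection\DisableRealtimeMonitoring",
     "value": "1"},
    {"event": "process_create", "pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                "-DisableBlockAtFirstSeen $true -DisableScriptScanning $true"},
    *[{"event": "process_create", "pid": 5100 + i, "ppid": 5000,
       "image": r"C:\Windows\System32\net.exe", "cmdline": f"net.exe stop {svc} /y"}
      for i, svc in enumerate(KILL_LIST)],
    {"event": "process_create", "pid": 5200, "ppid": 5000, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign noise: an admin stopping one service, and the real svchost.exe.
    {"event": "process_create", "pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop spooler"},
    {"event": "process_create", "pid": 6001, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def _alert(technique, rule, pid, evidence):
    return {"technique": technique, "rule": rule, "pid": pid, "evidence": evidence}


def analyze(events, stop_threshold=5):
    """Return a list of alerts. A single net stop is routine admin work, so
    service stops are tallied per parent process and only a storm of
    `stop_threshold` distinct services becomes an alert."""
    alerts = []
    stopped = defaultdict(set)   # parent pid -> services its children stopped
    for ev in events:
        if ev["event"] == "registry_set":
            key, value = ev["key"].lower(), str(ev["value"]).lower()
            if key.endswith(r"\classes\exefile\shell\open\command") and "svchost.com" in value:
                alerts.append(_alert("T1546.001", "exefile handler redirected to svchost.com (Neshta persistence)",
                                     ev["pid"], ev["value"]))
            elif ("\\windows defender\\" in key and key.rsplit("\\", 1)[-1] in DEFENDER_POLICY_VALUES
                  and value == "1"):
                alerts.append(_alert("T1562.001", "Defender policy value set to disable protection",
                                     ev["pid"], ev["key"]))
        elif ev["event"] == "process_create":
            image, cmd = ev["image"].lower(), ev["cmdline"]
            if image.endswith(r"\svchost.com"):    # Windows ships svchost.exe, never a .com
                alerts.append(_alert("T1036", "svchost.com executed (Neshta dropper image)", ev["pid"], ev["image"]))
            if DEFENDER_DISABLE_RE.search(cmd):
                alerts.append(_alert("T1562.001", "Set-MpPreference used to disable Defender features", ev["pid"], cmd))
            if BCDEDIT_RECOVERY_RE.search(cmd):
                alerts.append(_alert("T1490", "bcdedit used to suppress recovery", ev["pid"], cmd))
            m = NET_STOP_RE.search(cmd)
            if m:
                stopped[ev["ppid"]].add(m.group(1))
    for ppid, services in stopped.items():
        if len(services) >= stop_threshold:
            alerts.append(_alert("T1489", f"{len(services)} services stopped by children of pid {ppid}",
                                 ppid, ", ".join(sorted(services))))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['technique']}] pid {a['pid']}: {a['rule']} -> {a['evidence']}")
```

Tallying service stops by parent process rather than alerting on each net stop is the design choice that keeps the rule usable: the admin's lone `net stop spooler` stays silent, while the chain under the dropper's process produces one alert that lists every service it took down.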
By default, the malware encrypts files, updates the file icons to a HardBit-specific icon, and changes the desktop wallpaper to a ransom notice.
Uniquely, the HardBit GUI version includes a "Wiper" mode. This feature is likely an optional add-on sold to operators. It is activated via a configuration file named hard.txt containing a specific authorization ID. When enabled, the interface changes from "Encrypt" to "Wipe," and execution results in permanent data destruction rather than encryption [2].
We also strongly suggest simulating HardBit Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the HardBit Ransomware Campaign:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 83232 | HardBit 2.0 Ransomware Download Threat | Network Infiltration |
| 43877 | HardBit 2.0 Ransomware Email Threat | Network Infiltration |
| 36087 | HardBit 3.0 Ransomware Download Threat | Network Infiltration |
| 87265 | HardBit 3.0 Ransomware Email Threat | E-mail Infiltration |
| 40412 | HardBit 4.0 Ransomware Download Threat | Network Infiltration |
| 72598 | HardBit 4.0 Ransomware Email Threat | E-mail Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.