A new strain of the HardBit ransomware has emerged in the wild. It contains a protection mechanism intended to prevent analysis by security researchers.
Quite possibly. HardBit first emerged in late 2022, and quickly made a name for itself as it attempted to extort ransom payments from corporations whose data it had encrypted.
You're right. In many ways, HardBit is like other ransomware. It is a ransomware-as-a-service (RaaS) operation made available - at a price - to other online criminals. Malicious hackers break into your IT systems, encrypt your data and demand a cryptocurrency ransom be paid. However, unlike many other ransomware groups operating today, HardBit does not appear to operate a leak site on the dark web.
It seems that they don't. Instead, they appear to concentrate on extorting a ransom in exchange for a decryption key so affected organisations can recover their files. In addition, the group threatens to launch further attacks against victims if its demands are not met.
The ransom note left behind by HardBit asks victims to make contact via TOX, an open-source peer-to-peer secure messaging platform.
You are unlikely to find a way to decrypt your data, and your company risks being attacked again. HardBit also warns that the ransom demand will increase if contact is not made within 48 hours.
Yes, like many other ransomware gangs, HardBit clearly means business. The group has reinforced that in the past by encouraging its corporate victims to anonymously disclose the amount and terms of their cybersecurity insurance, arguing that sharing the information would benefit both attackers and victims - but not the insurance companies themselves.
Yes, security researchers have reported that HardBit 4.0 has been designed to be harder for malware experts to analyse. The new version of HardBit incorporates passphrase protection. When the ransomware is run, a passphrase has to be entered correctly in order for it to execute properly. The intention appears to be to make it more difficult for researchers who do not know the passphrase to analyse how the ransomware works. In addition, HardBit 4.0 comes in two flavours: a command-line version of the ransomware and another version that has a user interface. It appears that the option is being offered to make the ransomware more attractive to operators with different technical skill levels.
I agree! Follow our recommendations on how to protect your organisation from attack.