Hardbit 2.0 ransomware deploys new unique attack tactics

March 9, 2023

A new ransomware strain, dubbed Hardbit 2.0, has appeared in the cybercriminal landscape; researchers have observed it since the end of 2022 and into this year. The variant is a new version of Hardbit, which spread through different targets last year.

Hardbit 2.0 is still in development but has already displayed unique capabilities. The researchers said that this new version of Hardbit opens files and overwrites their content with encrypted data.

This behaviour is very different from the first version, which encrypts the data of file copies and deletes the originals.

Hardbit 2.0 now includes evasive features.

According to investigations, Hardbit 2.0 includes multiple evasion capabilities, such as modifying the Registry to deactivate Windows Defender's real-time behavioural monitoring, on-access file protection, and process scanning.
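As an added example (not from the original article or the researchers), the following Python code flags registry value-set events that switch off the three Defender features listed above. The event records are constructed samples shaped like Sysmon Event ID 13 fields, and the value names are the standard Windows Defender Group Policy values, assumed here because the article does not name the values Hardbit 2.0 writes.

```python
import re

# Standard Windows Defender Group Policy location and value names (assumption:
# the article does not name the exact values Hardbit 2.0 writes).
RTP_KEY = r"\software\policies\microsoft\windows defender\real-time protection"
WATCHED = {
    "disablebehaviormonitoring": "behavioural monitoring",
    "disableonaccessprotection": "on-access file protection",
    "disablescanonrealtimeenable": "process scanning",
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")  # Sysmon DWORD rendering

def defender_tamper_alerts(events, allowed_images=()):
    """Return one alert per event that sets a watched Disable* value non-zero.

    allowed_images is a hypothetical allowlist of processes expected to write
    Defender policy in your environment (for example a management agent).
    """
    allowed = {p.lower() for p in allowed_images}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = registry value set
            continue
        key, _, value = ev.get("TargetObject", "").lower().rpartition("\\")
        if not key.endswith(RTP_KEY) or value not in WATCHED:
            continue
        m = DWORD_RE.fullmatch(ev.get("Details", ""))
        if not m or int(m.group(1), 16) == 0:
            continue  # skip 0 (feature left enabled) and data that is not a DWORD
        if ev.get("Image", "").lower() in allowed:
            continue
        alerts.append({"feature": WATCHED[value], "image": ev.get("Image"),
                       "host": ev.get("Computer")})
    return alerts

# Constructed sample events (not taken from a real incident).
_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Users\Public\sample.exe",
     "TargetObject": _RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Users\Public\sample.exe",
     "TargetObject": _RTP + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Tools\mgmt-agent.exe",
     "TargetObject": _RTP + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in defender_tamper_alerts(SAMPLE_EVENTS):
        print(alert)
```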

Moreover, the new variant collects different sets of information such as disk drive data, CPU details, MAC address, system manufacturer, computer name, network adapter settings, IP configuration, and usernames.

The researchers also noted that the new variant showcases a new negotiation tactic. The ransomware operators urge their victims to reveal the details of their cyber insurance policies so that they can adjust their demands depending on the policy.

The threat actors used this strategy to let the insurance company cover all the expenses and avoid intermediaries’ involvement. Then, the victims will receive a 48-hour deadline to contact the attackers, who utilise an open-source chat program.

Researchers discovered the Hardbit ransomware in October of last year. This group targeted organisations and extorted crypto payments in exchange for encrypted data.

Cybersecurity experts claimed that these actors are desperate to profit since they have leveraged the cyber insurance company policies and put the victims in a favourable position. However, organisations should avoid sharing insurance data since they could lose the opportunity to claim damages from the insurance company.

As of now, potential victims of these new ransomware operations should only report the incidents to relevant individuals and refrain from accommodating the needs of the threat actors.
