Cyber Crime

HardBit ransomware gang adjusts their demands so the insurance company would cover the ransom cost

Recently emerged HardBit ransomware gang adjusts their demands so the insurance company would cover the ransom cost.

The HardBit ransomware group first appeared on the threat landscape in October 2022, but unlike other ransomware operations, it doesn’t use a double extortion model at this time.

The gang threatens victims of further attacks if their ransom demands are not met. Once infected the network of an organization, the HardBit ransomware group instructs victims to contact them by email or via the Tox instant messaging platform.

The group made the headline because it seeks to negotiate with victims to reach a settlement.

"Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction." reads the ransom note.

It requests the victims to share details of their cyber insurance policies so that the cost of the ransom can be completely covered by the insurer company.

By revealing the exact insurance amount to the ransomware group, crooks can prevent the insurance company should negotiate lower ransom payments. Clearly, clients of insurers are contractually obliged not to disclose this amount to the ransomware gangs.

“Rather than specifying an amount of bitcoin requested within this ransom note, the group seeks to negotiate with victims to reach a settlement. Notably, as part of these negotiations, victims with cyber insurance policies are also encouraged to share details with HardBit so that their demands can be adjusted to fall within the policy.” reads the post published by Varonis.

In order to make it impossible for the victims to recover the encrypted files, the ransomware deletes the Volume Shadow Copy Service (VSS) using the Service Control Manager and the Windows backup utility catalog along with any shadow copies.

The researchers noticed that the malware encrypts many files, potentially causing errors when Windows is restarted. To avoid problems at the successive startup, the malware edits the boot configuration to enable the “ignore any failures” option and disable the recovery option.

To prevent Windows Defender Antivirus from blocking the ransomware process, it makes several Windows Registry changes to disable many Windows Defender features (i.e. tamper protection, anti-spyware capabilities, real-time behavioral monitoring, real-time on-access (file) protection, and real-time process scanning).

The ransomware achieves persistence by copying a version to the victim’s “Startup” folder, if not already present. The executable filename mimics the legitimate service host executable file, svchost.exe, to avoid detection.

The report from Varonis also includes indicators of compromise (IoCs) that help detect the malware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, HardBit ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

10 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

14 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

19 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

22 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.