Hardbit Ransomware Asks for Insurance Details

First identified in October 2022, Hardbit ransomware is out with version 2.0. Unlike most other ransomware operators at this time, the group does not run a data leak website that can be used to threaten to leak victims' data. Upon infection, the malware works to lower the victim's security by disabling Windows Defender if it is active. The malware also targets 86 processes for termination, to make sensitive files available for encryption. It establishes persistence by adding itself to the "Startup" folder, and deletes the Volume Shadow Copies to make data recovery more difficult. After infection and encryption, the ransomware drops a note informing the victim of the process to regain their files. What makes Hardbit unique is that it also asks the victim to share the details of their cybersecurity insurance if they have it. By doing this, the group is able to set a ransom payment within the terms of the insurance and improve the likelihood of successfully receiving an extortion payment.
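As an added detection example that is not part of the original report, the following Python classifies constructed process- and file-creation records against the behaviours described above (shadow copy deletion, Startup-folder persistence, Defender tampering) and groups hits per host; the command-line patterns are assumptions about how such actions commonly appear in telemetry, not indicators taken from the report.

```python
"""
Added example: flag log records matching the Hardbit behaviours described
above. The record layout is a constructed simplification of Sysmon event
1 (process creation) and 11 (file creation) fields; the command-line
patterns are assumptions about common tooling, not report indicators.
"""
import re

# Assumed command-line patterns for the behaviours the report describes.
SHADOW_COPY_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference\s+-Disable\w+|DisableAntiSpyware)", re.I)
# Per-user Startup folder under %APPDATA%; matched as a path fragment.
STARTUP_FOLDER = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)

def classify(event):
    """Return the list of Hardbit-like behaviours matched by one log record."""
    hits = []
    if event.get("EventID") == 1:  # process creation
        cmd = event.get("CommandLine", "")
        if SHADOW_COPY_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if DEFENDER_TAMPER.search(cmd):
            hits.append("defender_tamper")
    elif event.get("EventID") == 11:  # file creation
        if STARTUP_FOLDER.search(event.get("TargetFilename", "")):
            hits.append("startup_persistence")
    return hits

def triage(events):
    """Group matched behaviours by host. Several distinct behaviours on one
    host is the combination worth escalating; a single hit may be admin work."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["Computer"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "EventID": 1, "CommandLine": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Computer": "WS01", "EventID": 11, "TargetFilename": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"Computer": "WS02", "EventID": 1, "CommandLine": "notepad.exe report.txt"},
    {"Computer": "WS03", "EventID": 1, "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```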

Analyst Notes

To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
• Install updates and patch operating systems, software, and firmware as soon as possible.
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect and respond to threats.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security.