The HardBit ransomware gang has recently updated its ransomware to version 2.0 and has adopted a new tactic when extorting victims: convincing them that it is in their best interests to disclose information about their cyber insurance policy. The operators try to find out how much the insurance company will cover and set their ransom demand accordingly. The aim is to get the biggest payout possible and ensure the insurance company, rather than the victim, takes the financial hit.
The operators try to convince victims that the insurance companies are the bad guys, because insurers negotiate to get ransom demands significantly reduced even though their policies often cover the full amount. They tell victims that those tactics put the insurer's own customers at risk, as playing hardball with ransomware gangs to lower payments often results in stolen data being sold to other cybercriminals or released on data leak sites, or in the gang simply failing to provide the keys to decrypt the data.
Their solution is for victims to anonymously provide details of their insurance policy, after which the ransom demand will be set accordingly, reassuring victims that the "poor millionaire insurers will not starve." This is a novel tactic from a relatively unconventional ransomware operation. HardBit does not engage in double or triple extortion like most other ransomware gangs, as the group does not operate a data leak site; however, it does claim to steal data before encrypting files.
HardBit makes it harder for victims to recover without paying the ransom by searching for and deleting the Windows backup utility catalog and Volume Shadow Copy Service data, and by terminating other services used by backup and data recovery tools. The group also uses a somewhat atypical method of file encryption: instead of writing an encrypted copy and deleting the original, each file is opened and its content is overwritten in place with encrypted data, which makes the encryption process faster and leaves no deleted original for file-recovery tools to find.
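The recovery-inhibition behaviour described above (deleting shadow copies and the backup catalog, stopping backup services) is visible in process-creation telemetry before encryption completes, so it is a useful early detection point regardless of the ransomware family. The following is an added example, not code from the original report or from Varonis, that runs a small rule set over constructed Sysmon-style process-creation lines. It assumes the operators use the standard built-in Windows utilities (vssadmin, wbadmin, wmic, net, sc) for these steps and that the list of backup service names is illustrative; neither is stated on the page.

```python
import re

# Constructed sample process-creation events ("image path|command line"), in the
# style of a Sysmon event ID 1 export. Illustrative data, not HardBit IoCs.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\wbadmin.exe|wbadmin.exe delete catalog -quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\net.exe|net stop VeeamBackupSvc /y",
    r"C:\Windows\System32\sc.exe|sc stop wbengine",
    r"C:\Windows\System32\net.exe|net stop Spooler",
]

# Assumed (illustrative) set of service names belonging to backup/recovery tooling.
# wbengine = Windows Block Level Backup Engine, vss = Volume Shadow Copy service.
BACKUP_SERVICES = {"wbengine", "vss", "veeambackupsvc", "sqlwriter"}

# Command-line patterns for the built-in utilities assumed to be used.
RULES = [
    ("shadow copy deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copy deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup catalog deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]
# "net stop <svc>" / "sc stop <svc>": only flagged when <svc> is a backup service.
SERVICE_STOP = re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)


def classify(command):
    """Return a reason string if the command line matches a recovery-inhibition
    pattern, otherwise None. Read-only commands (e.g. 'vssadmin list shadows')
    and stops of unrelated services are deliberately not flagged."""
    for reason, pattern in RULES:
        if pattern.search(command):
            return reason
    m = SERVICE_STOP.search(command)
    if m and m.group(1).lower() in BACKUP_SERVICES:
        return f"backup service stop ({m.group(1)})"
    return None


def scan_events(lines):
    """Run the rules over 'image|commandline' records; return the matching ones."""
    hits = []
    for line in lines:
        image, _, command = line.partition("|")
        reason = classify(command)
        if reason:
            hits.append({"image": image, "command": command, "reason": reason})
    return hits


def recovery_inhibition_score(hits):
    """Count distinct inhibition categories seen on a host. Two or more within a
    short window is a much stronger ransomware signal than any single command,
    since admins do occasionally run these tools legitimately."""
    return len({h["reason"].split(" (")[0] for h in hits})


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['reason']}] {h['command']}")
    print("categories seen:", recovery_inhibition_score(found))
```

In production the same logic would be applied as a correlation rule keyed on host and a short time window; the category count is what turns a noisy single-command alert into a high-confidence one.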
Because some victims will still be able to recover files from backups, the group also pressures victims to pay in order to prevent further attacks. While the operators claim to be targeting the insurance companies rather than the victims, disclosing policy details is a risk for the victim: cyber insurance policies usually prohibit sharing their terms with ransomware gangs, and if such a disclosure is discovered, the insurer may decline to pay the claim.
The cybersecurity firm Varonis has recently released a report providing technical details on the HardBit 2.0 ransomware variant and the group's tactics, techniques, and procedures, along with indicators of compromise (IoCs) to help network defenders identify and block attacks in progress.