HardBit 4.0 Ransomware Exploits RDP and SMB Vulnerabilities for Persistent Network Access

HardBit 4.0 Ransomware Exploits Open RDP and SMB Services to Establish Persistent Access

HardBit ransomware has evolved into a formidable threat to organizations globally. The latest iteration, HardBit 4.0, represents a significant advancement over its predecessors, introducing sophisticated features and refined techniques designed to evade detection and maintain control over compromised systems.

Unlike many ransomware groups that employ double extortion tactics by leaking stolen data, HardBit operators focus exclusively on encryption-based ransom demands. This approach underscores their reliance on the effectiveness of their encryption methods to compel victims into compliance.

Initial Access and Attack Vector

The attack sequence initiated by HardBit 4.0 begins with the exploitation of vulnerable network entry points. Analysts from Picus Security have identified that HardBit 4.0 actors gain initial access through brute-force attacks targeting open Remote Desktop Protocol (RDP) and Server Message Block (SMB) services. By systematically attempting numerous password combinations, attackers can breach systems with weak or default credentials.

Once access is secured, the attackers prioritize credential harvesting to facilitate lateral movement within the network. This strategy enables them to expand their control and identify high-value targets for encryption.

Deployment Mechanism

HardBit 4.0 employs a multi-stage deployment strategy that enhances its stealth capabilities. Central to this approach is the use of Neshta, a file-infecting virus dating back to 2003, repurposed as a dropper to deliver and execute the HardBit 4.0 payload. This method allows the ransomware to bypass traditional antivirus detection, as Neshta modifies executable files and establishes persistence through registry manipulation.

The deployment process unfolds in four distinct steps:

1. Extraction: Upon execution, Neshta reads its own binary file to extract the HardBit payload from specific memory offsets.

2. Decryption: It then decrypts the HardBit header and body, reconstructing the ransomware binary.

3. Execution: The decrypted payload is written to the system’s temporary directory and launched using legitimate Windows execution functions.

4. Persistence: To ensure the malware’s longevity, Neshta copies itself to the system root directory as a hidden file and modifies registry keys. This manipulation ensures that whenever a user attempts to run any executable file, the malware executes first.

Defense Evasion Techniques

HardBit 4.0 incorporates aggressive defense evasion tactics aimed at neutralizing security software:

– Registry Modification: The malware alters multiple Windows Registry entries to disable critical Windows Defender features, including Real-Time Monitoring, Tamper Protection, and Anti-Spyware capabilities.

– Obfuscation: The binary is obfuscated using a modified version of the ConfuserEx protector, complicating reverse engineering efforts and analysis by security professionals.

– Passphrase Protection: A unique feature of HardBit 4.0 is its passphrase protection mechanism, requiring specific authorization keys at runtime. This measure prevents accidental or automated sandbox detonation, thereby concealing the malware’s behavior from security researchers.

Mitigation Strategies

Organizations can bolster their defenses against HardBit 4.0 by implementing the following measures:

– Monitor Network Activity: Regularly monitor for unusual RDP and SMB activity, which may indicate unauthorized access attempts.

– Strengthen Credential Management: Enforce strong, unique passwords and implement multi-factor authentication to reduce the risk of brute-force attacks.

– Isolate Backups: Maintain updated backup systems that are isolated from network access to ensure recovery options remain available and inaccessible to attackers.
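The "Monitor Network Activity" recommendation above, applied to the brute-force initial access described earlier, as an added example that is not part of the original article: a small detector that reads Windows Security failed-logon (Event ID 4625) records and raises an alert when one source exceeds a failure threshold against RDP (logon type 10) or SMB/network (logon type 3) within a sliding time window. The event records, the threshold and the window are constructed here for illustration; in practice the events would come from a SIEM or from exported event logs.

```python
"""Flag RDP/SMB brute-force patterns in Windows 4625 (failed logon) events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types as recorded in Event ID 4625: 10 = RemoteInteractive (RDP),
# 3 = Network (SMB file shares and other network logons).
LOGON_TYPE_NAMES = {10: "RDP", 3: "SMB/network"}

# Constructed sample events (not real telemetry): one source hammering RDP
# with a different username each second, plus one user mistyping a password.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:00:%02d" % s, "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "user%d" % s} for s in range(12)
] + [
    {"time": "2024-05-01T02:03:05", "event_id": 4625, "logon_type": 3,
     "src_ip": "198.51.100.20", "user": "alice"},
    {"time": "2024-05-01T02:03:09", "event_id": 4625, "logon_type": 3,
     "src_ip": "198.51.100.20", "user": "alice"},
]


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Return one alert per (source, service) whose failed logons reach
    `threshold` inside any `window`-long span. The distinct-user count tells a
    password spray (many accounts) apart from an attack on a single account."""
    failures = defaultdict(list)   # (src_ip, logon_type) -> failure timestamps
    users = defaultdict(set)       # (src_ip, logon_type) -> usernames tried
    for e in events:
        if e["event_id"] != 4625 or e["logon_type"] not in LOGON_TYPE_NAMES:
            continue
        key = (e["src_ip"], e["logon_type"])
        failures[key].append(datetime.fromisoformat(e["time"]))
        users[key].add(e["user"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:     # first window crossing the line
                alerts.append({"src_ip": key[0], "service": LOGON_TYPE_NAMES[key[1]],
                               "failures": end - start + 1,
                               "distinct_users": len(users[key])})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold and window to the environment's normal failure rate; a low threshold against an internet-exposed RDP host will fire constantly, which is itself a sign the service should not be exposed.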

By adopting these proactive strategies, organizations can enhance their resilience against the evolving threat posed by HardBit 4.0 ransomware.