New HardBit Ransomware 4.0 Variant Now Comes Enhanced with Password Protection 

Published on July 15, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
Edited by:
Novak Bozovic
Novak Bozovic
Tech & VPN Content Specialist

The HardBit ransomware group enhanced version 4.0 now comes with passphrase protection, which Cybereason observed in the wild, with all the binaries packed by the Neshta virus. The HardBit binary provides an encoded authorization ID and a Private Key to decode it with the help of an RSA decoder binary.

The HardBit Ransomware-as-a-Service (RaaS) was first seen in 2022 and is used for financially motivated attacks. It usually exfiltrates and encrypts victims' data for ransom and threatens to conduct additional attacks.

There are CLI or GUI versions of the ransomware available, the latter being more intuitive for operators without strong technical skills. 

HardBit Ransomware GUI
Image source: Cyberreason

HardBit’s initial infection method is not well known, but security researchers believe threat actors use the brute force of an open RDP and SMB service due to multiple login failures from known brute-forcing IP addresses observed in the compromised environment. 

Then, they use the Windows credential dumping tool Mimikatz and the RDP brute-forcing tool NLBrute for lateral movement. They also deployed a malicious BAT script that has been observed in GoGoogle ransomware but did not execute NirSoft and LaZagne. 

Hardbit Propagration
Image source: Cyberreason

The threat actors retrieved the Advanced Port Scanner, the popular port scanning tool KPortScan 3.0, and malicious network shares scanning 5-NS new.exe network discovery tools from the Internet. The latter were previously employed by Dharma Ransomware, LockBit Ransomware, and Phobos Ransomware.

Neshta, a virus known to have been active since 2003, is responsible for delivering HardBit. HardBit is itself a .NET binary obfuscated by a popular packer used by Redline Infostealer and Cyborg ransomware. Security analysts believe it may be a custom version of the Open-Source .NET packer ConfuserEx.

The observed version of Neshta dumps the HardBit Ransomware binary into the %TEMP% directory with the same filename as the original Neshta binary. Once the dumping of HardBit Ransomware is complete, Neshta proceeds to execute HardBit Ransomware via ShellExecuteA. 

Hardbit Propagration
Image source: Cyberreason

HardBit contains features to disable Windows Defender’s Tampering Protection, Anti-Spyware, and Real-Time monitoring by updating registries. 

This ransomware group shares similarities such as name, group image, fonts, and ransom notes with LockBit ransomware, and security experts believe the latter may have served as an inspiration for HardBit.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: