Robin Hood’s cryptographer or how HardBit declared war on insurance companies

Greetings! Today we’ll talk about the HardBit ransomware, which has been a nightmare for organizations worldwide for quite some time. Having appeared in October last year, the malware has already caused enormous damage. The criminals behind this virus stand out for their atypical approach to business: they personally contact each victim and set the ransom amount. It is also noteworthy that if the victim has insurance, the attackers demand only the amount the insurance covers.

Previously, the malware was not active in the CIS countries, but it has now begun to spread there rapidly. Recently, Solar JSOC recorded several requests from Russian customers affected by HardBit. Information about the victims remains confidential, but Solar reports that the ransom demanded is about $25,000.

As mentioned earlier, the ransomware was first discovered in October 2022. This version was called HardBit 1.0 and was relatively simple, both in its construction and in its encryption algorithm.

But in November 2022 a new version appeared online. Nobody really bothered with the naming, so it was called HardBit 2.0. And here everything became much more complicated, for a very simple reason: the second version is several times superior not only to its predecessor but also to most modern ransomware, with an advanced encryption method, serious anti-analysis measures and theft of data backups.

It’s worth explaining, in case anyone didn’t know: before encrypting a file, most modern lockers send it to the attackers’ C&C server. So if the victim kept material on the compromised device that under no circumstances should end up online, the criminal notices this, examines the originals, contacts the victim and demands money for non-disclosure. A kind of double extortion.

But unlike its peers, HardBit has not been caught leaking victims’ confidential information.

And after that we are greeted by silence. HardBit continues its moderate spread but practically does not develop at all. This trend continued until March 2023. If I remember correctly, around that time LockBit Green (3.0) appeared on the Internet and took all the attention. Perhaps it was precisely this lack of attention that let the malware cause such a stir: a few months later, the entire foreign media space would be flooded with news about HardBit.

As mentioned earlier, the ransomware’s authors have an unhealthy love for insurance companies. We will not build conspiracy theories about some disgruntled insurance employee imagining himself Robin Hood and robbing in the name of the common people, but we won’t exclude the possibility either. Foreign insurance companies were simply shocked by what was happening and eventually even began to refuse to pay ransoms to the attackers, leaving affected users to fend for themselves.

And the criminals cleverly turn the unreliability of insurance companies to their advantage. I quote a fragment of the HardBit note:

“Because the cunning insurance agent deliberately negotiates and delays the process to avoid paying the ransom, in this situation only the insurance companies win, and you lose your data. To avoid all this, be sure to inform us anonymously about the availability and conditions of insurance coverage.”

And in fact, I sit and am amazed at this interesting approach to extortion, which on a subconscious level attracts the victim to the attacker. “We don’t want your money, let’s rob the insurance company.”

The malware’s delivery methods are still not clearly established: some sources claim the attackers built an entire phishing network targeting company employees, while others believe the virus spreads using zero-day vulnerabilities. I lean toward the first option and think that elaborate, perhaps even individually tailored phishing letters are at work here. Let’s assume that delivery uses a method similar to the Covid ransomware Punchisher. Let me remind you that it used a detailed letter with original seals and signatures, allegedly from ministries of health, which gave access to a fake program for monitoring Covid-19 activity. You can read more details here.

In this article we will analyze the newest version of this malware. Why not all three? Because this is a fairly new encryptor and the number of samples is very limited; I was lucky to find only versions 2.0 and 3.0 in the public domain.

HardBit 3.0: Brief Static Analysis

List of tools used for analysis:

  1. DIE (Detect It Easy): a multifunctional tool with a huge arsenal. It lets us determine the malware’s compiler, language, libraries and import/export tables, and then disassemble it.

  2. PE-bear: a good tool for viewing and editing the components of a PE file.

  3. Tiny Tracer: a utility for dynamically tracing the execution of binaries; a tracer, in other words.

  4. IDA Pro: a reverse engineering tool.

  5. Reko: a decompiler, also familiar to us from previous articles.

  6. HollowsHunter: a utility that detects and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcode, hooks, in-memory patches).

So, before us is an executable .exe file weighing 354 KB, which is not very much for ransomware. Viewing its details, we see the following picture:

Yes, these are attempts to disguise the malware as a legitimate Windows process, in this case svchost, but the most surprising thing is the original file name. As usual, we use DIE to get more information about the file. And at that moment I wanted to cry: besides the fact that this is a 32-bit PE executable written in .NET, there are as many as three protectors.

.NET Protector is software for protecting applications developed on the .NET platform. It is designed to protect application code and resources from unauthorized access, copying or modification, and developers use it to harden their applications and protect intellectual property.

Another interesting thing is the altered compilation date. Many people already know this technique; it is called TimeStomping.

Timestomping is a technique attackers use to change file timestamps in order to hide traces or mislead the system and its analysts. The creation, modification and access dates of files are altered so that their apparent history and metadata are distorted.
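A check that follows from the altered compilation date, added here as an example and not part of the original write-up or of the sample: it reads the PE header's TimeDateStamp with Go's standard library and judges it against the file's on-disk modification time. The 2002 lower bound and the 24-hour tolerance are my own assumptions.

```go
package main

import (
	"debug/pe"
	"fmt"
	"os"
	"time"
)

// Constructed lower bound: no .NET assembly can honestly predate the framework's 2002 release.
var dotNetEpoch = time.Date(2002, 1, 1, 0, 0, 0, 0, time.UTC)

// compileTimeVerdict compares a PE TimeDateStamp (Unix seconds) with the file's on-disk mtime: a stamp
// in the future, before 2002, or later than the file was last written points to TimeStomping.
func compileTimeVerdict(stamp uint32, modTime, now time.Time) string {
	compiled := time.Unix(int64(stamp), 0).UTC()
	switch {
	case compiled.After(now.Add(24 * time.Hour)):
		return "in the future"
	case compiled.Before(dotNetEpoch):
		return "before .NET existed"
	case compiled.After(modTime.Add(24 * time.Hour)):
		return "later than the file's own modification time"
	}
	return "plausible"
}

// inspect reads the COFF header of a PE file with the standard library and applies the check.
func inspect(path string) (string, error) {
	f, err := pe.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	st, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	return compileTimeVerdict(f.FileHeader.TimeDateStamp, st.ModTime(), time.Now()), nil
}

func main() {
	for _, p := range os.Args[1:] { // usage: go run . sample.exe
		if v, err := inspect(p); err != nil {
			fmt.Println(p, "error:", err)
		} else {
			fmt.Println(p, "->", v)
		}
	}
}
```

A "plausible" verdict only means the stamp is self-consistent; a careful attacker can stomp both the header and the file times together.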

Of course, I was glad that the malware was a .NET assembly, because such assemblies are essentially the end result of compiling C# code. Fortunately, we can easily decompile this kind of sample with dnSpy and analyze clean source code, or at least something close to it. At least, that would be the case if not for three protectors unknown to me.

As per tradition, the sample was uploaded to VirusTotal, and we received the following detection rates:

Incredibly, 60 out of 70 antiviruses see this file as a threat.

Well, let’s figure it out further. We switch to dnSpy and are immediately greeted by chaos. The entry point is not defined, and when viewing the existing functions we see this:

A copyright notice from one of the protectors, or a deliberate attempt to mislead us, because this Ryan’s Facebook page does not exist at all. Furthermore, we now see this picture:

To turn all this into relatively readable code, a whole lot of manipulation is required. We’ll start with the first obfuscator.

DNGuard HVM – removing the first layer of protection

DNGuard HVM (High-Level Virtual Machine) is a fairly old tool for protecting and obfuscating .NET applications. It gives .NET developers a means to harden their code against unauthorized access and attacks on intellectual property. DNGuard HVM includes various techniques, such as its high-level virtual machine, to make code analysis and modification harder for attackers. But its main feature remains anti-debugging and anti-dumping, total encryption of all information in the module and very effective resistance to static and dynamic analysis.

This protector is our worst enemy in today’s analysis.

But this problem can be solved. To begin with, I decided to try launching the debugger, and luck smiled on me. We managed to find the application’s entry point; this information will be extremely useful in later stages. But then the debugger produced the error “Error, DNGuard Runtime library loaded!” and the process was interrupted, which is natural. An attempt to attach the malware’s execution to another process and thus trace at least an approximate order of execution also fails.

Maybe I don’t know everything, but a .NET assembly is built around cross-platform IL code, which is stored in the metadata and loaded from there as each method or function is executed. Many obfuscators, including DNGuard, replace the IL decryption procedures, thereby causing chaos in reverse-engineering tools such as dnSpy. That was a very rough and concise description; read more in detail here.

Fortunately for us, not a single protector, even with three of them stacked, is capable of completely replacing the decryption flow, and ultimately the data is still handed to mscorlib.ni.dll. And it can be intercepted with a simple debugger, which is exactly what we will do. There is simply no other way here: the level and quality of DNGuard’s virtualization is an order of magnitude higher than that of KoiVM, which we dealt with before.

We will use x64dbg as the debugger. Let’s load our sample right away and try to find out which string constants are used. Find the line ntdll.RtlUlonglongByteSwap in the list of loaded libraries, set a breakpoint on it and delete the default breakpoint. Now in the log we can find an approximate, though very vague, sequence of the malware’s operation. It gives us little. I determined that the section responsible for redirecting the decryption flow is located at 772F309D, which means we need to separate it from the main part of the code. This is done by removing that block; at least I haven’t come up with any method other than overwriting it with NOPs.

Now, to reduce the time spent, we can use DNGuard Unpacker, which is something like a simple deobfuscator. But I strongly advise against relying on it: although it can make life easier, it is too tied to older versions of the .NET Framework and can produce less than ideal results.

In our case, though, it worked perfectly: viewing the result in dnSpy, you can see that the amount of garbage has decreased significantly, but two more protectors still lie ahead.

At this stage I decided to stop torturing myself with obfuscators and turned to someone who knows more about this. There is no need to describe all of that here.

HardBit 3.0 itself

At this stage I can clearly say that the latest version of this ransomware is based on the previous one, since they have a lot in common.

The malware’s operating algorithm can be described in the following steps:

  1. Collecting information and establishing persistence in the system.

  2. Communicating with the C&C server and transferring data.

  3. The encryption itself.

  4. Covering tracks.

Collecting information and establishing persistence in the system

So, first the ransomware copies itself to the following path:

%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

In simple terms, this is autostart. A new key performing a similar function will also be created in the Windows registry:

HKEY_CURRENT_USER\Software\Classes.hardbit3
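A defender-side check for the persistence described above, added here as an example rather than code from the write-up or from HardBit: it lists executables dropped directly into a Startup folder and flags any that borrow a core Windows binary's name, as svchost.exe does here. The names other than svchost.exe and the reason strings are my own additions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Names that belong in System32 and have no business in a per-user Startup folder.
// svchost.exe is the one HardBit borrows; the rest are constructed additions for the same pattern.
var systemBinaryNames = []string{"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

// suspiciousStartupEntries reports executables placed directly in a Startup folder. Legitimate
// entries there are normally .lnk shortcuts, so a bare .exe is unusual on its own; one that borrows
// a system binary's name gets a stronger reason. The folder is a parameter so it can be any profile.
func suspiciousStartupEntries(startupDir string) ([]string, error) {
	entries, err := os.ReadDir(startupDir)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !strings.EqualFold(filepath.Ext(name), ".exe") {
			continue
		}
		reason := "executable dropped directly into the Startup folder"
		for _, sys := range systemBinaryNames {
			if strings.EqualFold(name, sys) {
				reason = "masquerades as " + sys + ", which only belongs in System32"
			}
		}
		hits = append(hits, filepath.Join(startupDir, name)+": "+reason)
	}
	return hits, nil
}

func main() {
	// The write-up's path, %appdata%\Microsoft\Windows\Start Menu\Programs\Startup, for the current user.
	dir := filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
	hits, err := suspiciousStartupEntries(dir)
	if err != nil {
		fmt.Println("cannot read", dir+":", err)
		return
	}
	for _, h := range hits {
		fmt.Println("suspicious:", h)
	}
}
```

Run it against every profile under C:\Users, not only the current one, since the copy lands in the infected user's own Startup folder.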

Information about the system is collected via system calls: NtBuildNumber provides the Windows build number, and NtQueryPerformanceCounter provides information about the system’s characteristics.

It’s not very clear why, but the malware only runs on modern systems. I tried to run Hardbit 3.0 on Windows 7 and didn’t get any results. But version 2.0 works great.

A client_id value is then generated, which is later used as the password for the AES-256 CBC encryption and also as an RSA key.

Next, HardBit checks whether the computer is connected to the Internet by simply pinging google.com, and information is transferred using the send_data_to_c2 function.

The encryption itself

In fact, I was surprised by the simplicity of this ransomware. So far it hasn’t shown anything special. As mentioned earlier, HardBit uses AES-256 in CBC mode with a key derived according to the PBKDF2 standard.

This process combines several encryption and hashing techniques used to protect data in practice. Let’s look at each component separately:

AES (Advanced Encryption Standard) is a modern symmetric encryption algorithm that is widely used to protect data. AES-256 means that this algorithm uses 256-bit keys to encrypt and decrypt data.

CBC (Cipher Block Chaining) is a mode of operation for the AES algorithm. In CBC mode, data is split into blocks, and each plaintext block is XORed with the previous ciphertext block before being encrypted, so identical plaintext blocks do not produce identical ciphertext blocks.

PBKDF2 (Password-Based Key Derivation Function 2) is a function for deriving keys from passwords or other secret data. It is commonly used to strengthen passwords, making brute-force guessing more expensive: it takes an input (such as a password) together with a salt and runs it through a keyed hash many times to produce a cryptographic key.

AES-256 CBC over PBKDF2 sounds complex, but in simple terms: the password is first passed through PBKDF2 to produce a strong key, which is then used to encrypt and decrypt the data with AES-256 in CBC mode.

It’s good when such methods are used to truly protect data, but sad when they are used to do harm. By the way, a similar method was used by the MSI ransomware Magniber, though that one was a little simpler.

The Initialization Vector (IV) is a value hard-coded in the binary:

An initialization vector (IV) is an arbitrary number used together with the secret key when encrypting data; in CBC it seeds the first block of the chain. Hard-coding it means every file encrypted under the same key starts from the same state, so files with identical leading plaintext produce identical leading ciphertext blocks.
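To make the AES-256-CBC-over-PBKDF2 scheme and the hard-coded IV concrete, here is an added example in Go; it is not HardBit's code and not from the original article, and it carries its own PBKDF2 so that nothing beyond the standard library is needed. The salt, iteration count, IV and client_id are constructed placeholders, since the real values are not given on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed placeholders: HardBit's real salt, iteration count and IV are not on the page.
var demoSalt, demoIV = []byte("placeholder-salt"), bytes.Repeat([]byte{0x11}, aes.BlockSize)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for dkLen <= 32, i.e. the single block
// T1 = U1 xor U2 xor ... xor Uc, built from the standard library only.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // U1 = PRF(P, S || INT(1))
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iter; i++ { // U_j = PRF(P, U_{j-1})
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// deriveKey turns the client_id "password" into a 256-bit AES key; 10000 iterations is a placeholder.
func deriveKey(clientID string) []byte {
	return pbkdf2SHA256([]byte(clientID), demoSalt, 10000, 32)
}

// encryptCBC applies AES-256-CBC with PKCS#7 padding and the fixed IV. With one key and one IV for
// every file, inputs sharing their first 16 plaintext bytes get an identical first ciphertext block.
func encryptCBC(key, plaintext []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, demoIV).CryptBlocks(out, padded)
	return out
}
```

Comparing the first 16 bytes of two encrypted files that share a common header is how an analyst can confirm a fixed IV from samples alone, without knowing the key.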

Well, the encryption process is relatively simple: first the key is initialized using the aes_l_levelkegen function, then the AESKEYGENASSIST instruction is used to help expand the key into the round keys (the key schedule). You can read about it here.

After all this, the data block is loaded and encrypted round by round using the AESENC instruction, described in more detail here. The process ends with the AESENCLAST instruction, and you can read about it here.

The file types the malware encrypts are also hard-coded in the binary:

arc asf avi bak bmp fla flv gif gz iso jpeg jpg mid mkv mov mpeg mpg paq png rar swf tar tbk tgz tif tiff vcd vmdk vob wav wma wmv zip.

After encryption, the malware performs actions that are routine for its family, namely:

  1. Setting a custom background image.

  2. Placing a ransom note in all directories where encryption was performed and opening it.

(3.0 did not start on the virtual machine)

Conclusions

Yes, this is only an analysis of HardBit 3.0. Unfortunately, there is simply not enough space for the second version. The article is already quite extensive, so we’ll leave the second part for later.

At the moment, the HardBit 3.0 ransomware is detected by almost all antivirus applications, but I wouldn’t rely on that alone. After all, if the attackers change the source code even slightly, no protection other than your own head will help.

But what’s really encouraging is the strong protection of the malware’s source code, which almost completely rules out “custom” modifications of this ransomware.

As for those who have already become victims of HardBit, everything is quite simple. Solar has developed a decryptor specifically for you. But it only works for versions 2.0 and 3.0, since they share a similar operating algorithm. The first version is no longer used by the attackers, and you are unlikely to fall victim to it.

The decryptor, as always, can be found on the NoMoreRansom portal; its interface is extremely simple, and there is no need to explain anything. To clean the system and completely remove the malware, I can recommend following these instructions.

Author of the article @DeathDay

