The latest version of the Hardbit ransomware encrypts files in place rather than copying them first, which saves the operation time. Its operators then open an unusual negotiation: they ask the victim for the details of its cyber-insurance policy and size the ransom demand to the coverage.

Like most threats of this type, Hardbit first exfiltrates sensitive data in plaintext once it is inside the victim's network, before running the payload that performs the encryption. It then deletes volume shadow copies and encrypts by overwriting the original files directly, which saves time and leaves no deleted plaintext copy behind to carve from disk.

At this point the malware renames each encrypted file, adding a contact email address and the extension ".hardbit2" to the name, and drops a ransom note in every folder that contains encrypted files, both as a text file and as an HTML copy of the same note. The operators then ask the victim for help to make the extortion more persuasive: if they learn that the victim holds an insurance policy covering ransomware damage, they ask for the details of the coverage.
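The two behaviours described above (encrypted files renamed with a contact address and the ".hardbit2" suffix, preceded by shadow-copy deletion) are what a responder can look for on a host. The script below is an added triage example, not code from the article or from the Hardbit operators: it walks a directory tree, counts ".hardbit2" files per folder, extracts the contact address from the name, notes whether a .txt and an .html file sit beside them, and flags shadow-copy deletion in process-creation log lines. The exact position of the email inside the file name, the ransom-note file name, and the specific shadow-copy commands (vssadmin, wmic, wbadmin, WMI) are assumptions; the article only says that shadow copies are removed. The sample directory and log lines are constructed for the demo.

```python
import os
import re
import tempfile

# Suffix named in the article. Where the email sits inside the name is not
# stated, so any address before the suffix is accepted (assumption).
HARDBIT_SUFFIX = ".hardbit2"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def contact_email_from_name(filename):
    """Return the contact email embedded in a Hardbit-style file name,
    or None if the name lacks the .hardbit2 suffix or carries no address."""
    if not filename.endswith(HARDBIT_SUFFIX):
        return None
    stem = filename[: -len(HARDBIT_SUFFIX)]
    match = EMAIL_RE.search(stem)
    return match.group(0) if match else None


def scan_tree(root):
    """Walk root and report every directory holding .hardbit2 files.

    The ransom-note file name is not given in the article, so a folder is
    marked as carrying notes when any .txt / .html file sits beside the
    encrypted files (assumption)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(HARDBIT_SUFFIX)]
        if not encrypted:
            continue
        emails = {e for e in map(contact_email_from_name, encrypted) if e}
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": len(encrypted),
            "emails": emails,
            "txt_note": any(f.lower().endswith(".txt") for f in files),
            "html_note": any(f.lower().endswith((".htm", ".html")) for f in files),
        }
    return report


# Common ways of wiping Volume Shadow Copies on Windows. The article says only
# that Hardbit removes shadow copies; which command it uses is an assumption.
SHADOW_WIPE_RE = re.compile(
    r"(vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*\.Delete\(\)"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)


def flag_shadow_copy_deletion(log_lines):
    """Return the process-creation log lines whose command line wipes shadow copies."""
    return [line for line in log_lines if SHADOW_WIPE_RE.search(line)]


# Constructed process-creation log lines (not real telemetry).
SAMPLE_PROCESS_LOG = [
    'host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'host=WS01 user=alice image=C:\\Program Files\\Office\\winword.exe cmdline="winword.exe budget.docx"',
    'host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
]


def build_sample_tree():
    """Create a constructed post-encryption layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="hardbit_demo_")
    finance = os.path.join(root, "finance")
    untouched = os.path.join(root, "untouched")
    os.makedirs(finance)
    os.makedirs(untouched)
    encrypted_names = [
        "q1.xlsx.[contact@example.com].hardbit2",
        "budget.docx.[contact@example.com].hardbit2",
    ]
    for name in encrypted_names:
        with open(os.path.join(finance, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # stand-in for ciphertext
    for note in ("How_To_Restore.txt", "How_To_Restore.html"):  # assumed note names
        with open(os.path.join(finance, note), "w") as fh:
            fh.write("your files are encrypted")
    with open(os.path.join(untouched, "readme.md"), "w") as fh:
        fh.write("nothing to see here")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for folder, info in scan_tree(demo_root).items():
        print(f"{folder}: {info['encrypted']} encrypted, contact={sorted(info['emails'])}, "
              f"txt_note={info['txt_note']}, html_note={info['html_note']}")
    for line in flag_shadow_copy_deletion(SAMPLE_PROCESS_LOG):
        print("shadow-copy wipe:", line)
```

Run it against a suspect share to get a per-folder count and the contact address the operators chose; the shadow-copy check is the earlier, pre-encryption signal, so it belongs in process-creation alerting rather than post-incident triage.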

They then set the ransom demand to what the policy will pay out, pitching to the victim that the insurer, not the company, will cover the cost: the criminal group profits, the affected company supposedly loses nothing, and the insurance company bears the whole burden of the attack. That framing is the attackers' own. Disclosing the coverage hands the negotiator the exact ceiling to demand, and keeping policy terms away from the extortionist while involving the insurer's incident-response contacts is the standard guidance.