Interview with Hardbit Ransomware, a new group with great ambitions


A few months ago, some industry analysts and journalists speculated that in 2022 ransomware activity would slow down and that there would be far fewer attacks and victims than in 2021. Nothing could be more wrong.

The only certain thing is that several groups have disbanded, but this has given rise to new groups, while for others it has only been a restyle. Overall, the share of extortion attacks has not decreased; quite the contrary.

In a recent report published by Red Sense we can read that, as far as the healthcare sector is concerned, there has been no slowdown: the number of healthcare facilities affected, both in the U.S. and in Europe, has not declined at all.

Hardbit Ransomware is a new group of cybercriminals that may soon be making a name for itself. We contacted them through their qTox channel and asked them some questions.

Here are our questions and his answers.

SuspectFile (SF) – The first Hardbit Ransomware file samples have been seen for the first time recently, does this mean that your group is also newly established?

Hardbit Ransomware (Support): We have been working with all kinds of ransomware for almost four years. We put useful features of all ransomware in hardbit.

The Hardbit project has been in production for almost 3 years, and we tried to use the safest methods to encrypt files so that both the files remain completely safe and not decrypted, and we officially started working a few months ago.

SF – Do you consider yourself to be a politically linked ransomware group?

He did not reply

SF – Do you have a specific target regarding the victims? Do you pay more attention to a particular sector such as education, health, construction or is a victim “just a business” for you?

(Support): It’s just a business.

We do not attack places like hospitals, schools and universities. But if they are attacked, if they can prove it, they will be decrypted for free.

We bad people actually do favors to people. When we hack and encrypt them, they have to pay back and give us money. When they give us money, they will not repeat that mistake.

SF – We have seen that, unlike many other groups, you release computer networks on infected PCs that you hit two known ransomware. Is there a reason why you chose this type of double communication with the victim?

(Support): In the help and hta files there is a main support ID and two emails that customers should contact. Clients should not ask me to decrypt because I don’t do it. They must agree and pay with the person in the email. Then receive the key from the same email.

SF – We have seen that in a part of your ransom note “How To Restore Your Files.txt” (“Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations …”), you use the same text present in the ransom notes of the LockBit group. What can you tell us about this?

(Support): Yes, a complete text about insurance companies was written by lockbit, which we put in the ransomware.

SF – Are the files on the victims’ PCs encrypted by adding the .hardbit extension? Does this apply to all the networks you have attacked so far?

(Support): Yes, the extension of all servers so far has been .hardbit, but it will soon become hardbit2.

HardBit2 will be launched soon with new features.

SF – Is it correct when we claim that Hardbit Ransomware uses Azorult spyware on victim’s PCs to retrieve information on victims’ login credentials?

He did not reply

SF – Besides phishing, does your group also use other ways to enter victims’ computer networks, e.g. RDP, VPN …?

He did not reply

SF – In the ransom notes (wallpaper and .txt file) there are some of your contact details, e-mail and qTox. Don’t you use TOR, Telegram, forums like many other groups to list your victims?

He did not reply

SF – What are the victims you have hit so far, and what was the highest ransom you asked for?

(Support): Unfortunately, we cannot give you information about customers, but as I said, the price depends on their information, from a minimum of 5 thousand dollars. Decryption costs depend on the country, the type of company, the volume of data, etc.

SF – SuspectFile is following cyber attacks in the healthcare sector very closely. Can you tell us if you have hit a public or private hospital to date? If so, which one?

He did not reply

SF – Is Hardbit Ransomware a closed group or does it have affiliates (RaaS)?

(Support): We cannot give you information about partners.

SF – Many newspapers in the cybersecurity sector and many analysts claim that in 2022 the percentage of cyber attacks and the number of new ransomware groups have decreased. We do not agree with this analysis; indeed, we believe that the number of attacks on public or private institutions has grown enormously, as has the birth of new groups, some born from the dissolution of others such as Maze, REvil, Conti and BlackMatter, just to name a few. What can you tell us about it? What is your opinion?

He did not reply

Finally, we asked him a direct question about possible connections between his group and the LockBit code leak that occurred a few weeks ago.

SuspectFile: I ask you if your group is “a consequence” of what happened on the recent LockBit code leak.

(Support): Of course not, lockbit didn’t pay the developer fee with millions of dollars in revenue. But we don’t do that ))

14.10.2022 Additional Statement of Hardbit Ransomware:

After the article was published, Hardbit Ransomware contacted us through qTox to point out that, according to him, we had omitted a statement he made during yesterday’s interview.

He asked us, or rather demanded, that we add it; otherwise, according to him, we should delete the entire article. Nobody can tell us, or force us, to write from dictation. I reiterated to Hardbit that SuspectFile is always willing to review and correct any omissions or errors, and to add any statements.

SuspectFile obviously disagrees with his statement: the money demanded from victims in exchange for the data stolen from them during a cyber attack has only one name: extortion.

Hardbit’s additional statement follows:

We do not steal from anyone. The victim who pays the money will get 100% of their files back. If they are stolen, customers can contact me and when they can prove that they were stolen, they will receive the key for free and the person who stole from them will be fired