New HardBit 2.0 Ransomware Tactics Target Insurance Coverage
Hackers Demand Info on Victim's Cyber Insurance Policy to Negotiate Ransom Demand
A newly uncovered ransomware group is employing previously unseen extortion tactics - demanding to know the victim's cyber insurance coverage - to extort millions of dollars in ransom.
The HardBit ransomware group was first discovered by security researchers in October 2022. The operators of a newer version of the ransomware, dubbed HardBit 2.0, are now demanding details about the victim's insurance policy before making the ransom demand, security researchers at Varonis, who uncovered the malware, say in a recent report.
"Be sure to inform us anonymously about the availability and terms of the insurance coverage."
– HardBit 2.0 hacker message
In what appears to be a tactic to demand higher payouts from victims, the group claims the information is needed because insurers often fail to meet the claim demands made by victims. The group also says that if victims disclose the details of their cyber insurance privately, it will not demand any more than $10 million, which it says would be a "win-win" situation for both the victims and the hackers.
Varonis provided an example of a HardBit 2.0 message to a victim: "Since the sneaky insurance agent purposely negotiates so as to not pay for the ransom, only the insurance companies win in this situation. To avoid all of this, be sure to inform us anonymously about the availability and terms of the insurance coverage."
Other than the unique ransom extortion technique displayed by the hackers, Varonis researchers say the capabilities of the latest ransomware are no different from other variants. Although the researchers remain unclear about the hackers' initial access vector, they suggest that HardBit 2.0 is most likely deploying tried-and-tested measures of targeting employees with phishing lures, using their compromised credentials or exploiting old vulnerabilities for data exfiltration.
Once a target is successfully compromised, the hackers first gather system information and disable antivirus checks. They then proceed to deploy the malware for encrypting the targeted files, the report says.