This ransomware group wants you to double-cross your insurer

Another ransomware group has emerged to threaten organizations, and they're very interested in your insurance plan.

What sets the HardBit group apart from the others is not its ransomware or TTPs (threat research published Feb. 20 by Varonis said it's unknown how the group gains initial access to victim networks) but rather its request that victims disclose the maximum amount their insurance will cover for a ransom payment, so the group can demand the same amount.

In an image posted by Varonis threat researchers to their blog, the ransom note makes an appeal to the victim to stick it to the insurance company “since the sneaky insurance agent purposefully negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation.”

“To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company.”

An image by Varonis shows part of a ransom note by HardBit asking a victim for insurance details. (Varonis)

First observed in October, an updated version of HardBit ransomware was discovered by Varonis in late November. The group does not currently have a leak site. 

One cybersecurity expert contacted by SC Media said it was fascinating to see ransomware gangs evolve their business models. As insurers have adapted to price out the costs of paying a ransom versus recovery, cybercriminals are adapting their demands to ensure they get paid and don't go over that limit.

“Ransomware gangs are businesses,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “They are illegal and unethical, but they are businesses nonetheless.”  

The biggest challenge to fighting ransomware is the nation-states that continue to shelter and support the criminal operations, Parkin continued, adding that the groups will continue to evolve until there is effective cooperation in the international law enforcement community.

Melissa Bischoping, director of endpoint security at Tanium, cautioned victims not to share details of their insurance with threat actors since it may result in a denied claim. 

“As threat actors begin to view insured victims as a guaranteed payment source, I’d expect and hope to see regulation and/or legislation to prevent abuse of the system such as HardBit’s tactics,” said Bischoping.

See Varonis’ post for more technical information about HardBit 2.0 and indicators of compromise.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
