Ransomware: HardBit 2.0 asks for cyber insurance


After a successful attack, the HardBit 2.0 ransomware group asks the victim company for its cyber insurance information. The group wants to adjust its demands to the sum insured and pretends to be friendly.

Security researchers at Varonis Threat Labs warn of a new ransomware group that appears to be using a new extortion tactic: HardBit 2.0 tries to convince victims that it is in their best interest to disclose all insurance details so that the group can tailor its demands in such a way that the insurer covers all costs.

Hackers: Together against the insurance

HardBit asks the victims for the sum insured (Image: Varonis).

HardBit was first observed in October 2022 and has been appearing as version 2.0 since November. Unlike most ransomware actors, HardBit does not have a leak site. Nonetheless, the cyber criminals claim that they are stealing victims' data and threaten to make it public if no ransom is paid. HardBit 2.0 uses techniques and attack tactics similar to those of other ransomware groups, such as distributing malicious payloads to unsuspecting employees, using compromised credentials, and exploiting vulnerabilities in exposed hosts. What distinguishes this new group from well-known gangs is the blackmail tactic: the ransom note to the victims does not contain a specific ransom demand, but a request to anonymously provide details about the insurance policy:

Request for the amount of damage

"If you anonymously tell us that your business is insured for $10 million and provide other important information about coverage, we will not ask for more than $10 million in correspondence with the insurance agent. That way you could avoid a leak and decrypt your information."

In this way, the note portrays the "insidious" insurance companies, not the cyber criminals, as the opponent. Accordingly, it claims, it is also in the victims' interest to cooperate with the extortionists: "But since the sneaky insurance agent deliberately negotiates in such a way that he does not pay for the insurance claim, only the insurance company wins in this situation.

In order to avoid all this and get the money from the insurance company, you should anonymously inform us about the conditions of the insurance cover. The poor multi-millionaire insurers will not starve and become poorer by paying the maximum amount stipulated in the contract. […] So, thanks to our cooperation, let them fulfill the conditions prescribed in your insurance contract."

Data disclosure may terminate insurance coverage

As a rule, insured companies are contractually obliged not to give attackers any insurance data, as otherwise there is a risk that the damage will not be covered. That is why the cyber criminals insist that this data be shared anonymously. Their goal is and remains the extortion of money, and affected companies are well advised not to trust them.

More at Varonis.com

 


About Varonis

Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both locally and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking sensitive, regulated and outdated data and maintains a secure state of the systems through efficient automation.


 
