Operators of a recently updated ransomware strain have been seen pressuring victims to pay the ransom by pitting them against their cyber-insurance companies.
The HardBit 2.0 variant carries a few novel tricks, including a modified ransom note in which the attackers claim that, if their demand falls within the range covered by the victim's insurance policy, the insurer is obliged to cover the cost of the attack.
The problem, from the attackers' point of view, is that they do not know the victim's insurance details, and victims are typically contractually bound to keep that information confidential. So the note tries to talk the victim into sharing those details anyway, albeit privately.
Voiding the insurance contract
“To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of the insurance coverage, it benefits both you and us, but it does not benefit the insurance company,” the note says.
The note essentially paints the insurance company as the bad guy, and further tells victims not to engage intermediaries or third parties, claiming that would only drive up the costs.
Besides urging victims toward actions that could void their insurance contract, the operators made technical changes to the strain as well. The malware now modifies the endpoint's Windows Registry to disable Windows Defender's real-time behavioral monitoring, process scanning and on-access file protection, BleepingComputer reported. It also attempts to terminate 86 processes, which releases the files those processes hold open so they can be encrypted.
Lastly, rather than writing encrypted data to a copy of each file and then deleting the original, it opens each file and overwrites its contents with encrypted data in place. According to the report, that makes the encryption run faster and recovery harder, since no deleted plaintext copy is left on disk for file-recovery tools to find.
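One practical response to the Defender-tampering behaviour described above is to audit hosts for it. The script below is an added example, not code from the article or from BleepingComputer's analysis: it checks the Windows Defender policy registry hive for the values that switch off real-time, behavioral and on-access protection, and cross-checks them against Defender's live state. The article does not name the exact registry values HardBit 2.0 writes; the value names used here are Defender's documented policy settings and are an assumption about where the tampering would show up.

```powershell
# Added example (not from the article): audit a Windows host for Defender
# real-time protection having been switched off through the Windows Defender
# policy registry hive. Value names below are Defender's documented policy
# settings; that the malware touches exactly these is an assumption.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

# Policy values that, when set to 1, turn off the protections named in the article.
$suspectValues = @(
    'DisableRealtimeMonitoring',    # real-time protection as a whole
    'DisableBehaviorMonitoring',    # behavioral monitoring
    'DisableOnAccessProtection',    # on-access file protection
    'DisableScanOnRealtimeEnable',  # process scanning when real-time protection is enabled
    'DisableIOAVProtection'         # scanning of downloaded files and attachments
)

$findings = @()

if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $suspectValues) {
        $val = $props.PSObject.Properties[$name]
        if ($null -ne $val -and $val.Value -eq 1) {
            $findings += "Policy value $name = 1 under $policyKey"
        }
    }
}

# Cross-check the live Defender configuration and status. A policy value with
# no matching live state (or vice versa) is still worth investigating.
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings += 'Get-MpPreference: DisableRealtimeMonitoring is True' }
if ($pref.DisableBehaviorMonitoring) { $findings += 'Get-MpPreference: DisableBehaviorMonitoring is True' }
if ($pref.DisableIOAVProtection)     { $findings += 'Get-MpPreference: DisableIOAVProtection is True' }

$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Get-MpComputerStatus: RealTimeProtectionEnabled is False' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Get-MpComputerStatus: BehaviorMonitorEnabled is False' }
if (-not $status.OnAccessProtectionEnabled) { $findings += 'Get-MpComputerStatus: OnAccessProtectionEnabled is False' }

if ($findings.Count -eq 0) {
    Write-Output 'Defender real-time protections are on and no disabling policy values were found.'
} else {
    Write-Output 'Possible Defender tampering:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell session on a host that has Microsoft Defender installed; on a machine with a third-party AV product the Get-Mp* cmdlets may be unavailable. Note that Defender's Tamper Protection feature, where enabled, is designed to block exactly these registry and preference changes, so finding them set is a stronger signal on hosts where Tamper Protection should have been on.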
Disclosing insurance details to attackers is not something anyone can recommend, quite apart from the risk of voiding the policy. Businesses are better served by training employees to recognise phishing and social engineering, running a properly configured firewall and endpoint security solution, and keeping current, offline backups whose restores have actually been tested.
Via: BleepingComputer