HardBit seeks to extort cryptocurrency in exchange for decrypting an organization’s data. (Suttipun/Adobe Stock Images)
Another ransomware group has emerged to threaten organizations, and they're very interested in your insurance plan.
What sets the HardBit group apart from the others is not its ransomware or TTPs — threat research published Feb. 20 by Varonis said it's unknown how the group gains initial access to victim networks — but rather the request for victims to tell them the maximum amount their insurance will cover for a ransom payment so they can demand the same amount.
In an image posted by Varonis threat researchers to their blog, the ransom note makes an appeal to the victim to stick it to the insurance company “since the sneaky insurance agent purposefully negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation.”
“To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company.”
An image by Varonis shows part of a ransom note by HardBit asking a victim for insurance details. (Varonis)
First observed in October, an updated version of HardBit ransomware was discovered by Varonis in late November. The group does not currently have a leak site.
One cybersecurity expert contacted by SC Media said it was fascinating to see ransomware gangs evolve their business models. As insurers have adapted to price out the costs of paying a ransom versus recovery, cybercriminals are adapting their demands to ensure they get paid and don't go over that limit.
“Ransomware gangs are businesses,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “They are illegal and unethical, but they are businesses nonetheless.”
The biggest challenge to fighting ransomware is nation-states that continue to shelter and support the criminal operations, Parkin continued, adding that the groups will continue to evolve until there is effective cooperation in the international law enforcement community.
Melissa Bischoping, director of endpoint security at Tanium, cautioned victims not to share details of their insurance with threat actors since it may result in a denied claim.
“As threat actors begin to view insured victims as a guaranteed payment source, I’d expect and hope to see regulation and/or legislation to prevent abuse of the system such as HardBit’s tactics,” said Bischoping.
See Varonis’ post for more technical information about HardBit 2.0 and indicators of compromise.
Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.