“Ransomware has evolved significantly over the years, as groups have begun to focus on exfiltrating files from victim networks. Accessing these files and holding them for ransom as part of the “double extortion” tactic has given ransomware groups an opportunity to peek into an organization’s financials as well as their cyber insurance policies. While some groups are inclined to seek out the highest ransomware payment possible, many groups in the ransomware ecosystem seek to tailor their ransom demands to a value that the organization can pay.
“In the past, the Conti ransomware group instructed affiliates to seek out cyber insurance and security policy documents as part of the files they exfiltrate from the victim’s environment after a successful attack, likely to help tailor their ransom demands. However, to my knowledge, this is the first time a group (HardBit) has instructed a victim to explicitly share their cyber insurance details anonymously in order to prepare a viable ransomware demand to maximise the return on their investment while ensuring the least amount of friction possible during negotiations.
“While we’ve seen the extortion side of the ransomware ecosystem evolve over the years, it’s unclear if HardBit’s approach is one that other ransomware groups will adopt in the near future.” — Satnam Narang, Sr. Staff Research Engineer, Tenable