Hakbit
⚠️ Overview
Hakbit is a ransomware family. The vendor reporting this page draws on (including SentinelOne and Trend Micro) dates its discovery to August 2021; note, however, that public analysis of Hakbit exists from 2020 (for example Proofpoint's mid-2020 reporting on Hakbit phishing campaigns), so the 2021 date should be read as the period covered by the reports summarised here rather than the family's first appearance. It is attributed to a financially motivated threat actor, possibly operating within the Ransomware-as-a-Service (RaaS) ecosystem, and has been observed against enterprise networks in North America and Europe. Hakbit encrypts files, appends the .hakbit extension to them, and demands a ransom in Bitcoin for the decryptor.
🔧 Technical Capabilities
Hakbit gains initial access through compromised RDP credentials, phishing emails, or exploitation of unpatched, publicly known vulnerabilities (the sources cite the ProxyShell chain in Microsoft Exchange, e.g. CVE-2021-34473). Command-and-control uses infrastructure on bulletproof hosting services and runs over HTTPS; data is exfiltrated over that channel before encryption begins, which is what makes the later leak threat credible. Persistence is achieved via scheduled tasks (T1053.005) and registry Run keys (T1547.001), for example HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It employs process hollowing (T1055.012) to evade detection and impairs defences using WMIC and netsh (T1562), the latter typically to switch off the host firewall. The encryption routine combines AES-256 and RSA-2048 in the usual hybrid pattern (AES for file contents, RSA to protect the AES key), so files cannot be recovered without the actor's RSA private key. Before encrypting, it deletes volume shadow copies via vssadmin.exe (T1490), removing the easiest local recovery path. The MITRE ATT&CK techniques named in the sources are T1055.012 (Process Hollowing), T1490 (Inhibit System Recovery), and T1047 (Windows Management Instrumentation); the persistence and defence-impairment mappings given above follow from the behaviour described.
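The behaviours listed above (shadow copy deletion with vssadmin or WMIC, firewall and security-tool tampering, Run-key persistence) are exactly what EDR behavioural rules key on. The following is an added example, not code from the original page or from any vendor report: a small rule set run over constructed Sysmon-style process-creation events, with per-host correlation so that a lone `vssadmin list shadows` from a backup server does not page anyone. Host names, paths and command lines are invented for illustration.

```python
"""
Added example, not code from the original page or from any vendor report:
a small behavioural rule set of the kind the Technical Capabilities section
says EDR should carry, run over constructed Sysmon-style process-creation
events.  Host names, paths and command lines are invented for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str
    pattern: re.Pattern  # searched against "<image> <command line>", case-insensitive


RUN_KEY = re.escape(r"\Software\Microsoft\Windows\CurrentVersion\Run")

RULES = [
    Rule("shadow copy deletion via vssadmin", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("shadow copy deletion via WMIC", "T1047",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("host firewall disabled via netsh", "T1562.004",
         re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    Rule("security product uninstalled via WMIC", "T1562.001",
         re.compile(r"\bwmic(\.exe)?\s+product\b.*\bcall\s+uninstall\b", re.I)),
    Rule("Run-key persistence via reg.exe", "T1547.001",
         re.compile(r'\breg(\.exe)?\s+add\s+"?hk(cu|lm)' + RUN_KEY + r"\b", re.I)),
]
# Process hollowing (T1055.012) is not visible in command lines; it needs
# EDR memory/thread telemetry and is deliberately out of scope here.

SAMPLE_EVENTS = [  # constructed for this example
    {"host": "WS-017", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-017", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-017", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS-017", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic product where \"name like '%Protection%'\" call uninstall"},
    {"host": "WS-017", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /t REG_SZ /d "C:\Users\alice\AppData\Local\Temp\update.exe" /f'},
    # Benign look-alikes that must not fire:
    {"host": "SRV-BK01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-022", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]


def match_event(event):
    """Return the rules that fire on one process-creation event."""
    subject = f"{event['image']} {event['cmdline']}"
    return [rule for rule in RULES if rule.pattern.search(subject)]


def triage(events, min_techniques=2):
    """Aggregate hits per host.  A host is alerted once it shows at least
    min_techniques distinct ATT&CK techniques: a single shadow-copy command
    can be legitimate admin work; shadow deletion plus firewall tampering
    plus Run-key persistence on one workstation rarely is."""
    per_host = {}
    for event in events:
        for rule in match_event(event):
            per_host.setdefault(event["host"], {})[rule.attack_id] = rule.name
    return {host: {"attack_ids": sorted(hits), "alert": len(hits) >= min_techniques}
            for host, hits in per_host.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, "ALERT" if result["alert"] else "info", result["attack_ids"])
```

The regexes are anchored on the verb (`delete shadows`, `set ... state off`, `add ... Run`) rather than on the binary name alone, which is what keeps `vssadmin list shadows` and `reg query` quiet; in a real deployment the threshold and the per-host window would be tuned against the environment's own admin tooling.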
📜 History & Notable Incidents
The first major Hakbit campaign in the reporting covered here occurred in September 2021 against a U.S. manufacturing firm, as detailed in a SentinelOne report. In November 2021, it compromised a European logistics company, exfiltrating about 200 GB of data before encryption. No CVE is assigned to Hakbit itself; it exploits already-public vulnerabilities such as the ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). No law enforcement action had been publicly linked to the group as of 2025.
🔍 Detection Indicators
No usable sample hash is given: the source lists only a placeholder (MD5: a1b2c3d4e5f6...) and notes that hashes vary per variant, so current hashes should be taken from vendor reporting rather than from this page. Behavioural signatures are mass file renaming to the .hakbit extension and creation of a ransom note named README_Hakbit.txt in each encrypted directory. Network indicators are C2 addresses in the 185.0.0.0/8 range (far too broad to block on its own; use the specific addresses from vendor reporting) and the custom User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Hakbit, which differs from an ordinary browser UA only by the trailing Hakbit token. On the host, a registry key under HKCU\Software\Hakbit and the mutex Global\HakbitMutex are common.
☠️ Risk & Impact
Hakbit's impact is data encryption combined with prior exfiltration, leading to operational downtime and financial losses averaging $150,000 per incident according to the incident response data cited by the sources. Affected sectors include manufacturing, logistics, and healthcare. The group practises double extortion: stolen data is threatened with publication on a Tor-based leak site if the ransom is not paid, so restoring from backup does not by itself end the incident.
🛡️ Mitigation
Mitigation includes patching the Exchange ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), keeping RDP off the internet (or behind a VPN) with multi-factor authentication and account lockout, blocking outbound SMB (TCP 445) at the perimeter and restricting it between workstation segments so that one infected host cannot reach others' shares, and deploying EDR with behavioural detection rules for process hollowing, shadow copy deletion (vssadmin or wmic) and firewall tampering via netsh. Regular backups stored offline or on immutable storage, with restores actually tested, are critical, since the host's own shadow copies will be gone. Network segmentation limits lateral spread. For detection, YARA rules matching the Hakbit ransom note text and the .hakbit file extension work, with the caveat that both indicators appear only once encryption is already under way, so they serve scoping and containment rather than prevention.
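The Detection Indicators section lists the .hakbit extension, the README_Hakbit.txt note and the custom User-Agent string, and the Mitigation section above suggests encoding the note and extension as a YARA rule. The following is an added example, not code from the original page or from any vendor, that applies those same indicators as a scoping sweep: a directory walk that reports encrypted files and notes (with a mass-renaming threshold, since a note only appears once encryption has started) and a proxy-log filter for the User-Agent. The directory layout, note body and log lines are constructed; the page's hash placeholder and bare 185.x.x.x range are too vague to encode, and the mutex and HKCU\Software\Hakbit key need a live host, so they are left out.

```python
"""
Added example, not code from the original page or from any vendor: a sweep
that applies the indicators listed under Detection Indicators and the
ransom-note / extension matching that Mitigation describes as a YARA rule.
The directory layout, note body and proxy log lines are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".hakbit"                      # extension from the page
RANSOM_NOTE_NAME = "README_Hakbit.txt"         # note name from the page
HAKBIT_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Hakbit"


def scan_tree(root, rename_ratio_threshold=0.5):
    """Walk root and return encrypted files, ransom notes and a verdict.

    The verdict fires on either page-supported signal: a ransom note anywhere
    in the tree, or mass renaming (the share of .hakbit files crosses the
    threshold).  Notes are not counted as user files."""
    encrypted, notes, total = [], [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = str(Path(dirpath) / name)
            if name == RANSOM_NOTE_NAME:
                notes.append(path)
                continue
            total += 1
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
    ratio = len(encrypted) / total if total else 0.0
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "rename_ratio": ratio,
            "hakbit_suspected": bool(notes) or ratio >= rename_ratio_threshold}


# Assumes combined-log-format lines whose last quoted field is the User-Agent.
_UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def proxy_hits(log_lines):
    """Return lines whose User-Agent equals the Hakbit UA string exactly."""
    hits = []
    for line in log_lines:
        m = _UA_FIELD.search(line)
        if m and m.group(1) == HAKBIT_USER_AGENT:
            hits.append(line)
    return hits


def build_sample_tree():
    """Create a constructed share with two encrypted files, one note and one
    untouched file; returns its root Path."""
    root = Path(tempfile.mkdtemp(prefix="hakbit-demo-"))
    finance = root / "Finance"
    finance.mkdir()
    (finance / "Q3.xlsx.hakbit").write_bytes(os.urandom(64))
    (finance / "budget.docx.hakbit").write_bytes(os.urandom(64))
    # Constructed note body; the real note text is not reproduced on the page.
    (finance / RANSOM_NOTE_NAME).write_text("Your files were encrypted. Contact us for the decryptor.\n")
    (root / "readme.txt").write_text("not encrypted\n")
    return root


SAMPLE_PROXY_LOG = [  # constructed
    '10.0.4.21 - - [03/Mar/2022:10:14:03 +0000] "POST /upload HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Hakbit"',
    '10.0.4.22 - - [03/Mar/2022:10:14:05 +0000] "GET / HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
]


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print("suspected:", report["hakbit_suspected"], "notes:", report["notes"])
    print("proxy hits:", len(proxy_hits(SAMPLE_PROXY_LOG)))
```

The User-Agent comparison is an exact match rather than a substring search for "Hakbit", because the only thing distinguishing this UA from a legitimate Windows browser is the trailing token and a loose match would also catch any log line that merely mentions the family name.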
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.