Hunters International, a new ransomware group, has obtained the source code and infrastructure from the now-defunct Hive operation to kick-start its operations in the threat landscape. According to a technical solutions director, it appears that the leadership of the Hive group made the strategic decision to cease operations and transfer their remaining assets to another group, Hunters International. Hive, a once-prolific ransomware-as-a-service (RaaS) organization, was shut down in January 2023 as part of a coordinated law enforcement effort. Although it is common for ransomware groups to regroup, rebrand, or dismantle their operations in the aftermath of seizures, in this case the core developers appear to have passed on the source code and other infrastructure in their hands to another threat actor.
Hunters International was mentioned as a prospective Hive rebrand last month after significant coding similarities were discovered between the two strains, and it has already claimed five victims. When examining the Hunters International sample more closely, a researcher noticed code overlaps and similarities that matched more than 60% of the code of Hive ransomware. However, the threat actors behind it have sought to debunk these rumors, claiming that they obtained the Hive source code and website from its developers. The group appears to place more emphasis on data exfiltration: all reported victims had their data exfiltrated, but not all of them had their data encrypted, which would indicate that Hunters International is more of a data extortion organization. A cybersecurity company’s investigation revealed the ransomware sample’s Rust-based roots, consistent with Hive’s move to the programming language in July 2022 for improved resistance to reverse engineering. With the new group adopting the ransomware code, it appears that they have aimed for simplification.
Hunters International’s encryptor attaches the “.LOCKED” extension to the processed files. The malware leaves a plaintext file called “Contact Us.txt” in each directory with instructions for victims to contact the threat operator over Tor through a chat page protected by a login unique to each victim. The data leak site only has one victim, a school in the United Kingdom, from which the threat operators claim to have taken around 50,000 files containing information about students and teachers as well as network and online credentials. Hunters International’s data leak site displays a series of statements, most likely to communicate to the public that they mean serious business and are looking for victims to extort.
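The two on-disk artifacts described above (the “.LOCKED” extension and the per-directory “Contact Us.txt” note) are what an incident responder would sweep a share for first. The following is an added triage script, not code from the original post or from SpearTip; the sample directory tree it builds is constructed test data, and the artifact names are the only page-derived values it uses.

```python
import os
import tempfile

# Indicators taken from the article: encrypted files carry ".LOCKED"
# and each affected directory receives a "Contact Us.txt" ransom note.
LOCKED_EXT = ".LOCKED"
NOTE_NAME = "Contact Us.txt"


def scan_tree(root):
    """Walk `root` and return {relative_dir: {"locked": n, "note": bool}}
    for every directory that shows at least one of the two indicators."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        locked = sum(1 for f in filenames if f.endswith(LOCKED_EXT))
        note = NOTE_NAME in filenames
        if locked or note:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"locked": locked, "note": note}
    return findings


def summarize(findings):
    """Aggregate the per-directory findings. 'note_only_dirs' lists
    directories that received the note but no encrypted files, which
    matches the article's point that exfiltration-only cases exist."""
    total_locked = sum(v["locked"] for v in findings.values())
    note_dirs = [d for d, v in findings.items() if v["note"]]
    note_only = [d for d, v in findings.items() if v["note"] and v["locked"] == 0]
    return {"locked_files": total_locked,
            "note_dirs": len(note_dirs),
            "note_only_dirs": sorted(note_only)}


def build_sample_tree(base):
    """Constructed sample data: one encrypted directory, one note-only
    directory, one untouched directory. Not real evidence."""
    for sub in ("finance", "hr", "clean"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    for name in ("q3.xlsx" + LOCKED_EXT, "budget.docx" + LOCKED_EXT, NOTE_NAME):
        open(os.path.join(base, "finance", name), "w").close()
    for name in ("staff.csv", NOTE_NAME):
        open(os.path.join(base, "hr", name), "w").close()
    open(os.path.join(base, "clean", "readme.txt"), "w").close()


def demo():
    """Run the sweep against the constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    print(demo())
```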
It is uncertain whether Hive ransomware sold the source code to other threat operators; the group’s operations came to a halt after its Tor payment and data leak sites were seized in an international operation. The FBI was able to disrupt the ransomware operation, which had 250 affiliates, after infiltrating the group’s infrastructure and monitoring its activities for six months, beginning in July 2022. The group infiltrated over 1,300 companies and received around $100 million in ransom payments, according to the FBI. The FBI’s actions enabled it to release over 1,300 decryption keys to Hive ransomware victims whose data had been encrypted both before and after the FBI acquired access to the threat operator’s environments.
In comparison to previous Hive versions, the new operators have decreased the number of command line options, streamlined the encryption key storage process, and made the malware less verbose. Aside from including an exclusion list of file extensions, file names, and directories to be left out of encryption, the ransomware executes commands to prevent data recovery and terminates numerous processes that could potentially interfere with the operation. Even though Hive has been one of the most destructive ransomware groups, it remains to be seen whether Hunters International will be just as, if not more, dangerous. The group emerged as a new threat actor with a sophisticated toolbox, ready to demonstrate its capabilities, but it must first demonstrate its competence before it can attract high-caliber affiliates.
With new ransomware groups emerging from rebranded groups, including Hunters International, companies need to be alert to the current threat landscape and regularly update their security software on their data networks. At SpearTip, our certified engineers are continuously monitoring companies’ data networks for potential ransomware threats at our 24/7/365 Security Operations Center and are ready to respond to incidents at a moment’s notice. Our IT remediation team works to restore companies’ operations, reclaim their networks by isolating malware, and recover their business-critical assets. ShadowSpear Platform, our integrable managed detection and response tool, exposes sophisticated unknown and advanced threats with comprehensive insights through unparalleled data normalization and visualizations. We examine companies’ security posture to improve the weak points in their networks and engage with the people, processes, and technologies to measure the maturity of the technical environments. For all vulnerabilities uncovered, our analysts and engineers provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.