A new ransomware entity has appeared in the ever-changing field of cyber threats, capturing attention and raising concern across the cybersecurity community. Hunters International has gained recognition for taking over both the source code and the infrastructure of the recently dismantled Hive operation. Hive, once a prolific actor in the ransomware-as-a-service (RaaS) market, was effectively brought down in January 2023 in a coordinated law enforcement operation.

The transition from Hive to Hunters International suggests that Hive's leadership made a strategic choice to halt operations while passing their remaining assets to a new threat actor. Such transitions are common in cybercrime, where threat actors rebrand, reorganize, or move their activities in order to preserve continuity and evade law enforcement scrutiny. This transition is notable because it involved the transfer not just of operational expertise but also of source code, giving Hunters International a mature toolkit with which to kick-start its operations.

As security researchers discovered code similarities between the two strains, speculation about the relationship between Hive and Hunters International grew. While some publications speculated that Hunters International was simply a rebranded Hive, the threat actors behind the new group have tried to refute these claims. They state that they obtained the Hive source code and website directly from its developers, pointing to a deliberate and calculated asset transfer rather than a rebrand.

A clear emphasis on data exfiltration distinguishes Hunters International from other ransomware gangs. Unlike many ransomware operations, this group's primary purpose is to steal sensitive information, with encryption serving as an additional lever for extortion. Notably, all reported victims have had their data stolen, but not all have had their data encrypted. This approach casts Hunters International as a data-extortion group that extends the standard ransomware model rather than simply repeating it.

Bitdefender's detailed analysis of the Hunters International ransomware sample indicates that it is written in Rust, a programming language whose compiled binaries are harder to reverse engineer. Hive had already switched to Rust for similar reasons in July 2022, and the same technology choice points to continuity in development objectives. However, in adopting the ransomware code, Hunters International appears to have aimed for simplification. Compared with previous versions, the group has reduced the number of command-line options, simplified the encryption key storage procedure, and made the malware less verbose in its logging and output.

Beyond these implementation details, the ransomware includes an exclusion list of file extensions, file names, and directories that it will not encrypt. It also executes commands intended to hinder data recovery and terminates processes that could interfere with its malicious activity. These features increase the ransomware's overall efficiency, a change from the operational difficulties previously associated with Hive's activities.

While Hive was identified as one of the most destructive ransomware gangs, Hunters International's real impact and threat level remain unknown. The group has emerged as a new contender with a well-developed toolkit, and its emphasis on showcasing capabilities reflects a deliberate effort to recruit high-caliber affiliates. The cybersecurity community is on high alert, closely following Hunters International's operations to assess its potential impact and determine whether it will be as strong as, or even stronger than, its predecessor. As the digital landscape evolves, the emergence of such sophisticated threat actors highlights the ongoing need for effective cybersecurity measures and coordinated efforts to combat cyber attacks.