The operators behind a recently identified ransomware group, known as Hunters International, have acquired both the source code and the infrastructure of the dismantled Hive operation and are using them to launch their own activity in the threat landscape.

Martin Zugec, Technical Solutions Director at Bitdefender, reported last week that the Hive group’s leadership strategically opted to halt their operations and transfer their remaining assets to Hunters International.

Hive, a once-prolific ransomware-as-a-service (RaaS) entity, was dismantled in a coordinated law enforcement effort in January 2023. Following such seizures, ransomware actors often regroup, rebrand, or disband, with core developers occasionally passing on their source code and infrastructure to another threat actor.

Speculation arose that Hunters International was a rebrand of Hive after researchers identified code similarities between the two strains. The group has claimed five victims thus far, but the threat actors deny being a reincarnation, asserting that they purchased the Hive source code and website from its developers.

Bitdefender’s analysis of the ransomware sample shows it is written in Rust, continuing Hive’s move to that language in July 2022, a shift intended to make the code harder to reverse engineer.

The new group appears to have simplified the ransomware code: fewer command-line parameters, a streamlined process for storing the encryption key, and less verbose output than earlier Hive versions. Notably, Hunters International places a strong emphasis on data exfiltration; some reported victims had data stolen even when it was not encrypted, which points to a focus on data extortion rather than traditional encryption-based ransomware.

The ransomware carries an exclusion list of file extensions, file names, and directories that are spared from encryption. It also runs commands to impede data recovery and to terminate processes that might interfere with the encryption routine.
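The recovery-impeding and process-killing commands described above are the part of a ransomware run that defenders can usually see before any file is encrypted. The following is an added example, not code from Bitdefender or from the article, of a small triage script that scans process-creation events for such commands and scores hosts. The article does not name the specific commands Hunters International runs; the patterns below are generic, well-documented ransomware behaviours (shadow-copy deletion, boot recovery disabling, backup catalog deletion, process and service termination) and are assumptions for the sake of illustration, as is the pipe-delimited event format and the constructed sample log.

```python
"""Triage heuristics for pre-encryption ransomware activity in process-creation logs.

Added example; not the ransomware's own code and not taken from the Bitdefender report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Generic indicators (ATT&CK T1490 Inhibit System Recovery, T1489 Service Stop).
# ASSUMPTION: the article does not name the commands Hunters International runs;
# these are common ransomware patterns chosen for illustration.
RULES = [
    # (category, weight, regex, description)
    ("recovery_inhibit", 3, r"vssadmin(\.exe)?\s+delete\s+shadows", "shadow copy deletion"),
    ("recovery_inhibit", 3, r"vssadmin(\.exe)?\s+resize\s+shadowstorage", "shadow storage resize"),
    ("recovery_inhibit", 3, r"wmic(\.exe)?\s+shadowcopy\s+delete", "WMI shadow copy deletion"),
    ("recovery_inhibit", 3, r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "Windows recovery disabled"),
    ("recovery_inhibit", 3, r"bcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "boot failure handling suppressed"),
    ("recovery_inhibit", 3, r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "backup catalog deletion"),
    # Process/service termination alone is low confidence: administrators do this too.
    ("process_kill", 1, r"taskkill(\.exe)?\b.*/im\s+\S+", "process killed by image name"),
    ("process_kill", 1, r"net(\.exe)?\s+stop\s+\S+", "service stopped"),
]
COMPILED = [(c, w, re.compile(r"\b" + p, re.IGNORECASE), d) for c, w, p, d in RULES]

# Constructed sample events (assumed format: timestamp|host|user|parent_image|command_line).
# Not a real Sysmon or EDR export.
SAMPLE_EVENTS = """\
2023-11-01T10:02:11Z|FS01|CORP\\svc_backup|C:\\Windows\\explorer.exe|vssadmin list shadows
2023-11-01T10:02:14Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\upd.exe|vssadmin.exe delete shadows /all /quiet
2023-11-01T10:02:15Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\upd.exe|wmic shadowcopy delete
2023-11-01T10:02:16Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\upd.exe|bcdedit /set {default} recoveryenabled No
2023-11-01T10:02:18Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\upd.exe|taskkill /F /IM sqlservr.exe
2023-11-01T10:02:19Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\upd.exe|net stop MSSQLSERVER /y
2023-11-01T10:05:00Z|WS22|CORP\\jdoe|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2023-11-01T10:07:30Z|DB02|CORP\\dba|C:\\Windows\\System32\\cmd.exe|net stop MSSQLSERVER
"""


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    user: str
    parent_image: str
    command_line: str
    category: str
    weight: int
    description: str


def parse_event(line):
    """Split one event into its five fields; the command line may itself contain '|'."""
    parts = line.split("|", 4)
    return parts if len(parts) == 5 else None


def scan_events(text):
    """Return one Finding per event whose command line matches a rule (first rule wins)."""
    findings = []
    for raw in text.splitlines():
        ev = parse_event(raw.strip())
        if ev is None:
            continue
        time, host, user, parent, cmd = ev
        for category, weight, rx, desc in COMPILED:
            if rx.search(cmd):
                findings.append(Finding(time, host, user, parent, cmd, category, weight, desc))
                break
    return findings


def score_hosts(findings):
    """Cumulative weight per host."""
    scores = defaultdict(int)
    for f in findings:
        scores[f.host] += f.weight
    return dict(scores)


def alert_hosts(findings, threshold=3):
    """Hosts at or above the threshold: a single recovery-inhibiting command is enough,
    while process kills on their own must accumulate before they raise an alert."""
    return sorted(h for h, s in score_hosts(findings).items() if s >= threshold)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.host} [{f.category}/{f.weight}] {f.description}: {f.command_line}")
    print("alert:", alert_hosts(found))
```

On the constructed sample, the benign `vssadmin list shadows` is ignored, the single `net stop` on DB02 stays below the threshold, and FS01 is flagged by its shadow-copy and boot-configuration tampering. In practice the same logic would run over Sysmon Event ID 1 or EDR process-creation telemetry, and the weights and threshold should be tuned against the environment's legitimate backup and maintenance jobs.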

While Hive was recognized as one of the most dangerous ransomware groups, the potential threat level posed by Hunters International remains uncertain. Zugec emphasizes that the group, equipped with a mature toolkit, must prove its capabilities before attracting high-caliber affiliates and establishing itself as a formidable force in the threat landscape.
