A new ransomware group, Hunters International, has emerged, reportedly inheriting source code and infrastructure from the disbanded Hive ransomware collective. The development shows how a ransomware code base can outlive the law enforcement action that took down the group which built it.
According to Martin Zugec, technical solutions director at Bitdefender, Hive made a calculated choice to stop operating and hand its remaining technical assets to Hunters International. The move fits a broader pattern in which threat actors regroup or rebrand while recycling the tooling and frameworks of earlier operations.
Hive, a major ransomware-as-a-service (RaaS) operation, was dismantled in a coordinated law enforcement action in January 2023. Regrouping or rebranding after a takedown is routine for ransomware groups, but an outright transfer of source code and operational frameworks to a separate group is notable: the encryptor, and the lessons learned operating it, go straight back into use under a new name, which is a persistent problem for defenders.
The link between Hunters International and Hive was drawn after analysts identified overlap between the two code bases. The group has so far claimed five victims, enough to suggest a working operation rather than a one-off. The operators themselves reject the rebranding label and say they bought the Hive source code from its developers; the code overlap is consistent with either account and does not by itself settle the question.
Unlike Hive, the new group appears to emphasize data exfiltration over encryption: every reported victim had data leaked, but not every victim had data encrypted. That points toward data extortion as the primary lever, in line with the direction the wider ransomware ecosystem has been moving. For defenders it also means that encryption activity cannot be relied on as the trigger for detection or response; data staging and unusual outbound transfers need to be watched in their own right.
Bitdefender's analysis shows the ransomware is written in Rust. Rust binaries are harder to reverse engineer than equivalent C or C++ builds, which is the reason most commonly cited for ransomware authors adopting the language; Hive itself moved to Rust in July 2022. Compared with Hive, Hunters International has also simplified the encryptor's command-line handling, which suggests an emphasis on ease of use for operators rather than new capability.
The ransomware also carries an exclusion list of file types and directories that it will not encrypt, a standard measure that keeps the host bootable so the ransom note can be read, and it runs commands that hinder data recovery, which for ransomware typically means removing volume shadow copies and disabling built-in recovery options. In MITRE ATT&CK terms these behaviours belong to the Impact tactic (Data Encrypted for Impact, Inhibit System Recovery); the analysis also maps the group's broader activity to initial access, data exfiltration, and disabling security tooling on infected systems.
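Because the recovery-hindering step is common to almost every ransomware family rather than specific to this one, it is a useful place to put detection. The following is an added example written for this article; it is not code from Bitdefender's analysis or from the ransomware itself, and the command patterns are the ones generally associated with the Inhibit System Recovery technique, not a claim about which exact commands Hunters International runs. The process-creation events, hostnames and user names are constructed for illustration.

```python
"""Detect recovery-inhibition commands in process-creation events.

Added example, not code from the article or from Bitdefender's report.
The rules cover commands generically used to delete shadow copies, backup
catalogs and boot-recovery settings (MITRE ATT&CK T1490); the events below
are constructed, not captured from a real incident.
"""
import re
from collections import defaultdict

# Rule name -> regex over the full command line. Case-insensitive because
# Windows tooling is, and ransomware authors vary the casing freely.
RECOVERY_INHIBITION_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]

# Constructed process-creation events, shaped like what a parser would yield
# from Sysmon Event ID 1 or Windows Security 4688 records.
SAMPLE_EVENTS = [
    {"ts": "2023-10-20T09:14:02Z", "host": "ws01", "user": "jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-10-20T09:14:03Z", "host": "ws01", "user": "jdoe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2023-10-20T09:15:41Z", "host": "srv02", "user": "SYSTEM",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2023-10-20T09:15:42Z", "host": "srv02", "user": "SYSTEM",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2023-10-20T10:02:10Z", "host": "ws03", "user": "backup",
     "cmd": "vssadmin list shadows"},  # benign: read-only enumeration
    {"ts": "2023-10-20T10:03:55Z", "host": "ws03", "user": "backup",
     "cmd": 'powershell -c "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"'},
]


def match_rules(cmd):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RECOVERY_INHIBITION_RULES if rx.search(cmd)]


def scan_events(events):
    """Return one alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({**ev, "rules": hits})
    return alerts


def hosts_with_multiple_techniques(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired.

    A single shadow-copy deletion can be an administrator reclaiming disk
    space; several different recovery-inhibition commands on the same host
    in a short window is the pre-encryption staging pattern and deserves
    an immediate response.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].update(a["rules"])
    return sorted(h for h, rules in seen.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]}: {a["rules"]} <- {a["cmd"]}')
    print("high-confidence hosts:", hosts_with_multiple_techniques(found))
```

In practice the per-event rule would feed an EDR or SIEM correlation that also checks the parent process (a shadow-copy deletion spawned from an office document or a freshly dropped binary is far more suspicious than one from a backup agent), and the host-level threshold above would be a short time window rather than the whole event set.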
As the ransomware landscape reshapes itself after Hive's dissolution, the emergence of Hunters International raises the question of what comes next. The group's willingness to showcase its capabilities suggests it is courting affiliates, but it still has to prove that the operation works before it earns long-term standing in the cybercriminal ecosystem.