Hunters International Ransomware Inherits Hive's Operations

A recently emerged ransomware group named Hunters International has obtained the source code and infrastructure of the now-dismantled Hive operation and is using them as the foundation for its own activities. According to security researchers, the leaders of the Hive group strategically decided to halt their operations and transfer their remaining assets to another group, namely Hunters International.

The Hive group, previously a prolific ransomware-as-a-service (RaaS) operation, was taken down in January 2023 as part of a coordinated law enforcement effort.

Following such seizures, it is customary for ransomware actors to regroup, rebrand, or discontinue their activities. In some cases, core developers may pass on the source code and other infrastructure to another threat actor.

Reports speculating that Hunters International might be a rebrand of Hive emerged last month when code similarities were identified between the two strains. The group has denied these claims, asserting that it acquired the Hive source code and website from its developers. As of now, Hunters International has claimed five victims.

Old Dog, New Tricks

Interestingly, the group seems to focus more on data exfiltration than on encryption: all reported victims had data exfiltrated, but not all had their data encrypted. This distinguishes Hunters International as more of a data extortion entity.

The ransomware carries a list of file extensions, file names, and directories to exclude from encryption. Additionally, it runs commands to hinder data recovery and terminates processes that could potentially interfere with the encryption process.

While Hive has been known as one of the most dangerous ransomware groups, it remains uncertain whether Hunters International will prove to be equally or even more formidable.

November 15, 2023