'Hunters International' Cyberattackers Take Over Hive Ransomware

It appears that Hunters International has obtained Hive ransomware from its initial operators and might be attempting to profit from the malware's reputation.

Nov 13, 2023 - 22:00

The FBI's disruption of the notorious Hive ransomware group earlier this year marked a significant victory against cybercrime. However, Hive's potent malware code hasn't vanished from the cyber threat landscape. Recent investigations have revealed that a new ransomware group, Hunters International, is employing tactics and malware that share striking similarities with Hive's tools, leading experts to speculate about a possible handover of Hive's resources to this emerging group.

Bitdefender, a prominent cybersecurity firm, noted in a recent report that Hive's leadership might have strategically chosen to cease operations and pass their assets to Hunters International. This move suggests a deliberate decision to keep Hive's destructive capabilities alive in the cybercrime ecosystem through a different entity. Despite Hive being one of the most feared ransomware groups, the future impact of Hunters International, wielding Hive's tools, remains to be seen.

Hive, at its peak, was a major cyber threat, orchestrating widespread attacks until the FBI, alongside international partners, infiltrated and dismantled its infrastructure. This operation saved potential victims approximately $130 million in ransom payments and recovered a significant number of decryption keys, crippling Hive's operations.

Since then, the evidence points to Hunters International adopting Hive's code, although the new group insists that it is independent and is merely utilizing Hive's malware and infrastructure. Bitdefender's analysis reveals differences in operational focus between the two groups. Hunters International seems more inclined towards data exfiltration and extortion than towards Hive's primary approach of data encryption. This behavior, along with the group's opportunistic attack patterns, indicates that Hunters International is still in the early stages of establishing its modus operandi in the ransomware domain.

Bitdefender's Martin Zugec highlights the use of logging in the malware as a sign of Hunters International's adaptation of Hive's code. Logging is crucial for new developers to understand, debug, and enhance the acquired malware. This process is essential for insight into the malware's operation and for tracking and rectifying errors.

The decision by Hive to sell off its malware code rather than attempting to rebuild its criminal enterprise suggests a strategic move to reduce risk and effort. Restarting operations while avoiding law enforcement scrutiny is a daunting task for any criminal group. The sale of ransomware code, therefore, could be seen as a trade-off between restarting operations and reducing legal risks. The value of such code goes beyond technical prowess; it embodies the trust and reputation established in the criminal community, factors that are crucial for any ransomware-as-a-service operation like Hunters International.

As the cyber threat landscape continues to evolve, the emergence of groups like Hunters International, armed with sophisticated tools from predecessors like Hive, serves as a reminder of the persistent and adaptable nature of cyber threats.