Emergence of New Ransomware Group With Hive's Source Code and Infrastructure

The threat actors behind a newly formed ransomware group, Hunters International, have obtained the source code and infrastructure from the recently disbanded Hive operation to initiate their own activities in the threat landscape.

Nov 13, 2023 - 13:00

A new ransomware group, named Hunters International, has emerged on the cybersecurity scene, utilizing assets obtained from the now-defunct Hive ransomware operation. According to Bitdefender's Technical Solutions Director, Martin Zugec, the leaders of Hive, a once-prominent ransomware-as-a-service (RaaS) group, opted to shut down their operation and transfer their resources to Hunters International.

The Hive ransomware group was effectively dismantled in January 2023 following a coordinated law enforcement crackdown. In the wake of such disruptions, it's not unusual for ransomware actors to either rebrand, regroup, or completely dissolve their operations. In this case, Hive's core developers chose to pass their source code and other technical infrastructure to a different threat actor.

Initial reports about Hunters International suggested it might be a rebranded version of Hive, particularly given notable code similarities between the two ransomware strains. However, Hunters International has publicly denied these claims, stating that they purchased Hive's source code and website from its original creators.

Hunters International has already claimed five victims, displaying a distinct operational focus on data exfiltration. According to Zugec, all known victims of Hunters International experienced data theft, but not all had their data encrypted, indicating a shift towards data extortion tactics.

The ransomware used by Hunters International is written in Rust, a language that Hive had adopted in July 2022 and that is attractive to ransomware developers because its binaries are harder to analyse with common reverse-engineering tooling and can be compiled for several platforms from one code base. Bitdefender's analysis points out that the new group has opted for a more simplified approach, reducing the number of command-line parameters, streamlining encryption key storage, and minimizing the malware's verbosity.

Furthermore, the ransomware carries an exclusion list of file extensions, file names and directories that it skips during encryption, a standard precaution that keeps the system bootable and the ransom note readable. It also executes commands to hinder data recovery and terminates processes that could interfere with its operation.
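The recovery-hindering commands and process termination described above are the behaviours a defender can most reliably catch in process-creation telemetry. The following is an added detection example, not code from the article or from Bitdefender: it scans Sysmon Event 1 style lines (flattened to key=value pairs) for the generic recovery-inhibition commands catalogued under MITRE ATT&CK T1490 and for one parent process stopping several services or processes (T1489). The article does not list the exact commands Hunters International runs, so the patterns, the threshold and the log lines are assumptions and constructed samples, not captured data.

```python
"""Detection of recovery-inhibition and mass process termination in
process-creation logs. Added example; log lines are constructed, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Generic command patterns from ATT&CK T1490 (Inhibit System Recovery).
# Assumption: the article does not name the specific commands this family uses.
RECOVERY_INHIBIT = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin shadow copy deletion"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I), "vssadmin shadow storage shrink"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I), "wmic shadow copy deletion"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "bcdedit recovery disabled"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "bcdedit boot failure policy"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I), "wbadmin backup catalog deletion"),
]
# Ways to stop a process or service (ATT&CK T1489); the named group is the target.
PROCESS_STOP = [
    re.compile(r"\btaskkill(\.exe)?\b.*?/im\s+(?P<target>\S+)", re.I),
    re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+(?P<target>\S+)", re.I),
    re.compile(r"\bsc(\.exe)?\s+stop\s+(?P<target>\S+)", re.I),
]
# Distinct targets one parent must stop before we call it mass termination (tunable assumption).
MASS_KILL_THRESHOLD = 3

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


@dataclass
class Alert:
    ts: str
    host: str
    parent: str
    rule: str
    command: str


def parse_line(line):
    """Flatten one key=value log line into a dict (quoted values keep spaces)."""
    return {k: (q or u) for k, q, u in KV.findall(line)}


def classify(ev):
    """Return an Alert for each recovery-inhibition pattern the command line matches."""
    cmd = ev.get("CommandLine", "")
    return [Alert(ev.get("ts", ""), ev.get("host", ""), ev.get("ParentImage", ""), "T1490 " + label, cmd)
            for pattern, label in RECOVERY_INHIBIT if pattern.search(cmd)]


def stop_target(cmd):
    """Name of the process/service a stop or kill command targets, lower-cased, else None."""
    for pattern in PROCESS_STOP:
        m = pattern.search(cmd)
        if m:
            return m.group("target").lower()
    return None


def scan_process_log(lines):
    """Scan process-creation events (Sysmon EventID 1) and return Alerts in log order."""
    alerts = []
    kills = defaultdict(set)  # (host, parent image) -> distinct targets stopped
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "1":
            continue
        alerts.extend(classify(ev))
        target = stop_target(ev.get("CommandLine", ""))
        if target:
            key = (ev.get("host", ""), ev.get("ParentImage", ""))
            kills[key].add(target)
            if len(kills[key]) == MASS_KILL_THRESHOLD:  # fire once per parent
                alerts.append(Alert(ev.get("ts", ""), key[0], key[1],
                                    "T1489 mass process/service termination",
                                    ", ".join(sorted(kills[key]))))
    return alerts


# Constructed sample: one locker on WS01, benign taskkill and a harmless vssadmin query on WS02.
SAMPLE_LOG = r'''
ts=2023-11-13T13:00:01Z host=WS01 EventID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c vssadmin.exe delete shadows /all /quiet" ParentImage="C:\Users\Public\locker.exe"
ts=2023-11-13T13:00:02Z host=WS01 EventID=1 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled no" ParentImage="C:\Users\Public\locker.exe"
ts=2023-11-13T13:00:03Z host=WS01 EventID=1 Image="C:\Windows\System32\taskkill.exe" CommandLine="taskkill /F /IM sqlservr.exe" ParentImage="C:\Users\Public\locker.exe"
ts=2023-11-13T13:00:03Z host=WS01 EventID=1 Image="C:\Windows\System32\taskkill.exe" CommandLine="taskkill /F /IM veeam.backup.service.exe" ParentImage="C:\Users\Public\locker.exe"
ts=2023-11-13T13:00:04Z host=WS01 EventID=1 Image="C:\Windows\System32\net.exe" CommandLine="net stop MSExchangeIS /y" ParentImage="C:\Users\Public\locker.exe"
ts=2023-11-13T13:05:00Z host=WS02 EventID=1 Image="C:\Windows\System32\taskkill.exe" CommandLine="taskkill /F /IM notepad.exe" ParentImage="C:\Windows\explorer.exe"
ts=2023-11-13T13:06:00Z host=WS02 EventID=11 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"
'''

if __name__ == "__main__":
    for a in scan_process_log(SAMPLE_LOG.strip().splitlines()):
        print(f"{a.ts} {a.host} {a.rule}: {a.command} (parent {a.parent})")
```

The single-command rules fire on the first shadow-copy deletion or boot-configuration change regardless of who ran it, while the termination rule only fires once one parent has stopped several distinct targets, so an administrator killing one stray process does not page anyone. In production the threshold and the target list would be tuned to the backup and database agents actually deployed.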

While Hive was recognized as one of the most dangerous ransomware groups, it remains to be seen if Hunters International will reach or surpass Hive's level of threat. "This group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities," Zugec noted, "but faces the task of demonstrating its competence before it can attract high-caliber affiliates."