The threat actors behind a new ransomware group have been called out International Hunters acquired the source code and infrastructure from the now-disbanded Hive operation to begin its own threat landscape efforts.
“It appears that the leadership of the Hive group has made the strategic decision to stop their operations and transfer their remaining assets to another group, Hunters International,” Martin Zugec, technical solutions director at Bitdefender, SAYS in a report published last week.
Hive, which was once a massive ransomware-as-a-service (RaaS) operation, was taken down as part of a coordinated law enforcement operation in January 2023.
Although it is common for ransomware actors to regroup, rebrand, or disband their activities after such attacks, what can also happen is that the main developers can’ g pass the source code and other infrastructure they own to another threat actor.
Reports about Hunters International as a possible rebrand of Hive surfaced last month after the discovery of significant code similarities between the two strains. It has claimed five victims so far.
The threat actors behind it, however, sought to dispel these assumptions, saying that it bought the Hive source code and website from its developers.
“The group appears to be placing a greater emphasis on data exfiltration,” said Zugec. “Notably, all reported victims had data exfiltrated, but not all of them had their data encrypted,” making Hunters International a data extortion group.
Bitdefender’s analysis of the ransomware sample revealed Rust-based foundations, a fact confirmed by Hive’s switch to programming language in July 2022 for its increased resistance to reverse engineering.
“In general, as the new group adopted this ransomware code, it appears that they aimed to simplify,” said Zugec.
“They reduce the number of command line parameters, streamline the encryption key storage process, and make the malware less verbose compared to previous versions.”
The ransomware, in addition to including a list of exclusions of file extensions, file names, and directories that will not be included in the encryption, runs commands to prevent data recovery as well as terminate multiple processes that may interfere with the process.
“While Hive is one of the most dangerous ransomware groups, it remains to be seen if Hunters International will prove to be equally or even more formidable,” Zugec said.
“This group emerged as a new threat actor that started with a mature toolkit and appeared eager to demonstrate its capabilities, (but) faced with the task of demonstrating its ability to not it will still attract high-caliber partners.”