Wednesday, May 29, 2024

A New Ransomware Group Using the Infrastructure and Source Code of Hive Emerges

The threat actors behind the recently dismantled Hive operation have sold its infrastructure and source code to a new ransomware group, Hunters International, which is using them to launch its own operation in the threat landscape.

Martin Zugec, technical solutions director at Bitdefender, stated in a report released last week that “it appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International.”

As part of a coordinated law enforcement operation, Hive, a once-prolific ransomware-as-a-service (RaaS) operation, was taken down in January 2023.

After such seizures, it’s not uncommon for ransomware actors to reorganize, change their identity, or cease operations; however, the source code and other infrastructure held by the core developers may also be transferred to another threat actor.

After multiple code similarities between the two strains were discovered last month, rumors began to circulate that Hunters International was a rebrand of Hive. Since then, five victims have been reported.

The threat actors behind Hunters International, however, have attempted to refute these rumors by claiming that they bought the website and source code for Hive from its creators.

“The group appears to place a greater emphasis on data exfiltration,” Zugec stated.

Notably, not all of the reported victims had their data encrypted, which suggests that Hunters International operates more as a data extortion outfit than a pure encryption operation.

According to Bitdefender’s analysis, the ransomware sample is written in Rust, consistent with Hive’s switch to that language in July 2022 because it is more resilient to reverse engineering.

“In general, as the new group adopts this ransomware code, it appears that they have aimed for simplification,” Zugec stated.

“They have reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions.”

In addition to including an exclusion list of file names, extensions, and directories that should not be encrypted, the ransomware also executes commands that prevent data recovery and terminates several processes that might otherwise interfere with encryption.

“While Hive has been one of the most dangerous ransomware groups, it remains to be seen if Hunters International will prove equally or even more formidable,” Zugec said.

“This group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities, [but] faces the task of demonstrating its competence before it can attract high-caliber affiliates.”
