Main Menu
,

Hunters International Ransomware: Hive Ransomware Ressurected

Hunters International is a Ransomware-as-a-Service (RaaS) group that emerged in October 2023, following the disruption of the Hive ransomware group. They've conducted over 200 attacks globally, targeting various industries including healthcare, automotive, manufacturing, logistics, finance, education, and food. Notable victims include branches of the Industrial and Commercial Bank of China (ICBC), Anderson Oil & Gas, and Barber Specialties. The group notably avoids targeting entities within Russia.
Facebook Twitter Youtube Linkedin
Hunters International Ransomware: Hive Ransomware Ressurected
Table of Contents
    Add a header to begin generating the table of contents

    Overview: 

    Hunters International is a ransomware-as-a-service (RaaS) group that emerged in October 2023, shortly after the takedown of the Hive ransomware group. They’ve rapidly expanded their operations, conducting over 200 attacks globally across a wide range of industries. Their victims span various sectors, including healthcare, automotive, manufacturing, logistics, finance, education, and food, and are located in countries such as the United States, United Kingdom, Germany, Japan, and Brazil. Notably, they have not been linked to attacks on Russian entities.

    Known Aliases:

    No known aliases beyond “Hunters International” are publicly documented. However, the possibility of using additional aliases or operating under a different umbrella group cannot be ruled out.

    Country of Origin:

    Reports from cybersecurity firms like Cybersecurity and Infrastructure Security Agency (CISA), Kaspersky and CrowdStrike have identified Hunter’s International as a Russian-affiliated group.

    Most Recent Attacks:

    MITRE ATT&CK Tactics and Techniques:

    The Hunters International group utilizes a wide range of MITRE ATT&CK tactics and techniques, as detailed in the provided report. These include:

    • Initial Access: T1078 (Valid Accounts), T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), T1566 (Phishing)
    • Execution: T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter), T1106 (Native API), T1129 (Shared Modules)
    • Persistence: T1543 (Create or Modify System Process), T1547 (Boot or Logon Autostart Execution)
    • Privilege Escalation: T1134 (Access Token Manipulation), T1543 (Create or Modify System Process), T1547 (Boot or Logon Autostart Execution)
    • Defense Evasion: T1027 (Obfuscated Files or Information), T1036 (Masquerading), T1480 (Execution Guardrails), T1497 (Virtualization/Sandbox Evasion), T1562 (Impair Defenses), T1622 (Debugger Evasion)
    • Discovery: T1057 (Process Discovery), T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1135 (Network Share Discovery)
    • Lateral Movement: T1021 (Remote Services), T1570 (Lateral Tool Transfer)
    • Command and Control: T1071 (Application Layer Protocol), T1573 (Encrypted Channel)
    • Impact: T1486 (Data Encrypted for Impact), T1489 (Service Stop), T1490 (Inhibit System Recovery), T1657 (Financial Theft)

    Tactics, Techniques, and Procedures (TTPs):

    Hunters International employs a multi-stage attack process:

    • Initial Access: They utilize various methods to gain initial access, including:
      • Exploiting vulnerabilities in Oracle WebLogic Server (specifically CVE-2020-14644), leveraging the exposed debug port (TCP 8453) for remote code execution. They then install the China Chopper web shell for persistent access.
      • Deploying renamed AutoIt malware for network scanning and lateral movement, including exploiting Zerologon (CVE-2020-1472) and SECRETSDUMP DCSYNC for domain controller compromise.
      • Exploiting other known CVEs associated with WebLogic.
    • Reconnaissance and Lateral Movement: They use built-in Windows utilities (like ipconfig, nltest, dsquery, reg, ntdsutil) and various remote access tools (AnyDesk, Plink, TeamViewer, RDP, Impacket) to map the network, enumerate users and credentials, and escalate privileges. They also perform reconnaissance on Linux systems using shell commands.
    • Data Collection, Exfiltration, and Encryption:
      • They extract databases using xp_cmdshell and mysqldump.
      • Exfiltrate stolen data to MEGA cloud storage.
      • Deploy ransomware (via a file named delete.me and encrypter_windows_x64.exe) which encrypts files using AES encryption secured with RSA. The ransomware requires command-line arguments for execution, including credentials embedded in ransom notes. It terminates critical processes (antivirus, database services, virtual machines) before encryption. It appends the .LOCKED extension to encrypted files.
      • They disable backup and recovery options using vssadmin, wmic, and bcdedit.

    Malware/Ransomware Strains:

    • Ransomware Strain: Hunters International ransomware itself, written in Rust and showing significant code overlap (at least 60%) with the Hive ransomware. The group claims to have purchased the code from the former Hive operators, rather than being a direct rebranding.
    • Backdoors: SharpRhino, a custom backdoor developed by Hunters International, masquerading as the legitimate tool AngryIP Scanner. This backdoor is packed using NSIS (Nullsoft Scriptable Install System).
    • Other Tools: The group also utilizes tools like 7zip (for data compression), AnyDesk (potentially for remote access or file transfer), bcdedit (for boot configuration manipulation), VssAdmin and wbadmin (for backup and restore manipulation), and WMIC (for system information gathering).
    • Initial Access Vectors: The threat actors leverage valid accounts, exploit external remote services, and employ social engineering tactics (including phishing) to gain initial access to target systems.
    Trending
    NailaoLocker Ransomware Targets EU Healthcare Sector in a Cyberattack
    Venture Capital Giant Insight Partners Hit by Cyber Attack
    BlackLock Ransomware: A Rapidly Rising Cyber Threat
    Latvian Document Management System Leak Exposes 25 Million Records
    OpenSSH Flaws Expose SSH Servers to Critical DoS Attacks and MiTM Vulnerabilities
    MacOS Malware FrigidStealer Employ Sophisticated Web Injection Attacks
    Zacks Investment Research Breach: 12 Million Records Exposed in Latest Cyber Attack
    Coast Guard Data Breach Delays Pay for 1,135 Service Members
    Lee Enterprises Says It Was Hit By a Ransomware Attack
    Finastra Data Breach: Customer Data Compromised in Cyber Attack

    Daily Briefing Newsletter

    Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

    Related Posts
    The Rise of AI Agents: A New Era of AI Cyberthreats

    The Rise of AI Agents: A New Era of AI Cyberthreats

    Cayuga Medical Center Suffers Cyberattack, Operations Temporarily Disrupted

    Cayuga Medical Center Suffers Cyberattack, Operations Temporarily Disrupted

    Australian Fertility Services Giant Genea Hit by Major Security Breach

    Australian Fertility Services Giant Genea Hit by Major Security Breach

    NailaoLocker Ransomware Targets EU Healthcare Sector in a Cyberattack

    NailaoLocker Ransomware Targets EU Healthcare Sector in a Cyberattack

    Venture Capital Giant Insight Partners Hit by Cyber Attack

    Venture Capital Giant Insight Partners Hit by Cyber Attack

    BlackLock Ransomware: A Rapidly Rising Cyber Threat

    BlackLock Ransomware: A Rapidly Rising Cyber Threat