‘Hunters International’ Cyberattackers Take Over Hive Ransomware

The FBI may have successfully disrupted the destructive Hive ransomware operation earlier this year, but the group’s malware code continues to present a threat to organizations everywhere.

In October, a security researcher’s analysis of ransomware used by a new group called Hunters International showed substantial code overlaps with Hive ransomware. A subsequent analysis by Bitdefender found the same similarities, leading researchers at the security vendor to conclude that Hive operators have handed off their crown jewel to another threat actor.

A Strategic Dark Web Decision?

“It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International,” Bitdefender said in a recent report. “While Hive has been one of the most dangerous ransomware groups, it remains to be seen if Hunters International will prove equally or even more formidable.”

Hive was one of the most active ransomware groups at the time the FBI, in concert with counterparts in Germany and the Netherlands, hacked into the group’s infrastructure and systematically neutralized it over a seven-month period.

During that time, investigators captured over 300 decryption keys from Hive operators and handed them off to victims who were under active attack, saving them a cumulative $130 million in losses. Investigators also found — and handed over — an additional 1,000 decryption keys associated with victims of earlier Hive group attacks. The FBI and its partners seized control of websites and servers that Hive was using at the time, effectively shutting down its operational capabilities.

Emerging Threat

In the months since then, Hive’s operators appear to have transferred their code to Hunters International, a threat group with a relatively low number of victims at the moment but with a mature toolkit and a seeming eagerness to show its capabilities.

“Reputation plays a critical role in the ransomware-as-a-service model, and after the disruptions and months-long law enforcement breach of the Hive ransomware group, Hunters International faces the task of demonstrating its competence before it can attract high-caliber affiliates,” Bitdefender said.

The threat actors behind Hunters International have made clear that they are not a rebranded version of Hive and are instead an independent group that’s using Hive malware and infrastructure. Evidence points to that indeed being the case, Bitdefender said.

The group’s primary focus, for example, appears to be on extortion via data exfiltration rather than data encryption, which is different from the Hive operation. Hunters International’s victim list — which includes organizations in the US, UK, Germany, and Namibia — suggests that its attacks so far are opportunistic rather than targeted, another sign of a group that’s still finding its way in the ransomware space.

Bitdefender’s analysis of the malware also shows that Hunters International is using logging, a clear indication the group has adopted the code from someone else, says Martin Zugec, technical solutions director at Bitdefender, in comments to Dark Reading.

“When a new developer, such as the Hunters group, acquires or inherits code, enabling logging and debugging is a crucial step in understanding and improving that code. Logging offers insights into how the code operates, tracks errors, and helps debugging and improving the malware.”

Selling Off Malware: A Risk-Reducing Trade-Off

Zugec says Hive’s decision to sell its malware points to the challenge that criminal groups often face when trying to recover from a successful takedown.

“Unlike a legitimate business that might recover from backups, for threat actors, restoration isn’t just about systems; it’s about evading legal consequences and rebuilding an illegal operation,” he says. “It’s a time-consuming and effort-intensive process. Thus, the decision to sell their code might stem from the belief that the effort and resources required to restart and evade law enforcement might not be worth it.”

Zugec says it’s hard to determine the price that Hive actors might have wanted — or that Hunters International paid — for the ransomware code. Typically, an affiliate operation like Hunters would be willing to pay a premium for ransomware with a good reputation for speed recovery, high data retrieval rates, and resistance to decryptors.

“The value of the code extends beyond its technical capabilities; it includes the trust and established reputation of the ransomware in the cybercriminal community.”