The new group “Hunters International” describes itself as the successor to the HIVE ransomware gangsters. An analysis of the ransomware code confirms this and shows how the criminals have improved their malware attacks.
Hunters International is at the beginning of its activities with first victims in Germany, Great Britain, the United States of America and Namibia. The Hive group was exposed in January 2023 as the result of a concerted effort by the FBI, the BKA, the Reutlingen police headquarters and Dutch authorities. Hive's victims included 1.500 hospitals, school boards, financial services and other organizations whose information the attackers exposed.
Hive exposed in January
As a result of the seven-month investigation, Hive's website was shut down. 300 current victims received a decryption key, saving them $130 million in ransom payments. As is often the case, no arrests were made, but investigators revealed the group's infrastructure. Too often, those behind the crime operate from countries that do not cooperate with other investigative authorities.
Hunters International's self-portrayal corresponds to reality after code analysis
Bitdefender Labs now provides the following results in a new analysis of the new ransomware-as-a-service group Hunter:
- Existing overlaps in the code, already found by security researchers like @rivitna2 or @BushidoToken, confirmed similarities in the code and thus the self-statement of the Hunter International operators that they are a new edition of Hive.
- Nevertheless, Hunter International says it is an independent group that has purchased source code and infrastructure from Hive. In their communication, they position themselves as further developers and improvers of the code. Ransomware actors must position themselves not only to victims, but also to competitors and customers of the ransomware-as-a-service shadow economy.
- The analyzes also confirm Hunters International's self-statement that its primary focus is on disclosing data. To date, data has never been encrypted.
- Code analysis shows that the developers at Hunters International have simplified the code. The code consists of fewer command lines and the storage process of the encryption keys is simpler. Irrelevant file names, file extensions or directories are not encrypted. The ransomware also specifically attacks backup and restore functionality. The goal is to disable backups and stop recovery.
Offline backups play an important role in defense
Bitdefender strongly recommends that companies protect themselves against ransomware and have a catalog of measures to securely defend against and restore data after an attack has occurred. It is equally important to ensure backups - even against attacks from malicious attackers with elevated privileges. An offline backup still plays a central role. In addition, those responsible should regularly assess the security controls for their practical value.
Go to the report on Bitdefender.com
About Bitdefender Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de