New Ransomware Group Emerges with Hive’s Source Code and Infrastructure
The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape.
“It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International,” Martin Zugec, technical solutions director at Bitdefender, said in a report published last week.
Hive, once a prolific ransomware-as-a-service (RaaS) operation, was taken down as part of a coordinated law enforcement operation in January 2023.
While it’s common for ransomware actors to regroup, rebrand, or disband their activities following such seizures, what can also happen is that the core developers can pass on the source code and other infrastructure in their possession to another threat actor.
Reports about Hunters International as a possible Hive rebrand surfaced last month after several code similarities were identified between the two strains. It has since claimed five victims to date.
The threat actors behind it, however, have sought to dispel these speculations, stating that it purchased the Hive source code and website from its developers.
“The group appears to place a greater emphasis on data exfiltration,” Zugec said. “Notably, all reported victims had data exfiltrated, but not all of them had their data encrypted,” making Hunters International more of a data extortion group.
Bitdefender’s analysis of the ransomware sample reveals its Rust-based foundations, a fact borne out by Hive’s transition to the programming language in July 2022 for its increased resistance to reverse engineering.
“In general, as the new group adopts this ransomware code, it appears that they have aimed for simplification,” Zugec said.
“They have reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions.”
The ransomware, besides incorporating an exclusion list of file extensions, file names, and directories to be omitted from encryption, runs commands to prevent data recovery as well as terminate a number of processes that could potentially interfere with the process.
“While Hive has been one of the most dangerous ransomware groups, it remains to be seen if Hunters International will prove equally or even more formidable,” Zugec noted.
“This group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities, [but] faces the task of demonstrating its competence before it can attract high-caliber affiliates.”