
Hunters International: Your data is the prey
Hunters International (Hunters) is one of those rare criminal groups whose name reflects exactly who they are. They hunt for your data, and they operate internationally. As of this writing, the group has compromised victims in 29 countries, and that only counts confirmed victims. Several industry surveys put the share of unreported ransomware attacks anywhere from 60% to 80%, so the real numbers are probably higher than we know.
It's not unusual for ransomware groups to target companies in multiple countries, but this group is interesting in that it intentionally cultivates an international operation. It is a ransomware-as-a-service (RaaS) operator, and many RaaS operators have affiliates in multiple countries. While Hunters' "home base" is thought to be somewhere in Eastern Europe or Russia, the group's infrastructure and activities have been traced to Asia, South Africa, and other parts of the world. This geographic spread makes it harder for law enforcement to disrupt the operation, but it also makes the operation harder to coordinate: time zones, operational security, and consistency across attacks all suffer.
Origin story
Hunters International was first observed in October 2023 and was originally thought to be a rebrand of Hive ransomware. Hive was dismantled by law enforcement in January 2023 and never reappeared under that name. When Hunters International emerged, researchers found that about 60% of its code overlapped with Hive. This kicked off the rebrand stories, which Hunters quickly shut down:

Hunters International denies Hive affiliation
As an independent 'startup RaaS,' the purchase of the Hive code and infrastructure allowed Hunters to launch a working system to begin recruiting affiliates and attacking targets. Hunters made many improvements to the Hive code, including the following:
- Corrected "several issues that sometimes prevented file decryption" in Hive's original encryption logic.
- Reduced the number of command-line parameters and simplified how encryption keys are stored.
- Rebuilt the code in Rust; earlier Hive versions were written in C and Golang.
- Added options to customize the encrypted-file extension, delete Volume Shadow Copies, and set a minimum file size below which files are skipped.
- Changed the encryption scheme from ChaCha20-Poly1305 to a combination of AES and RSA ciphers.
One of Hunters International's unique characteristics is that data exfiltration is its top priority. This is a departure from Hive and many other ransomware groups that use your stolen data as secondary leverage. This move by Hunters could have been caused by Hive's broken decryption code, but it's just as likely that Hunters understands that data is money. You'll either pay to protect it, or they'll have a product to monetize. Many of the changes in the Hive code were made to support this new priority.
Hunters' developers have made several other improvements, but researchers continue to find flaws in the code. The group appears to be one of the more "professional" organized groups that take business seriously, so the code will probably receive ongoing updates and improvements.
Speaking of professional …
Hunters International seems to have employed a user interface designer for their leak site. The Malware Hunter Team posted these screenshots in November 2023:
If you think of the victims as consumers (it's gross, but stick with me), the site design may be more comforting to them as they work through the transaction. It's clearly meant to be easy to use and unintimidating. There's not as much psychological or technical friction in paying the ransom when the ransom site looks like a pretty e-commerce site.
The care taken in the design could also be intentional to impress potential affiliates and give the appearance of sophistication.
How a Hunters attack works
The infection chain usually begins with an initial access vector such as a phishing email, a compromised RDP service, a supply chain attack, social engineering, or a vulnerable public-facing application; the vectors most commonly seen from this group are exploitation of public-facing applications and stolen credentials for RDP services. Once the payload executes (after data exfiltration, given the group's priorities described above), the ransomware encrypts files and drops a ransom note demanding payment in cryptocurrency.
After gaining initial access, Hunters International employs legitimate tools to facilitate their operations. These tools include network administration software, penetration testing frameworks, and custom scripts designed to evade detection. The group is believed to have affiliations with other prominent ransomware groups, exchanging tactics, tools, and sometimes even personnel.
Hunters' family tree
There's not much to say about Hunters other than it claims to be an independent group with no affiliation with Hive. So, let's take a look at Hive and see where that takes us.
Hive was first observed in June 2021 and conducted several high-profile attacks in December of that year. Law enforcement increased its focus on Hive in January 2022, but it was another year before Hive was dismantled. During its time in operation, Hive targeted more than 1,300 companies worldwide and collected roughly $100 million in ransom payments.
Hive has several similarities with other ransomware groups:
| TTPs | Hive | Conti | REvil | DarkSide |
| --- | --- | --- | --- | --- |
| Initial Access | Phishing, VPN | Phishing, RDP | Phishing, Exploits | Phishing, RDP |
| Lateral Movement | Cobalt Strike | Cobalt Strike | Cobalt Strike | Cobalt Strike |
| Persistence | Custom Scripts | Custom Scripts | Custom Tools | Custom Scripts |
| Data Exfiltration | Double Extortion | Double Extortion | Double Extortion | Double Extortion |
| Ransom Demands | Variable, High | Variable, High | Variable, High | Variable, High |
The similarities suggest that Hive is a rebrand or continuation of another group, but it's all speculation.
Since Hunters purchased Hive resources, it makes sense to see similarities between Hunters and Hive. But what about Hunters and Medusa?
Medusa was discovered in early 2021 and had a very active year with many successful, high-profile attacks. By late 2022, activity had dropped off, and by December there was speculation that the group had disbanded. Here are some of Medusa's similarities with Hunters:
- Primary Language: Both groups primarily use Russian and English for communication.
- Initial Access Methods: Both utilize phishing and RDP exploits to gain initial access.
- Data Exfiltration: Both employ double extortion tactics, though Medusa tends to use more aggressive public exposure of exfiltrated data.
- Communication Systems: Both use encrypted messaging services and dark web forums.
- Target Industries: Both target high-value sectors like healthcare, finance, and education.
- Global Reach: Both have extensive global operations.
- Evolution of Tactics: Both continuously improve their tactics, although Medusa is generally more aggressive.
- Public Exposure: Both publicize ransom demands and shame victims, with Medusa employing more aggressive tactics.
There are significant similarities between Hunters and Medusa. This doesn't mean that Hunters is comprised of former Medusa members, but clearly, it's easy to share code and tactics between groups. Sometimes, it's hard to tell the difference between them.
Protect your business
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Stop Ransomware website can help you prevent ransomware attacks. You should review this site for information on emergency communications, bad practices, and proper ransomware attack response. Also, make sure you’re following the standard best practices, such as regular data backups and timely patch management.
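Backups only help if they survive the intrusion, and the Volume Shadow Copy deletion option noted in the Hive code changes above is the usual way a payload removes the on-host copies before it encrypts. The detection below is an added example written for this article, not Barracuda's, CISA's, or any vendor's rule, and it runs over constructed process-creation events in a made-up key=value format; the command patterns are a general list of shadow-copy and recovery-tampering commands, not indicators published for Hunters International.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Each rule pairs a name with a case-insensitive pattern over the command line.
// The patterns are general backup-tampering commands assumed for this example,
// not published Hunters International indicators.
var shadowCopyRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"vssadmin delete shadows", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	{"vssadmin resize shadowstorage", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage`)},
	{"wmic shadowcopy delete", regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"wbadmin delete catalog", regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)`)},
	{"bcdedit disable recovery", regexp.MustCompile(`(?i)bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)`)},
	{"powershell Win32_ShadowCopy", regexp.MustCompile(`(?i)Get-WmiObject\s+Win32_Shadowcopy|Win32_ShadowCopy.*\.Delete\(\)`)},
}

// Hit is one matched process-creation event.
type Hit struct {
	Rule    string
	Host    string
	User    string
	CmdLine string
}

// parseEvent reads the constructed "key=value|key=value" format used below.
func parseEvent(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Split(line, "|") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields
}

// DetectShadowCopyTampering returns a Hit for every event whose CommandLine
// matches a rule. It matches on arguments rather than the image path, so a
// renamed or copied binary is still caught as long as its arguments are intact.
func DetectShadowCopyTampering(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		ev := parseEvent(line)
		cmd := ev["CommandLine"]
		for _, r := range shadowCopyRules {
			if r.Re.MatchString(cmd) {
				hits = append(hits, Hit{Rule: r.Name, Host: ev["Host"], User: ev["User"], CmdLine: cmd})
				break
			}
		}
	}
	return hits
}

// SampleEvents are constructed process-creation events, not real telemetry.
// The first three are the tampering sequence; the last two are benign noise.
var SampleEvents = []string{
	"Time=2024-03-02T02:11:04Z|Host=FS01|User=CORP\\svc_backup|CommandLine=vssadmin.exe delete shadows /all /quiet",
	"Time=2024-03-02T02:11:05Z|Host=FS01|User=CORP\\svc_backup|CommandLine=wmic shadowcopy delete",
	"Time=2024-03-02T02:11:06Z|Host=FS01|User=CORP\\svc_backup|CommandLine=bcdedit /set {default} recoveryenabled No",
	"Time=2024-03-02T08:15:22Z|Host=WS17|User=CORP\\jdoe|CommandLine=vssadmin list shadows",
	"Time=2024-03-02T09:01:00Z|Host=WS17|User=CORP\\jdoe|CommandLine=\"C:\\Program Files\\Office\\WINWORD.EXE\" report.docx",
}

func main() {
	for _, h := range DetectShadowCopyTampering(SampleEvents) {
		fmt.Printf("[%s] %s %s: %s\n", h.Rule, h.Host, h.User, h.CmdLine)
	}
}
```

In production the same logic applies to Sysmon Event ID 1 or Windows Security 4688 command lines; alert on any hit, and treat a burst of several rules from one host within seconds (as in the sample) as a precursor to encryption rather than as administrative noise. A plain `vssadmin list shadows` does not match, which keeps the rule quiet on routine backup checks.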
Barracuda offers complete ransomware protection and the industry’s most comprehensive cybersecurity platform. Visit our website to see how we defend email, network, applications, and data.