
Hunters International Ransomware

Hunters International is a ransomware program run by a recently identified ransomware group of the same name. Ransomware has traditionally encrypted a victim's data and demanded a ransom in exchange for decryption. What sets Hunters International apart is its declared focus on exfiltrating data from large entities rather than only encrypting files, a claim borne out by the documented attacks attributed to the group.

Analysis of the Hunters International threat shows that it appends a '.locked' extension to encrypted files: '1.jpg' becomes '1.jpg.locked', '2.png' becomes '2.png.locked', and so on. Notably, the ransomware can also be configured to leave filenames unchanged, so the absence of the extension does not by itself rule out an infection. Once encryption completes, it drops a ransom note named 'Contact Us.txt'.
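The two on-disk indicators described above ('.locked' suffix, 'Contact Us.txt' note) are enough for a first triage sweep. The following is an added example written for this page, not code from the original article or from any vendor: it builds a small constructed directory tree in a temporary folder, walks it, and reports which directories show either indicator. Because the page states that the ransomware can be configured not to rename files, a directory holding only the ransom note is still flagged.

```python
"""Triage scan for the on-disk indicators described above.

Added example for this page; the directory layout is constructed for the
demonstration and the function names are the example's own.
"""
import os
import tempfile
from collections import Counter

# Indicators taken from the description above.
LOCKED_EXT = ".locked"
RANSOM_NOTE = "Contact Us.txt"


def build_sample_tree(root):
    """Create a small constructed directory tree that mimics an affected host."""
    layout = {
        "docs": ["1.jpg.locked", "2.png.locked", RANSOM_NOTE],
        "docs/archive": ["report.pdf.locked", RANSOM_NOTE],
        # A share hit by a no-rename configuration: only the note is present.
        "share": ["budget.xlsx", RANSOM_NOTE],
        "clean": ["notes.txt", "photo.png"],
    }
    for rel_dir, names in layout.items():
        path = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(path, exist_ok=True)
        for name in names:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


def scan_for_indicators(root):
    """Walk `root` and report directories showing either indicator.

    A directory counts as affected if it holds renamed files OR the ransom
    note alone, because the ransomware can be configured not to rename files.
    """
    locked_per_dir = Counter()
    note_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in filenames:
            if name.endswith(LOCKED_EXT):
                locked_per_dir[rel] += 1
            if name == RANSOM_NOTE:
                note_dirs.add(rel)
    return {
        "locked_files": sum(locked_per_dir.values()),
        "note_dirs": sorted(note_dirs),
        "affected_dirs": sorted(set(locked_per_dir) | note_dirs),
        # Note present but nothing renamed: consistent with a no-rename build.
        "note_only_dirs": sorted(note_dirs - set(locked_per_dir)),
    }


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_indicators(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real mount point, `scan_for_indicators` gives a quick map of which shares were touched; the `note_only_dirs` list is the one worth a second look, since those directories carry the note without the renamed files that a casual search for '*.locked' would find.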

Hunters International Was Thought to Be a Rebrand of a Previous Ransomware Group

Initially, there was speculation that Hunters International was a rebrand of the Hive ransomware group, based on an approximately 60% overlap between the code of the two programs. Notably, the FBI and Europol had disrupted Hive's operations in January 2023.

Contrary to the rebranding hypothesis, a statement released by the group behind the Hunters International Ransomware denied such claims. According to the threat actor, it acquired Hive's source code and infrastructure from the now-defunct Hive group, a claim that additional evidence also supports.

The operational focus of the Hunters International distinguishes it from conventional ransomware, as evidenced by both statements from the group and documented attacks. Rather than emphasizing file encryption, these cybercriminals seem to lean heavily toward data exfiltration. Intriguingly, instances have been reported where infections by the Hunters International did not involve any form of encryption.

The adoption of double-extortion tactics is a notable trend, especially among groups like the Hunters International that target large entities such as companies and organizations, as opposed to individual users. Unlike some threat actors who exhibit selectivity in their targets, Hunters International appears to adopt a more opportunistic approach in its infections.

The geographic scope of Hunters International's activities is broad, with documented attacks noted in North and Central America, Europe, Asia and Africa. This widespread distribution suggests a lack of strict selectivity in targeting specific regions, further emphasizing the opportunistic nature of the attacks carried out by this threat actor.

The Hunters International Ransomware is Based on the Hive Threat

Hunters International is written in the Rust programming language, in line with recent trends in malware development. The original Hive Ransomware, by contrast, was written in C and Golang.

Comparing the code of the known Hunters International variant with earlier Hive iterations shows that the code has been noticeably simplified. The group acknowledged this change, citing dissatisfaction with errors in the original code, some of which were severe enough to prevent successful decryption.

Although statements have been released affirming that the errors were fixed and the obstacles to file recovery removed, malware analysts have identified lingering flaws in Hunters International, leading to the prevailing belief that the ransomware is still under development and refinement.

One notable feature of Hunters International is its configurability. Operators can choose the extension appended to locked files, delete the Shadow Volume Copies, and eliminate other data recovery avenues. They can also specify a minimum file size below which files are not encrypted. It is crucial to note that Hunters International is designed to modify all files except those of predetermined formats and in excluded directories. This level of customization suggests a degree of sophistication in the ransomware's design and functionality.
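The Shadow Volume Copy deletion described above is the configurable behaviour a defender can most readily watch for, since it shows up in process-creation telemetry before or alongside encryption. The block below is an added example for this page, not code from the article or from the ransomware's operators: it runs a handful of detection rules over constructed process-creation log lines and then raises the confidence when one host trips several distinct rules. The page only says that the ransomware can delete Shadow Volume Copies and remove other recovery avenues; the specific command patterns and the `key=value` log format are this example's assumptions, not anything the page documents.

```python
"""Detect recovery-inhibition commands in process-creation logs.

Added example for this page. The command patterns are assumptions about how
Shadow Volume Copies and other recovery aids are commonly removed on Windows;
the page itself does not name the commands. All log lines are constructed.
"""
import re

# Each rule: (rule name, compiled regex over the process command line).
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Constructed sample telemetry in a simple key=value layout (hypothetical format).
SAMPLE_LOG = """\
ts=2024-01-01T10:00:01Z host=WS01 user=alice image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c dir"
ts=2024-01-01T10:00:05Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
ts=2024-01-01T10:00:06Z host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"
ts=2024-01-01T10:00:07Z host=WS01 user=alice image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
ts=2024-01-01T10:01:00Z host=WS02 user=bob image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
"""

LINE_RE = re.compile(r'ts=(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="([^"]*)"')


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(log_text):
    """Return one alert per matching line as (ts, host, rule_name, cmdline)."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                alerts.append((event["ts"], event["host"], name, event["cmdline"]))
    return alerts


def hosts_with_multiple_rules(alerts, threshold=2):
    """Hosts that tripped at least `threshold` distinct rules.

    A single shadow-copy command can be routine administration; several
    different recovery-inhibition steps on one host in quick succession is a
    much stronger signal of ransomware preparing to encrypt.
    """
    by_host = {}
    for _ts, host, name, _cmd in alerts:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("escalate:", hosts_with_multiple_rules(found))
```

On the constructed sample, `vssadmin list shadows` on WS02 correctly produces no alert, while WS01 trips three different rules within seconds and is the host to isolate first. In a real deployment the same rules map directly onto the `CommandLine` field of Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled.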
