2023-11-09

Signs of a Hive Reemergence Rebrands as "Hunters International"

Level: 
Strategic
  |  Source: 
BushidoToken
Global
Share:

Signs of a Hive Reemergence Rebrands as "Hunters International"

Category: Ransomware News | Industry: Global | Sources: @BushidoToken, @rivitna2, BleepingComputer, John Hammond

In January 2023, the United States Department of Justice (DOJ) announced the successful takedown of the Hive ransomware gang's infrastructure. The DOJ had infiltrated their network in July 2022. However, there are indications that Hive might be planning a reemergence under a new guise known as "Hunters International." The potential connection between Hive and Hunters International is substantiated by overlapping code within their malware encryptors. Security researchers, including Will Thomas (@BushidoToken) and rivitna (@rivitna2), conducted an analysis that revealed these code overlaps. Notably, Thomas pointed out that the Hunters International encryptor contains "some maintained Hive ransomware strings," with the similarities amounting to an approximate 60% coding overlap.

BleepingComputer's report on Hunters International presents additional perspectives, with the threat actors denying any direct ties to the Hive ransomware gang. They claim to have purchased the Hive source codes, "including the website and old Golang and C versions," distancing themselves from the original group. Regarding their encryptor, Hunters International asserts that they have rectified and improved the code previously maintained by Hive. They also downplay the significance of the encryptor, emphasizing their current focus on data theft for extortion purposes.

According to John Hammond's analysis, an uptick in the security community's monitoring of Hunter International's operations was observed on October 20th. Hunters International is active in its operations, with one victim already listed on their data leak site: an educational institution in the United Kingdom, which suffered the theft of approximately 50,000 files. Operating under the ransomware-as-a-service (RaaS) model, they have the capacity to recruit from the 250 affiliates formerly associated with Hive. With its established infrastructure, Hunters International has the potential to cause significant disruptions, irrespective of any direct connection to the Hive group.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now