An FBI-led operation dismantled Hive, one of the most notorious ransomware groups, preventing about $130 million in ransom payments and providing decryption keys to over 300 victims. The analysis then turns to Hunters International, a suspected Hive successor focused on data exfiltration, which claims to be an independent group that acquired Hive's code and infrastructure.
Key points
- The Hive ransomware group was dismantled through a seven-month operation resulting in the disruption of its infrastructure and the distribution of decryption keys to victims.
- Hive targeted over 1,500 victims globally since June 2021, extracting more than $100 million in ransom payments, including hospitals, school districts, and financial institutions.
- Decryption keys were provided to over 300 victims, preventing about $130 million in potential ransom payments, with an additional 1,000 keys shared with prior victims.
- Leadership reportedly transferred remaining assets to Hunters International, which security researchers see as either a rebrand or an independent entity using Hive code and infrastructure.
- Hunters International emphasizes data exfiltration in its operations, with all reported victims having data exfiltrated and some not encrypted.
- The Hunters International code is written in Rust, uses a streamlined set of features, and appends a .locked extension to encrypted files unless disabled.
MITRE Techniques
- [T1486] Data Encrypted for Impact – The ransomware encrypts files using ChaCha20-Poly1305 and RSA OAEP; key material is embedded within the encrypted files. ‘The key generation material is now embedded directly within the encrypted files (albeit still encrypted with RSA).’
- [T1041] Exfiltration – The campaign centers on data exfiltration, with all reported victims having data exfiltrated, even if not all files were encrypted. ‘notably, all reported victims had data exfiltrated, but not all of them had their data encrypted.’
- [T1071.001] Web Protocols – The attackers use a chat portal to contact representatives and manage credentials via a ransom note, indicating C2 over web protocols. ‘Chat portal to contact Hunters International representatives. Portal credentials are passed via ‘-c username:password’ argument to the ransom note.’
- [T1490] Inhibit System Recovery – The malware includes commands to prevent data recovery and backup, such as deleting shadow copies and disabling recovery. ‘Commands to Prevent Data Recovery and Backup: exe shadowcopy delete … exe /set {default} recoveryenabled No.’
- [T1562.001] Impair Defenses – The ransomware terminates services and processes to hinder remediation, including a list of services like ‘mepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, vmm, vmwp’.
- [T1059] Command and Scripting Interpreter – The command-line interface is streamlined to five parameters (-c, -attach, -no-aggressive, -no-extension, -min-size) to configure execution. ‘Parameter: -c …’
Indicators of Compromise
- [SHA256] Ransomware sample – 94b6cf6c30f525614672a94b8b9788b46cbe061f89ccbb994507406404e027af
- [SHA256] Ransomware sample – c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e
- [Onion URL] Chat page for victims – hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd[.]onion
- [Onion URL] Data leak site – hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid[.]onion
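The following detection sketch is an added example, not code from the original analysis or from the researchers it summarizes. It turns the behaviours listed under MITRE Techniques and the SHA256 values under Indicators of Compromise into checks a defender can run over process-creation telemetry, service-stop events and file listings. The log line layout (`sha256=… cmd=…`), the `<tool>.exe` placeholder for the binary names the page elides, the `user:password` value and the all-zero and all-one hashes are constructed for the example; the hashes in `KNOWN_SAMPLE_HASHES`, the command fragments, the service names and the five command-line flags come from the page.

```python
"""Added example: triage helpers for the Hunters International behaviours
summarized above (page-derived constants, constructed sample telemetry)."""
import re

# SHA256 values from the page's Indicators of Compromise section.
KNOWN_SAMPLE_HASHES = {
    "94b6cf6c30f525614672a94b8b9788b46cbe061f89ccbb994507406404e027af",
    "c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e",
}

# Recovery-inhibition command fragments quoted in the page (T1490).
# The page elides the executable names, so only the arguments are matched.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"shadowcopy\s+delete", re.I),
    re.compile(r"/set\s+\{default\}\s+recoveryenabled\s+No", re.I),
]

# Services the ransomware stops (T1562.001), as listed in the page.
TARGETED_SERVICES = {"mepocs", "memtas", "veeam", "svc$", "backup", "sql",
                     "vss", "msexchange", "vmm", "vmwp"}

# The five command-line parameters the page describes (T1059).
RANSOMWARE_CLI_FLAGS = {"-c", "-attach", "-no-aggressive", "-no-extension", "-min-size"}

# Assumed telemetry layout: "<timestamp> host=<h> sha256=<hex> cmd=<command line>".
LOG_RE = re.compile(r"sha256=(?P<sha>[0-9a-fA-F]{64})\s+cmd=(?P<cmd>.*)$")


def analyze_process_event(line: str) -> list[str]:
    """Return the finding tags that apply to one process-creation log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    sha, cmd = m.group("sha").lower(), m.group("cmd")
    findings = []
    if sha in KNOWN_SAMPLE_HASHES:
        findings.append("known_sample_hash")
    if any(p.search(cmd) for p in RECOVERY_INHIBIT_PATTERNS):
        findings.append("inhibit_recovery")
    # "-c" alone is too common to alert on; require two of the five flags together.
    flags = {tok for tok in cmd.split() if tok in RANSOMWARE_CLI_FLAGS}
    if len(flags) >= 2:
        findings.append("ransomware_cli_flags")
    return findings


def triage(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> findings for every line that produced at least one."""
    return {i: f for i, line in enumerate(lines) if (f := analyze_process_event(line))}


def targeted_service_stops(stopped_services: list[str]) -> list[str]:
    """Keep the service names (e.g. from Service Control Manager stop events)
    that contain one of the page's listed targets; substring matching is an
    assumption, since the page gives bare names like 'sql' and 'backup'."""
    return [name for name in stopped_services
            if any(t in name.lower() for t in TARGETED_SERVICES)]


def locked_file_count(paths: list[str]) -> int:
    """Count files carrying the .locked extension the page describes (T1486)."""
    return sum(1 for p in paths if p.lower().endswith(".locked"))


# Constructed sample telemetry; placeholder hashes are not real IoCs.
BENIGN_SHA = "0" * 64
OTHER_SHA = "1" * 64
SAMPLE_LOG = [
    f"2024-05-01T10:00:01Z host=WS01 sha256={BENIGN_SHA} cmd=C:\\Windows\\System32\\notepad.exe report.txt",
    "2024-05-01T10:02:13Z host=WS01 sha256=94b6cf6c30f525614672a94b8b9788b46cbe061f89ccbb994507406404e027af "
    "cmd=C:\\Users\\Public\\sample.exe -c user:password -no-extension -min-size 1024",
    f"2024-05-01T10:02:20Z host=WS01 sha256={OTHER_SHA} cmd=<tool>.exe shadowcopy delete",
    f"2024-05-01T10:02:21Z host=WS01 sha256={OTHER_SHA} cmd=<tool>.exe /set {{default}} recoveryenabled No",
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_LOG).items():
        print(idx, findings, SAMPLE_LOG[idx])
    print(targeted_service_stops(["Spooler", "VeeamBackupSvc", "MSSQLSERVER", "vss"]))
    print(locked_file_count(["a.docx.locked", "b.xlsx", "C.PDF.LOCKED"]))
```

The hash match is the weakest signal, since a rebuilt sample changes it; the recovery-inhibition arguments and a cluster of the five flags on one command line survive recompilation and are the checks worth wiring into process-creation alerting. The service-stop helper is meant to run on whatever stop events the endpoint already produces, so a burst of matches in a short window, rather than any single one, is the condition to alert on.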