Hunters International emerged in late 2023 as a RaaS operation with technical lineage and tactics resembling Hive, continuing cyber extortion trends despite Hive’s takedown. The group claims independence, focuses on data theft over encryption, and shows ties to Hive’s infrastructure while expanding globally across sectors. #HuntersInternational #Hive #FBI #Bitdefender
Keypoints
- Hunters International appears as a Hive-like successor, detected in Q3 2023, with significant technical overlap suggesting evolution or offshoot of Hive.
- The group positions itself as independent, prioritizing data theft over encryption, and reportedly reduced command-line options to streamline its malware.
- Hive’s takedown in January 2023 by a multinational coalition disrupted extortion sites and decrypted keys for hundreds of victims, impacting Hive’s operations significantly.
- Bitdefender and researchers have discussed potential asset transfers from Hive to Hunters International, including shared code similarity around 60% at first release.
- Hunters International targets a broad, global set of sectors—healthcare, automotive, manufacturing, logistics, financial, education, and food—with a wide geographic reach (US-centric but global).
- Investigations into the group identified a surface web data leak site and possible Nigerian ties via domain registrations and email addresses, highlighting identity obfuscation risks.
- Defensive guidance emphasizes proactive measures, threat intelligence sharing, and collaboration with law enforcement to mitigate evolving ransomware threats.
MITRE Techniques
- [T1041] Exfiltration – Focus on stealing data rather than encryption, indicating data exfiltration is central to operations. “their main operational focus is on stealing data”
- [T1059] Command-Line Interface – Reducing command-line options to streamline tooling, making malware easier to operate. “reducing command-line options” and “made their malware less verbose and easier to use for operatives”
- [T1486] Data Encrypted for Impact – Encryption techniques adopted and keys embedded within encrypted files to streamline decryption for paying victims. “embedding encryption keys within the encrypted files”
- [T1583] Acquire Infrastructure – Hive leaders transferring assets and infrastructure to Hunters International, suggesting a shift in control. “transferred assets to Hunters International”
Indicators of Compromise
- [URL] surface web data leak site – Hunters International’s surface web data leak site
- [Domain] Nigeria-related registrations – Domain registrations potentially tying the group to Nigeria
- [Email] Nigeria-associated addresses – Email addresses associated with the group that may connect to Nigeria
Read more: https://socradar.io/dark-web-profile-hunters-international/