Hunters International, a ransomware group that emerged in October 2023, has quickly become the 10th most active ransomware group in 2024 and operates as a Ransomware-as-a-Service (RaaS) provider. Their latest analysis reveals a Rust-based encryptor, data exfiltration, opportunistic targeting across sectors, and infrastructure tied to Cloudflare Workers, with a tendency to avoid Russian-influenced CIS regions. #HuntersInternational #SharpRhino
Keypoints
- Hunters International was first observed on October 20, 2023.
- Ranked as the 10th most active ransomware group in 2024.
- Attribution largely links Hunters International to the defunct Hive ransomware group due to code similarities.
- The group claimed responsibility for 134 attacks in the first seven months of 2024.
- Operates as a Ransomware-as-a-Service (RaaS) provider, enabling other actors with tooling.
- Encryptor is written in Rust and includes data exfiltration prior to encryption.
- Targets are opportunistic across sectors and avoids Russian-influenced CIS regions.
MITRE Techniques
- [T1497.001] Virtualization/Sandbox Evasion – System Checks – “ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW”
- [T1134] Access Token Manipulation – “7za.exe sets privilege: SeRestorePrivilege; 7za.exe sets privilege: SeCreateSymbolicLinkPrivilege; 7za.exe sets privilege: SeSecurityPrivilege; ip-3.9.1-setup.exe called NtOpenThreadToken; ip-3.9.1-setup.exe called NtOpenProcessToken”
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – “A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds”
- [T1027.002] Obfuscated Files or Information: Software Packing – “ipscan-3.9.1-setup.exe is a NSIS archive”
- [T1036.001] Masquerading: Invalid Code Signature – “Digital signature of ipscan-3.9.1-setup.exe failed verification”
- [T1027.004] Obfuscated Files or Information: Compile After Delivery – “csc.exe is called to compile source code from command-line”
- [T1480] Execution Guardrails – “ipscan-3.9.1-setup.exe called GetUserDefaultLCID”
- [T1543.003] Create or Modify System Process: Windows Service – “ServicesMSDTCDelayedAutostart is written”
- [T1135] Network Share Discovery – “ipscan-3.9.1-setup.exe called NetShareEnum”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “cmd.exe process is launched to execute WindowsUpdate.bat”
- [T1059.001] Command and Scripting Interpreter: PowerShell – “Attempt of execution in a hidden window”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “RunUpdateWindowsKey registry is written”
- [T1071.001] Application Layer Protocol: Web Protocols – “HTTPS is used to communicate with a C2 server on Cloudflare Workers”
- [T1573] Encrypted Channel – “HTTPS is used to communicate with a C2 server on Cloudflare Workers”
Indicators of Compromise
- [Hash] Hashes – 4bba5b7d3713e8b9d73ff1955211e971, 9473104a1aefb0daabe41a92d75705be7e2daaf3, 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264 (Hashes for ipscan-3.9.1-setup.exe)
- [File Name] ipscan-3.9.1-setup.exe – NSIS-packed installer that drops additional payloads
- [File Name] ipsscan-3.9.1-setup.exe – embedded binary referenced in the NSIS installer
- [File Name] LogUpdate.bat – Dropper/script component used in persistence and execution
- [File Name] WindowsUpdate.bat – Script invoked by cmd to run updates
- [Domain] cdn-server-1.xiren77418.workers.dev, cdn-server-2.wesoc40288.workers.dev – Cloudflare Workers C2 infrastructure
- [Domain] Angryipo.org, Angryipsca.com – Initial download sites and lure domains
- [Domain] ec2-3-145-180-193.us-east-2.compute.amazonaws.com, ec2-3-145-172-86.us-east-2.compute.amazonaws.com – Command & Control / hosting infrastructure