A new ransomware group, Hunters International, has surfaced by inheriting the source code and infrastructure from the now-defunct Hive operation. According to Bitdefender’s Martin Zugec, it seems Hive’s leadership decided strategically to cease operations and transfer assets to the emerging group.
While common for ransomware actors to regroup after seizures, Hunters International claims to have purchased Hive’s source code and website, dispelling speculations of a direct rebrand. The group emphasizes data exfiltration over encryption, and Bitdefender’s analysis reveals a simplification of the ransomware code inherited from Hive, adopting a Rust-based foundation.
Furthermore, the Hive group, once a prolific ransomware-as-a-service (RaaS) operation, was dismantled earlier this year as part of a coordinated law enforcement effort. Reports hinting at Hunters International being a possible rebrand of Hive emerged last month due to code similarities. The new group, however, clarifies its acquisition of Hive’s assets and showcases a focus on data extortion. Bitdefender’s analysis also highlights the new group’s streamlining efforts, reducing command line parameters and making the malware less verbose compared to Hive’s earlier versions.
Additionally, Hunters International is noted for its Rust-based ransomware foundations, following Hive’s transition to this programming language in July 2022 for enhanced resistance to reverse engineering.
The ransomware group has incorporated an exclusion list and executes commands to prevent data recovery while terminating processes that could interfere. While Hive was recognized as a dangerous ransomware group, the emergence of Hunters International raises questions about its potential formidability, with Zugec emphasizing the need for the group to demonstrate its competence before attracting high-caliber affiliates in the evolving threat landscape.