A new ransomware entity known as Hunters International has emerged, and it is suspected to be a possible rebrand of the Hive ransomware operation. This theory is supported by an analysis of the Hunters International malware, which revealed significant code overlaps and similarities with Hive ransomware.
Researchers, including malware analyst rivitna, have noted the resemblance, suggesting that Hunters International is closely related to Hive ransomware version 6. However, the Hunters International group denies these allegations and claims to be a new service that purchased the encryptor source code from Hive developers.
Hunters International appears to have a different approach than traditional ransomware groups. Instead of focusing solely on encryption, they prioritize stealing data to use as leverage when extorting victims into paying ransoms. The malware appends the “.LOCKED” extension to encrypted files and provides victims with instructions to contact the attackers through a Tor-protected chat page.
So far, their data leak site has only listed one victim, a school in the UK, from which they claim to have stolen data on students, teachers, network credentials, and web credentials.
The Hive ransomware operation, from which Hunters International may have inherited its code, was disrupted earlier this year in an international operation. The FBI’s infiltration and monitoring of the gang’s infrastructure for six months led to the seizure of the Tor payment and data leak site. The gang, with 250 affiliates, breached over 1,300 companies and received ransom payments totaling about $100 million.
The FBI was able to provide more than 1,300 decryption keys to Hive ransomware victims, which had been encrypted both before and after gaining access to the attackers’ environments.