Hive reborn: new ransomware group emerges from the ashes

Hive, one of the world’s most dangerous ransomware groups, disappeared from the scene after being infiltrated by the FBI. Hunters International, a new kid on the block using similar code, has recently emerged in its place. However, the gang claims to be unrelated.

Even in the criminal world, reputations are critical. This is especially true for ransomware-as-a-service sellers.

Hive lost its aura in January 2023, when the FBI and other law enforcement agencies in Germany penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide. According to the US Department of Justice, this prevented payments of $130 million in ransom demands.

Since June 2021, the Hive ransomware collective has targeted over 1,500 victims worldwide, extracting over $100 million in ransom payments. Its victim list includes hospitals, schools, financial institutions, and other organizations. Cybernews recently shared ex-FBI pros' explanations about how their peers gutted Hive.

Bitdefender researchers have now discovered that after the takedown, operators of the group have been busy developing a new project called Hunters International.

No individuals from Hive were arrested during the FBI operation. The threat actor was brought down by dismantling its infrastructure. Cybercriminals often operate from safe havens in countries that do not cooperate with international law enforcement initiatives.

After the devastating blow, the loosely organized individuals comprising the ransomware gang made individual decisions about their futures. That led to a mix of rebranding, disbandment, relocation, or sale of operation and code.

A new gang, Hunters International, suddenly recorded an increase in activity. According to Cybernews Ransomlooker, the ransomware group announced 12 victims in October.

“It appears that the leadership of the Hive group made the strategic decision to cease its operations and transfer its remaining assets to another group, Hunters International,” Bitdefender’s report reads.

The security researchers detected code similarities between the two groups, reporting at least a 60% match between the two sets.

Looking for a fresh start

The gang has itself challenged the initial consensus that Hive has simply rebranded to Hunters.

“In an uncommon statement, which is the sole communication from the group thus far, Hunters International addressed these speculations. They declared that rather than being a rebranded iteration of Hive, they are an independent ransomware group that acquired the source code and infrastructure from Hive,” Bitdefender researchers write.

Hunters claim to focus on data exfiltration rather than data encryption, using an opportune moment to acquire proven ransomware code from the dismantled group. To Bitdefender, those statements are believable, as the group’s reported victims had data exfiltrated, and not all had their data encrypted.

Hunter International announcement

“This ransomware group appears to be opportunistic, with no specific focus on regions or industries. Thus far, victims have been identified in the United States, the UK, Germany, and even as far as Namibia,” Bitdefender noted.

It’s not uncommon for threat actors to consider selling their tools and enjoy their ill-gotten gains after facing such setbacks. After all, rebuilding infrastructure requires significant investments in time and effort.

After analyzing the code, researchers observed changes associated with adoption from other developers. Adopters have aimed for simplification, reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions.

Hunters even claim to have found “a lot of mistakes that caused unavailability for decryption in some cases.”

Hunters International ransom note

The groups’ ransomware still includes an aggressive mode aimed at disabling backup and restore functionality by executing a series of commands and attempting to terminate specific services and processes.

“In double-extortion scenarios, the goal is not just to encrypt but also to steal data. Even a functional backup may not fully address this issue, as the stolen data remains a concern, highlighting the importance of a defense-in-depth security approach,” Bitdefender researchers warn.

Hunters will still have to prove they’re equally or even more formidable than Hive.

“Although the number of victims remains relatively low, this group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities,” the conclusion reads.

More from Cybernews:

Eastern nations more receptive to AI, hints UN tech advisor

Boeing breach: LockBit leaks 50 GB of data

Toyota Financial Services attack claimed by Medusa ransomware

Samsung notifies UK store customers of data breach

FAA clears Musk's SpaceX for Starship rocket lift off

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked