November 13, 2023 at 07:48AM
Hunters International, a new ransomware group, has acquired the source code and infrastructure of the now-dismantled Hive operation to jumpstart its own efforts. Although the two code bases are similar, Hunters International claims to have purchased the Hive source code and website. The group focuses on data exfiltration rather than encryption, extorting victims over stolen data. While the new group has simplified the ransomware code, its true capabilities are yet to be determined.
Key Takeaways from the Meeting Notes:
– A new ransomware group called Hunters International has acquired the source code and infrastructure of the dismantled Hive operation to start its own efforts in the threat landscape.
– Hive, a prolific ransomware-as-a-service operation, was taken down in January 2023 as part of a law enforcement operation.
– It is common for ransomware actors to regroup or pass on source code and infrastructure following seizures.
– Hunters International claims to have purchased the Hive source code and website from its developers, but there are code similarities between the two strains.
– Hunters International appears to focus on data exfiltration rather than on encrypting data.
– The ransomware is written in the Rust programming language, which is known for producing binaries that are harder to reverse engineer.
– The new group has simplified the ransomware by reducing command line parameters, streamlining encryption key storage, and making it less verbose.
– The ransomware includes an exclusion list to omit certain files, file extensions, and directories from encryption.
– The ransomware runs commands to prevent data recovery and terminate processes that could interfere with the encryption process.
– It is uncertain whether Hunters International will be as dangerous as Hive: although it starts with a mature toolkit, it still needs to demonstrate its competence to attract high-caliber affiliates.