Hive Ransomware’s Legacy Lives On Through Hunters International, Indicates Bitdefender Report

Despite the FBI’s successful dismantling of the Hive ransomware operation earlier this year, recent analyses reveal ongoing threats stemming from the group’s malware code, now surfacing in attacks linked to a newly identified threat entity, Hunters International.

Researchers uncovered significant code similarities between Hive ransomware and the malware employed by Hunters International, suggesting a potential handover of operations from Hive to this emerging threat group. Bitdefender’s analysis indicated a strategic decision by Hive’s leadership to cease activities, transferring their assets to Hunters International.

The Hive group, once among the most notorious ransomware operators, faced coordinated action by law enforcement agencies, resulting in the capture and distribution of over 300 decryption keys to actively targeted victims, preventing a cumulative $130 million in losses. Additional keys associated with prior attacks were also recovered and disseminated, while control over Hive’s infrastructure was seized, effectively crippling their operational capacity.

However, the emergence of Hunters International after Hive’s disruption indicates a transition of code and tactics. The newcomers appear to prioritize data exfiltration for extortion rather than encryption, a deviation from Hive’s modus operandi. Their victim list, spanning the US, UK, Germany, and Namibia, suggests opportunistic rather than targeted attacks, underscoring that the group is still finding its footing in the ransomware landscape.

Bitdefender’s analysis revealed logging practices within Hunters International’s malware, signaling the adoption of inherited code. Martin Zugec, Bitdefender’s Technical Solutions Director, highlighted the significance of logging in understanding and refining acquired code, indicating the group’s learning curve in handling the new malware.

The decision to sell off their malware, as observed in Hive’s case, reflects criminal groups’ challenges in recovering from disruptions. Zugec emphasized that for threat actors, rebuilding operations involves evading legal consequences, contributing to the strategic move to trade their code. The perceived value extends beyond technical capabilities to include trust and reputation within the cybercriminal community, factors that affiliates like Hunters International seek when acquiring ransomware.
