Hunters International Ransomware-as-a-Service (RaaS) Group

Hunters International is a relatively new, yet highly impactful, Ransomware-as-a-Service (RaaS) group that emerged in late 2023. This group quickly gained notoriety for its aggressive data exfiltration and extortion tactics, targeting a wide array of industries globally. Unlike some ransomware groups that focus solely on encryption, Hunters International prioritizes stealing sensitive data before encrypting systems, significantly increasing the pressure on victims to pay ransoms. This "double extortion" method, combined with the group's possible connections to the dismantled Hive ransomware operation, makes Hunters International a significant threat to organizations worldwide. The group's use of advanced techniques, including exploiting known vulnerabilities and deploying custom tools, demonstrates a level of sophistication that warrants a deep understanding of their operations.

Origins & Evolution

Hunters International surfaced in October 2023, shortly after the international law enforcement operation that disrupted the notorious Hive ransomware group. While Hunters International has publicly denied being a direct rebrand of Hive, they have admitted to acquiring portions of Hive's source code and infrastructure. Security researchers have identified significant code overlap (approximately 60%) between Hunters International and Hive, specifically in the encryption logic. This suggests a strong connection, potentially involving former Hive affiliates or developers who repurposed the code.

The evolution of Hunters International has been rapid. Initially written in C and Go, later versions were rewritten in Rust. This shift to Rust offers several advantages, including enhanced security, improved performance, and potentially better evasion capabilities against traditional security solutions. Furthermore, Hunters International has streamlined its ransomware, reducing command-line options and optimizing key management compared to Hive, making it both more efficient for attackers and, paradoxically, easier for victims who pay to decrypt their data, as the decryption keys are embedded in the encrypted files. This rapid development and refinement of their tools underscore the group's commitment to continuous improvement and its adaptability to the evolving threat landscape.

Tactics & Techniques

Hunters International, operating as a RaaS, employs a range of sophisticated tactics, techniques, and procedures (TTPs) to compromise its victims. The group's affiliates likely leverage various initial access vectors, but several key methods have been observed:

* Network Enumeration: Using commands like ipconfig /all and nltest /domain_trusts.

* User and Credential Enumeration: Querying Active Directory for user information (SIDs, usernames, last login) and saving the results.

* Credential Dumping: Extracting hashed passwords from the SAM and SYSTEM registry hives. Understanding Windows Registry structure helps to get valuable infomration during credential dumping. https://thesecmaster.com/windows-registry-structure-understanding-keys-values-and-hives-in-windows-registry

* Active Directory Attacks: Leveraging techniques like DCSync and DFSCoerce to extract the NTDS.DIT database.

* Account Manipulation: Adding new accounts to the Administrator or Remote Desktop Users groups.

* Linux Reconnaissance: Enumerating Linux user accounts and checking for privileged group memberships (wheel, adm). Understanding basics of linux is very helpful during the enumeration process. https://thesecmaster.com/basics-of-linux-operating-systemgetting-to-know-the-basics-is-key-to-mastering-linux-programming

* Remote Access Tools: Utilizing tools like AnyDesk, Plink, TeamViewer, RDP, and Impacket for remote access and control.

* Database Extraction: Using SQL Server's xp_cmdshell to export MySQL databases with mysqldump.

* Data Exfiltration: Uploading stolen data to the MEGA cloud storage service. This is a key differentiator from some ransomware groups, emphasizing data theft as a primary objective.

* Ransomware Execution: Distributing a file named delete.me (purpose currently unknown) and executing the ransomware binary (encrypter_windows_x64.exe). The encrypter requires valid command-line arguments (-c username:password), with credentials included in the ransom notes. The GUI nature of the encrypter suggests a focus on user-friendliness for affiliates.

* Disabling Backup and Recovery: Using commands like vssadmin.exe delete shadows /all /quiet and wmic.exe shadowcopy delete to remove Volume Shadow Copies, hindering data recovery. They also disable Data Execution Prevention (DEP) using bcdedit.exe /set {current} nx alwaysoff.

Targets or Victimology

Hunters International exhibits opportunistic targeting, impacting a wide range of industries and geographic locations. There is no specific industry focus, but the group has demonstrated a global reach, with victims in the United States, United Kingdom, Germany, Japan, Brazil, and numerous other countries. Notably, there have been no known attacks linked to Russia, which is a common exclusion for some cybercriminal groups.

Targeted Industries:

Geographic Scope:

The group's focus on data exfiltration suggests a motivation driven by financial gain, leveraging the stolen data for extortion. The broad range of industries indicates an opportunistic approach, likely relying on affiliates to exploit vulnerabilities wherever they are found. The potential impact of a successful attack includes data breaches, operational disruption, financial losses, and reputational damage.

Attack Campaigns

Several notable attack campaigns have been attributed to Hunters International:

These incidents demonstrate the group's capability to compromise organizations of varying sizes and industries, underscoring the widespread threat they pose. The double extortion tactic, combined with the potential for significant data leaks, makes Hunters International a particularly dangerous adversary.

Defenses

Protecting against Hunters International requires a multi-layered defense strategy, focusing on both prevention and detection:

Organizations need a robust cyber incident response plan to defend against any cyber attacks. https://thesecmaster.com/what-is-cyber-incident-response-plan-what-should-a-cirp-have

Conclusion

Hunters International represents a significant and evolving threat in the ransomware landscape. Its origins, potentially linked to the dismantled Hive operation, its use of advanced tactics, including data exfiltration and vulnerability exploitation, and its global reach make it a formidable adversary. The group's rapid development and adoption of the Rust programming language highlight its commitment to innovation and evasion. Organizations must adopt a proactive, multi-layered defense strategy, combining robust security controls, user awareness training, and continuous monitoring, to effectively mitigate the risk posed by Hunters International and similar RaaS groups. Staying informed about the group's latest TTPs and leveraging threat intelligence are crucial for maintaining a strong security posture in the face of this persistent threat.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: