New Ransomware-as-a-Service Brand Emerges, Potentially Linked to Hive Ransomware

A new ransomware-as-a-service brand known as Hunters International has recently surfaced, raising suspicions that the former Hive ransomware gang has resumed its criminal activities under a different name. This theory gains support from a thorough analysis of the new encryptor, revealing significant code overlaps with the Hive ransomware operation.

Upon examining a sample of the Hunters International malware, security researchers discovered a remarkable similarity to the code used in Hive ransomware attacks. Moreover, code overlaps and similarities were identified, accounting for over 60% of the code found in Hive ransomware.

Although the Hunters International group denies these allegations, claiming to be a new player on the ransomware scene that purchased the encryptor source code from the Hive developers, security researchers remain skeptical. Hunters International argues that they have fixed mistakes present in Hive’s code, which in certain cases made decryption impossible. They assert that their primary objective is not encryption but rather stealing data to use as leverage when extorting victims to pay the ransom.

Analysis of the Hunters International encryptor conducted by BleepingComputer revealed that it appends the “.LOCKED” extension to encrypted files. Additionally, the malware leaves a plaintext file named “Contact Us.txt” in each affected folder, instructing victims to contact the attacker through a specific login-protected chat page on the Tor network.
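The two file-system artifacts named above (the “.LOCKED” extension and the “Contact Us.txt” note in every affected folder) are exactly what a defender can watch for on a file server. The script below is an added illustration, not code from the article or from any of its sources: it parses a handful of constructed file-server events, counts per host how many files were renamed to “.LOCKED” and in how many distinct folders a “Contact Us.txt” was created, and raises an alert when either indicator fires. The event format, the host names and the rename threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the article: encrypted files receive a ".LOCKED" extension
# and a ransom note named "Contact Us.txt" is dropped in each affected folder.
LOCKED_EXT = ".LOCKED"
RANSOM_NOTE = "Contact Us.txt"
RENAME_THRESHOLD = 3  # assumption: .LOCKED renames on one host before we alert

# Constructed sample file-server events (not real telemetry), one per line:
# "<timestamp> <host> <action> <path>[ -> <new path>]"
SAMPLE_EVENTS = """\
2023-10-20T09:01:02Z fs01 RENAME C:\\Shares\\HR\\payroll.xlsx -> C:\\Shares\\HR\\payroll.xlsx.LOCKED
2023-10-20T09:01:02Z fs01 RENAME C:\\Shares\\HR\\contracts.docx -> C:\\Shares\\HR\\contracts.docx.LOCKED
2023-10-20T09:01:03Z fs01 CREATE C:\\Shares\\HR\\Contact Us.txt
2023-10-20T09:01:03Z fs01 RENAME C:\\Shares\\Finance\\q3.pdf -> C:\\Shares\\Finance\\q3.pdf.LOCKED
2023-10-20T09:01:04Z fs01 CREATE C:\\Shares\\Finance\\Contact Us.txt
2023-10-20T09:05:00Z ws07 CREATE C:\\Users\\alice\\notes.txt
2023-10-20T09:06:00Z ws07 RENAME C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>RENAME|CREATE) (?P<rest>.+)$")


def parse_event(line):
    """Split one event line into its fields; RENAME carries an old and a new path."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev["action"] == "RENAME":
        src, _, dst = ev["rest"].partition(" -> ")
        ev["path"], ev["new_path"] = src, dst
    else:
        ev["path"], ev["new_path"] = ev["rest"], None
    return ev


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def dirname(path):
    return path.replace("\\", "/").rsplit("/", 1)[0]


def analyze(text):
    """Return per-host counters and an alert flag for the two indicators."""
    per_host = defaultdict(lambda: {"locked_renames": 0, "note_dirs": set(), "first_seen": None})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        st = per_host[ev["host"]]
        if ev["action"] == "RENAME" and ev["new_path"].endswith(LOCKED_EXT):
            st["locked_renames"] += 1
            st["first_seen"] = st["first_seen"] or ev["ts"]
        elif ev["action"] == "CREATE" and basename(ev["path"]) == RANSOM_NOTE:
            st["note_dirs"].add(dirname(ev["path"]))
            st["first_seen"] = st["first_seen"] or ev["ts"]
    for st in per_host.values():
        # A single ransom note is already high-confidence; mass renames need a threshold
        # so that a user renaming one file to ".LOCKED" by hand does not page anyone.
        st["alert"] = st["locked_renames"] >= RENAME_THRESHOLD or bool(st["note_dirs"])
    return dict(per_host)


if __name__ == "__main__":
    for host, st in analyze(SAMPLE_EVENTS).items():
        print(host, "ALERT" if st["alert"] else "ok", st["locked_renames"], sorted(st["note_dirs"]))
```

On the constructed events, fs01 trips both indicators (three “.LOCKED” renames and ransom notes in two folders) while ws07, whose activity is ordinary file handling, stays quiet. The same logic maps directly onto file-audit telemetry from a SIEM; the extension and note name are the only pieces that are specific to this family.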

While Hunters International has only disclosed one victim on their data leak site—a school in the UK, from which they claim to have stolen nearly 50,000 files containing information about students, teachers, as well as network and web credentials—it remains uncertain what the future holds for the group.

The Hive ransomware gang ceased operations after its Tor payment and data leak site were seized in an international operation coordinated by the FBI in January. This disruption was made possible by infiltrating the gang’s infrastructure and monitoring their activity for six months. The FBI estimates that the gang breached more than 1,300 companies and received approximately 0 million in ransom payments. As a result of their efforts, the FBI was able to provide over 1,300 decryption keys to Hive ransomware victims.

Definitions:
– Ransomware-as-a-Service (RaaS): A model where cybercriminals rent or sell ransomware to other malicious actors, who then carry out attacks using the provided tools and infrastructure.
– Encryptor: The component of ransomware that encrypts a victim’s files to render them inaccessible until a ransom is paid.
– Code overlap: The presence of similar or identical sections of code between two different software programs, indicating a potential relationship or shared origins.
– Tor: The Tor network enables anonymous communication on the internet, providing a means for users to browse and communicate without revealing their identity or location.
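The “over 60% of the code” figure reported for Hunters International, and the “code overlap” definition above, rest on the idea of measuring how much of one binary reappears in another. The following is an added, deliberately simplified illustration of that measurement, not the method the researchers cited in the article used: it fingerprints every overlapping 8-byte window of two constructed byte strings (stand-ins for the two encryptors, not real malware bytes) and reports what fraction of the reference sample’s windows also occur in the candidate. Real code-overlap analysis works on disassembled functions rather than raw bytes, but the shape of the comparison is the same.

```python
import hashlib

# Constructed stand-ins for the two binaries (not real malware). The "shared routines"
# region models code inherited from Hive; the surrounding bytes model routines unique
# to each build. The shared region sits at a different offset in each sample, which is
# why a whole-file hash would report them as unrelated.
SHARED_ROUTINES = bytes(range(0, 200)) * 3
HIVE_LIKE = b"hive-only-routine-a-" + SHARED_ROUTINES + b"-hive-only-routine-b"
HUNTERS_LIKE = b"new-loader-" + b"exfil-stub-" + SHARED_ROUTINES + b"-rewritten-decrypt-path"
# A third sample built from a disjoint byte range, so it shares no window with HIVE_LIKE.
UNRELATED = b"UNRELATED" + bytes(range(200, 256)) * 4 + b"END"


def fingerprints(data, n=8):
    """Hash every overlapping n-byte window of the input.

    Overlapping windows make the match independent of where the shared code lands
    in the file; the set drops duplicates so repeated code is not over-counted.
    """
    return {hashlib.sha256(data[i:i + n]).digest() for i in range(len(data) - n + 1)}


def overlap_ratio(reference, candidate, n=8):
    """Fraction of the reference's distinct windows that also occur in the candidate,
    i.e. "how much of sample A's code is found in sample B"."""
    ref, cand = fingerprints(reference, n), fingerprints(candidate, n)
    return len(ref & cand) / len(ref) if ref else 0.0


def classify(reference, candidate, threshold=0.6):
    """Label the pair using the 60% figure quoted in the article as the cut-off."""
    ratio = overlap_ratio(reference, candidate)
    return ("likely shared lineage" if ratio >= threshold else "no significant overlap"), ratio


if __name__ == "__main__":
    for name, sample in (("hunters-like", HUNTERS_LIKE), ("unrelated", UNRELATED)):
        label, ratio = classify(HIVE_LIKE, sample)
        print(f"{name:13s} {ratio:.2f} {label}")
```

Because the window set is position-independent, the inherited region is found even though each sample wraps it in different unique code; the unrelated sample scores zero. The threshold is the article’s own figure and is only a label boundary here, not a forensic standard.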

Sources:
– Rivitna (@Rivitna) on Twitter
– Bushido Token (@BushidoToken) on Twitter
– Hunters International ransomware analysis by BleepingComputer
– MalwareHunterTeam (@malwrhunterteam) on Twitter
– FBI’s international operation against Hive ransomware operation

The post New Ransomware-as-a-Service Brand Emerges, Potentially Linked to Hive Ransomware appeared first on Fagen Wasanni Technologies.
