About This Threat Profile

First Identified: 2023

Operation style:
Ransomware-as-a-Service (RaaS). The affiliate payment structure is unknown, but it is likely similar to that of other RaaS operations (an 80/20 split).

Extortion method:
Double extortion: the traditional ransomware extortion method (encryption) is combined with exfiltration of the victim's sensitive data, and the group threatens to leak that data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry: Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Known Associations: Hive Ransomware

Description

Hunters International ransomware was first reported in October 2023 and uses the double extortion method: victim data is stolen and is leaked via a data leak site if the ransom demand is not paid. The ransomware is written in Rust. Researchers report that Hunters International and the former Hive ransomware operation are likely related, possibly a rebrand, with at least a 60% overlap in code. However, the Hunters International operators have announced via their data leak site that they are not a rebrand of the Hive operation but rather purchased the code from the former group.

For encryption, Hunters International uses a hybrid scheme: files are encrypted with ChaCha20-Poly1305, and the symmetric key is wrapped with RSA-OAEP and embedded within the encrypted file, so the file key can only be recovered with the operators' RSA private key. Hunters International does not always encrypt a victim's environment; in some intrusions it opts for exfiltration and extortion alone. It is not known what factors drive the decision to encrypt or not encrypt.

Hunters International targets both Windows and Linux environments for data exfiltration and encryption. When encryption is used, it appends a “.LOCKED” or “.lock” extension to the encrypted files on a victim machine. Once the threat actors have gained initial access, they attempt to kill processes and services, then execute commands to delete backups and disable recovery mechanisms. The ransomware then iterates through local and mapped drives, as well as network shares discovered through the NetServerEnum and NetShareEnum APIs, encrypting the files it finds.
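The pre-encryption steps described above (service and process termination, backup deletion and recovery tampering, followed by files being renamed with a “.LOCKED” or “.lock” extension) map directly onto a host-triage check. The following is an added example written for this profile; it is not Blackpoint's code and not the threat actor's. The specific command strings it matches (vssadmin, wmic shadowcopy, wbadmin, bcdedit, net stop, sc stop, taskkill) are an assumption: they are the common way ransomware families perform these steps, but the profile does not state which commands Hunters International runs. The host names, paths and events are constructed sample telemetry.

```python
import re
from collections import defaultdict
from typing import Iterable

# Command-line patterns that commonly precede encryption. These exact strings are an
# ASSUMPTION (generic ransomware tradecraft), not commands attributed to this group.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "service_or_process_kill": re.compile(
        r"\b(?:net(?:\.exe)?|sc(?:\.exe)?)\s+stop\b|taskkill(?:\.exe)?\s+.*\s/f\b", re.I),
}

# Extensions the profile reports on encrypted files. ".lock" is also used by benign
# lock files, so a single hit is noise; only a burst on one host is worth alerting on.
RANSOM_EXTENSIONS = (".locked", ".lock")
BURST_THRESHOLD = 5


def classify_command(cmdline: str) -> list[str]:
    """Return the recovery-tamper categories a single process command line matches."""
    return [name for name, pat in RECOVERY_TAMPER_PATTERNS.items() if pat.search(cmdline)]


def has_ransom_extension(path: str) -> bool:
    """Case-insensitive match on the reported '.LOCKED' / '.lock' suffixes."""
    return path.lower().endswith(RANSOM_EXTENSIONS)


def triage(process_events: Iterable[dict], file_events: Iterable[dict]) -> dict[str, dict]:
    """Correlate per host: which tamper categories fired and how many files were renamed
    to a ransom extension. Verdict is 'likely_encryption' when both signals are present,
    'recovery_tamper' for commands alone and 'extension_burst' for renames alone.
    Hosts with neither tamper commands nor a rename burst are dropped as noise."""
    findings: dict[str, dict] = defaultdict(lambda: {"tamper": set(), "renamed": 0})
    for ev in process_events:
        for cat in classify_command(ev["cmdline"]):
            findings[ev["host"]]["tamper"].add(cat)
    for ev in file_events:
        if has_ransom_extension(ev["path"]):
            findings[ev["host"]]["renamed"] += 1

    report = {}
    for host, f in findings.items():
        burst = f["renamed"] >= BURST_THRESHOLD
        if f["tamper"] and burst:
            verdict = "likely_encryption"
        elif f["tamper"]:
            verdict = "recovery_tamper"
        elif burst:
            verdict = "extension_burst"
        else:
            continue
        report[host] = {"tamper": sorted(f["tamper"]), "renamed": f["renamed"], "verdict": verdict}
    return report


# Constructed sample telemetry (hypothetical hosts and paths, not real victim data).
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "FS01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS22", "cmdline": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"host": "WS22", "cmdline": "sc stop Spooler"},  # lone service stop, no rename burst
]
SAMPLE_FILE_EVENTS = (
    [{"host": "FS01", "path": f"D:\\Finance\\Q3\\ledger_{i}.xlsx.LOCKED"} for i in range(6)]
    + [{"host": "FS01", "path": "D:\\Finance\\README.txt"}]
    + [{"host": "DEV03", "path": "/home/dev/repo/.git/index.lock"}]  # benign lock file
)

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS).items():
        print(host, finding)
```

Run against the constructed events, FS01 is reported as likely_encryption (four tamper categories plus six “.LOCKED” renames), WS22 surfaces only as recovery_tamper because a lone `sc stop` has no accompanying file activity, and DEV03 is dropped: one `.git/index.lock` is exactly the benign collision the burst threshold exists to suppress. Tune BURST_THRESHOLD and the patterns to your own telemetry; the categories are deliberately separate so that shadow-copy deletion can be escalated on its own even when no rename burst has been seen yet.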

In February 2024, security researchers identified that the domain “huntersinternational[.]org” had been a legitimate, active domain from 2017 to 2021 before being deactivated. The threat actors reactivated the domain in January 2024 to launch the data leak site, registering it under the fake identity “Mihail Kolesnikov”. The same name has previously been observed on Rilide infostealer and Snatch ransomware phishing domains.

In 2024, security researchers with Quorum Cyber reported a Hunters International custom backdoor, SharpRhino. SharpRhino reportedly carried a valid code-signing certificate and masqueraded as the legitimate tool AngryIP. SharpRhino is an NSIS (Nullsoft Scriptable Install System) packed executable.

Subscribe to the Blackpoint Blog