Severity
High
Analysis Summary
A new ransomware-as-a-service (RaaS) operation calling itself Hunters International has emerged. It uses the code of the Hive ransomware operation, which has led cybersecurity experts to suspect that the old ransomware gang has resumed activity under a new name. Several code overlaps between the two support this theory.
The malware analyst who first spotted the new encryptor noticed a striking resemblance between a Hunters International sample and the code used in Hive ransomware attacks, and concluded that it is a new sample of Hive ransomware version 6.

Another researcher reported finding Hive ransomware strings retained in the Hunters International code. On closer inspection, code overlaps and similarities were found that match over 60% of the Hive ransomware's code. Despite this, the Hunters International group denied these "allegations", saying that they are a brand-new ransomware service and only purchased the source code from the Hive developers.
“All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them,” said the Hunters International gang.
They also claim that Hive's code contained various errors that they fixed, such as a bug that left decryption unavailable in some cases. They further stated that encryption is not their main goal; their operations focus more on stealing data as a way to force victims to pay the ransom demand.
Further analysis shows that Hunters International's encryptor appends the '.locked' extension to processed files. When encryption is complete, it drops a plaintext file named 'Contact Us.txt' in each directory containing instructions for contacting the attacker over Tor via a chat page with login credentials specific to each victim.
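The two on-disk artifacts described above (the '.locked' extension and the 'Contact Us.txt' note in every processed directory) are enough for a simple host-side sweep. The following is an added example written for this advisory, not code from Rewterz or from the analysts cited; it walks a directory tree, counts '.locked' files, and flags directories where the note sits beside them. The sample tree it scans is constructed in a temporary directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory: encrypted files carry the '.locked'
# extension and a plaintext note named 'Contact Us.txt' is dropped in each
# processed directory.
LOCKED_EXT = ".locked"
RANSOM_NOTE = "Contact Us.txt"


def scan_tree(root):
    """Walk `root` and report Hunters International encryption artifacts.

    Returns a dict with the number of '.locked' files, the directories that
    contain the ransom note, and the directories where '.locked' files sit
    next to the note (the strongest signal that the encryptor ran there).
    """
    root = Path(root)
    report = {"locked_files": 0, "note_dirs": [], "hit_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        locked_here = sum(1 for f in filenames if f.endswith(LOCKED_EXT))
        has_note = RANSOM_NOTE in filenames
        report["locked_files"] += locked_here
        rel = str(Path(dirpath).relative_to(root))
        if has_note:
            report["note_dirs"].append(rel)
        if has_note and locked_here:
            report["hit_dirs"].append(rel)
    report["note_dirs"].sort()
    report["hit_dirs"].sort()
    report["suspected_encryption"] = bool(report["hit_dirs"])
    return report


def build_sample_tree():
    """Create a constructed sample tree (not real victim data) for a dry run."""
    base = Path(tempfile.mkdtemp(prefix="hunters_demo_"))
    (base / "finance").mkdir()
    (base / "finance" / "q3.xlsx.locked").write_bytes(b"\x00" * 16)
    (base / "finance" / "budget.docx.locked").write_bytes(b"\x00" * 16)
    (base / "finance" / RANSOM_NOTE).write_text("constructed note\n")
    (base / "hr").mkdir()
    (base / "hr" / "readme.txt").write_text("untouched\n")
    (base / "archive").mkdir()
    # renamed file but no note yet: counted, not treated as a confirmed hit
    (base / "archive" / "old.zip.locked").write_bytes(b"\x00" * 16)
    return base


def demo():
    """Scan the constructed tree and return the report."""
    return scan_tree(build_sample_tree())
```

Run `demo()` against the constructed tree to see the report; point `scan_tree` at a mounted image or a suspect share to use it for real.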

Currently, their data leak website lists only one victim, a school in the UK from which the attackers claim to have stolen almost 50,000 files, including students' and teachers' data as well as web and network credentials. This suggests that the group is not yet very active.
It is unclear whether the Hive ransomware gang sold its source code to other cybercriminals, but the gang's operations came to a halt when its Tor payment and data leak websites were seized back in January by the FBI, which had been monitoring the gang's activity for six months, since July 2022.
Impact
- Financial Loss
- File Encryption
- Sensitive Data Theft
Remediation
- Implement strong email security measures, including spam filters and anti-phishing solutions, to prevent phishing emails that often serve as initial attack vectors for ransomware.
- Keep all software, including operating systems and applications, up to date with the latest security patches and updates to close vulnerabilities that ransomware may exploit.
- Regularly back up critical data and systems, and store backups offline.
- Employ network segmentation to isolate critical systems and limit lateral movement by attackers in case of a breach.
- Deploy strong endpoint security solutions that can detect and respond to malicious activities on devices within the network.
- Implement the principle of least privilege to limit user and system access to only what is necessary for their roles, reducing the impact of a breach.
- Use SIEM solutions to monitor network traffic for unusual or suspicious activities that may indicate a ransomware attack.
- Implement MFA for access to critical systems and accounts to enhance security.
- Develop and regularly test an incident response plan to ensure a coordinated and effective response in case of a ransomware attack.
- Educate users about the risks associated with ransomware, emphasizing the importance of not paying ransoms and reporting incidents promptly.
- Conduct regular vulnerability assessments and penetration testing to identify and address weaknesses in your systems and networks.
- Block all threat indicators at your respective controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Emails from unknown senders should always be treated with caution.