Hunters International emerged in late 2023, in the months following the disruption of the Hive ransomware group by international law enforcement. The group first made headlines in October 2023 by naming its initial victim on a dedicated leak site. Since then, it has consistently listed approximately 15 new victims each month. Notably, Hunters International’s leak site differentiates between victims based on the nature of the attack: whether their data was stolen, their systems were encrypted, or both.
Operating under a Ransomware-as-a-Service (RaaS) model, the rapidly rising group exhibits technical and operational tactics resembling those of Hive, leading to speculation that it may be an evolution or offshoot of the dismantled group. In response to these claims, the group has stated that it is not merely a new version of Hive but an independent entity that has acquired Hive’s source code and infrastructure.
The group appears to have streamlined Hive’s ransomware by reducing command-line options and simplifying encryption key management. The encryptor is written in Rust, as were later Hive builds; Rust’s performance speeds up encryption, and Rust binaries remain less familiar to many analysis tools and analysts, which helps the malware evade detection. Additionally, the ransomware stores the encryption key material inside each encrypted file rather than in a separate key file, as Hive did. This gives the operators’ decryptor everything it needs on a per-file basis and makes recovery straightforward for victims who pay; it offers defenders no advantage, since the embedded key material can only be recovered with the operators’ private key.
Now established as a major player in the ransomware ecosystem, Hunters International focuses primarily on stealing data rather than encrypting it, which sets their approach apart from Hive’s.
The group adopts an opportunistic strategy, targeting a wide range of industries globally, including healthcare, automotive, manufacturing, logistics, finance, education, and food. Its indiscriminate victimology underscores an intent to maximise impact and financial gain, posing a significant threat to organisations of all sizes and sectors worldwide. Notably, the group has targeted numerous countries, including Japan, the US, the UK and Germany, but has never claimed or been linked to attacks on Russia.
Information about the tactics, techniques, and procedures (TTPs) used in Hunters International ransomware deployments is limited, and as with any RaaS operation, individual affiliates bring their own initial-access and lateral-movement tradecraft. In August 2024, it was reported that the group uses a custom C# tool called SharpRhino. This tool masquerades as a legitimate Nullsoft installer for the Angry IP Scanner network scanning tool but functions as a remote access trojan (RAT). It maintains persistence by modifying the registry and installing itself in multiple locations so that removing one copy does not remove the foothold.
Investigations into Hunters International revealed ties to Nigeria through domain registrations and email addresses. However, the group employs deceptive tactics to obscure its identity, including reviving old websites under false pretences. This mix of real and fake identities complicates efforts to pinpoint its origins and operations.
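The persistence behaviour described above, a RAT registering itself through the registry in more than one place, lends itself to a simple hunt over endpoint telemetry. The Python below is an added example, not code from the original post and not a published SharpRhino signature: it runs over a few constructed Sysmon Event ID 13 (registry value set) style records and flags autorun registrations that point into user-writable paths or that register the same binary under more than one autorun key. The autorun key list, the writable-path heuristic, the allowlist and every host, file and value name in the sample data are assumptions for illustration.

```python
"""Hunt for redundant or suspicious autorun registrations in registry telemetry.

Added example, not from the original post. The records below are constructed
and modelled on Sysmon Event ID 13 fields (Image, TargetObject, Details); the
key list, path heuristic and allowlist are this example's assumptions.
"""
import re
from collections import defaultdict

# Assumption: the classic per-user and per-machine Run/RunOnce keys.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)

# Assumption: locations an unprivileged user can write to. Tune per estate.
WRITABLE_PATH_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)", re.I)

# Assumption: known-good autoruns that legitimately live under AppData.
ALLOWLIST = (
    r"\appdata\local\microsoft\onedrive\onedrive.exe",
)

# Constructed telemetry. Paths and value names are invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\explorer.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"host": "WS01", "image": r"C:\Users\alice\Downloads\angry-ip-scanner-setup.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc_update",
     "details": r'"C:\Users\alice\AppData\Roaming\example\helper.exe" -q'},
    {"host": "WS01", "image": r"C:\Users\alice\Downloads\angry-ip-scanner-setup.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc_update",
     "details": r'"C:\Users\alice\AppData\Roaming\example\helper.exe" -q'},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\ProgramData\vendor\updater.exe"},
    {"host": "WS01", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Example\Setting",
     "details": "1"},
]


def is_autorun_key(target: str) -> bool:
    """True when the written registry value sits under a Run/RunOnce key."""
    return AUTORUN_KEY_RE.search(target) is not None


def binary_from_command(cmd: str) -> str:
    """Extract the executable path from a command line, handling quoted paths."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)).lower() if m else cmd.strip().lower()


def in_user_writable_path(path: str) -> bool:
    """Heuristic: does the registered binary live somewhere a user can write?"""
    if any(path.lower().endswith(a) for a in ALLOWLIST):
        return False
    return WRITABLE_PATH_RE.search(path) is not None


def hunt_autorun_persistence(events):
    """Return autorun registrations that trip at least one heuristic.

    Each finding carries the list of reasons so an analyst can triage:
    - user_writable_target: registered binary is under a user-writable path
    - redundant_registration: the same binary is registered under more than
      one autorun key on the same host (the redundancy pattern in the text)
    """
    autorun = [e for e in events if is_autorun_key(e["target"])]

    # Group autorun keys by (host, binary) to spot one payload under several keys.
    keys_by_binary = defaultdict(set)
    for e in autorun:
        keys_by_binary[(e["host"], binary_from_command(e["details"]))].add(e["target"])

    findings = []
    for e in autorun:
        binary = binary_from_command(e["details"])
        reasons = []
        if in_user_writable_path(binary):
            reasons.append("user_writable_target")
        if len(keys_by_binary[(e["host"], binary)]) > 1:
            reasons.append("redundant_registration")
        if reasons:
            findings.append({"host": e["host"], "target": e["target"],
                             "binary": binary, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_autorun_persistence(SAMPLE_EVENTS):
        print(f["host"], f["target"], f["binary"], ",".join(f["reasons"]))
```

Run against the constructed records, the two registrations of helper.exe are flagged for both reasons, the ProgramData updater is flagged only for its location, and the allowlisted OneDrive entry and the System32 entry pass. In a real estate the input would come from Sysmon or EDR registry telemetry, and the allowlist would grow quickly; the redundancy check is the more durable of the two signals because legitimate installers rarely register the same binary under several autorun keys.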
Hunters International exemplifies the ongoing and evolving nature of cyber threats. Organisations should adopt a proactive and comprehensive cybersecurity strategy, including regular data backups, employee training, robust cybersecurity frameworks, and collaboration with law enforcement and threat intelligence sharing to mitigate these threats effectively.
1. Strengthen Employee Cybersecurity Awareness:
Conduct regular training sessions to educate employees about current phishing techniques and other social engineering tactics used by ransomware affiliates. Emphasise the importance of cautious online behaviour, such as scrutinising unexpected emails and avoiding suspicious links, to minimise the risk of initial compromise.
2. Implement Robust Data Backup and Recovery Solutions:
Regularly create offline or immutable backups of critical data and ensure backup procedures are rigorously tested for reliability and quick restoration. This approach minimises operational disruption and reduces the pressure to pay the ransom if systems are encrypted. Bear in mind that backups restore availability but do nothing against extortion based on stolen data, which is this group’s primary lever; monitoring for bulk data staging and unusual outbound transfers matters just as much.
3. Employ Endpoint Detection and Response (EDR) Tools:
Deploy EDR solutions that can detect, analyse, and respond to suspicious activities across all endpoints in real time. These tools help identify and contain ransomware attacks in their early stages, limiting potential damage. For further reading on EDR, see our latest blog on “The Hidden Costs of False Positives in Endpoint Detection and Response.”
4. Regularly Update and Patch Systems:
Ensure all systems, software, and applications are regularly updated and patched to close known vulnerabilities that ransomware groups often exploit. This simple yet effective practice can significantly reduce the attack surface.
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. Our approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations that cater to our customer’s specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Discover our tailored services and find out why we are the preferred security partner for FTSE 350 firms.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.