During a recent ransomware incident investigated by the Quorum Cyber Incident Response team, a malware variant linked to the ThunderShell malware family was identified. The team’s analysts have attributed the malware, named SharpRhino, to Hunters International, a prominent threat actor group believed to be affiliated with Russia.

The conclusion is based on the tactics, techniques, and procedures (TTPs) observed during a ransomware investigation, as well as the cybercriminal group’s ransom note.

The malware, utilised by the threat actor as an initial infection vector and subsequent Remote Access Trojan (RAT), represents an evolution in the TTPs of Hunters International. This research demonstrates that, despite a clampdown by international law enforcement agencies this year, Ransomware-as-a-Service (RaaS) threat groups are continuing to develop their capabilities.

About Hunters International

First observed on 20th October 2023, Hunters International has carved out a significant portion of the threat landscape, becoming the 10th most active ransomware group in 2024. Many experts in the cyber intelligence community have attributed the group to the now-defunct, Russia-based Hive ransomware group because of compelling similarities in the ransomware source code. Hunters International disputes this claim.

Whatever its origins, the cybercrime group has claimed responsibility for 134 attacks in the first seven months of 2024. It has positioned itself as a Ransomware-as-a-Service (RaaS) provider, supplying other, potentially less sophisticated, threat actors with tooling to conduct attacks they would otherwise have been unable to carry out alone. Arguably, this evolution into a RaaS provider is the single biggest reason Hunters International has fast-tracked to international notoriety.

Targeting profile

Like most organised ransomware groups, Hunters International is financially motivated. There is no evidence that the group targets any specific sector; its victims have instead been opportunistic. So far the group has avoided targeting any organisation based within the Russian-influenced Commonwealth of Independent States (CIS), which is further evidence of its affiliation with Russia.

How SharpRhino works

Named SharpRhino due to its use of the C# programming language, the malware is delivered through a typosquatting domain impersonating the legitimate tool Angry IP Scanner. On execution, it establishes persistence and provides the attacker with remote access to the device, which is then utilised to progress the attack. Using previously unseen techniques, the malware periodically receives commands from an attacker-controlled server to execute on the infected device. This provides the attacker with the granular control required to launch a sophisticated ransomware attack.

Typical of ransomware operators, Hunters International exfiltrates data from victim organisations prior to encrypting files, changing file extensions to .locked, and leaving a README message guiding recipients to a chat portal on the TOR network for payment instructions.
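The encryption stage described above leaves two observable traces on a host: a burst of files renamed to the .locked extension and a dropped README note. The following detection sketch is an added example, not code from the Quorum Cyber report; the event format, the window and threshold values, and the sample events are all constructed assumptions.

```python
"""Flag hosts whose file activity matches a .locked rename burst plus a
README drop. Event schema, thresholds and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity events: (timestamp, host, action, resulting path)
SAMPLE_EVENTS = [
    ("2024-07-01T02:00:00", "ws01", "rename", r"C:\Share\q1.xlsx.locked"),
    ("2024-07-01T02:00:01", "ws01", "rename", r"C:\Share\q2.xlsx.locked"),
    ("2024-07-01T02:00:02", "ws01", "rename", r"C:\Share\plan.docx.locked"),
    ("2024-07-01T02:00:03", "ws01", "rename", r"C:\Share\notes.txt.locked"),
    ("2024-07-01T02:00:04", "ws01", "rename", r"C:\Share\img.png.locked"),
    ("2024-07-01T02:00:05", "ws01", "create", r"C:\Share\README.txt"),
    ("2024-07-01T09:15:00", "ws02", "rename", r"C:\Users\a\draft.locked"),  # one-off
    ("2024-07-01T09:15:30", "ws02", "create", r"C:\Users\a\README.md"),    # developer file
]

RENAME_THRESHOLD = 5            # .locked renames inside WINDOW that trigger an alert
WINDOW = timedelta(seconds=60)  # sliding window; tune to the environment's write rate

def detect_locked_burst(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {host: {"renames": total, "readme": bool}} for every host that
    exceeds `threshold` renames to .locked within one sliding `window`."""
    by_host = defaultdict(list)
    readme_hosts = set()
    for ts, host, action, path in events:
        name = path.rsplit("\\", 1)[-1].lower()
        if action == "rename" and name.endswith(".locked"):
            by_host[host].append(datetime.fromisoformat(ts))
        elif action == "create" and name.startswith("readme"):
            readme_hosts.add(host)
    hits = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = {"renames": len(times), "readme": host in readme_hosts}
                break
    return hits

if __name__ == "__main__":
    print(detect_locked_burst(SAMPLE_EVENTS))  # {'ws01': {'renames': 5, 'readme': True}}
```

A lone README or a single .locked rename (host ws02) does not fire; the two indicators are only reported together, which keeps developer repositories out of the alert queue.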

The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering. This choice is in line with the evolution observed in ransomware development, with notable examples including both Hive and BlackCat.

Learn more about SharpRhino

Read Quorum Cyber’s free SharpRhino report to find the full details of the Threat Intelligence team’s analysis of the malware and its capabilities, and for a strategic outline of Hunters International. The report contains MITRE ATT&CK mapping, as well as Indicators of Compromise (IoCs) related to SharpRhino and Hunters International.

You can browse Quorum Cyber’s full collection of malware reports, threat actor profiles and Threat Intelligence bulletins on the website.

Contact us

Get in touch with us on 03334440041 or [email protected] if you have any questions about this discovery, or want to discuss Quorum Cyber’s cybersecurity or data security services.
