Hunters International Ransomware Report

Overview

Hunters International is a Ransomware-as-a-Service (RaaS) brand that emerged in Q3 of 2023 following the detection of source code that contained similarities with that of the notorious Hive ransomware strain. Initial malware analysis revealed that the Hunters International ransomware code contains an approximate 60% overlap with samples of Hive ransomware version 61. Based on the technical analysis of the malware, it has been assessed that there is a realistic possibility that the ransomware has been deployed in an operation attributed to members of the recently disrupted Hive cartel. In response to recent reporting, the Hunters International ransomware group has denied any affiliation with the Hive operation.

Intelligence indicates that Hunters International ransomware operates with the primary objective of exfiltrating target data and subsequently extorting victims with a ransom demand in exchange for the return of the stolen data. Such an attack chain was reported to have been implemented against one of the initial victims of the Hunters International ransomware operation. The attack involved the targeting of a plastic surgery clinic in the US, which resulted in the exfiltration of data pertaining to approximately 248,000 files including those of the patients’ names and addresses.

The Hunters International’s encryptor appends the “.LOCKED” extension to target files and the threat actors have been detected to have placed files in directories with the naming convention of “Contact Us.txt”3. These files contain instructions regarding how the victim can contact the threat actor group on the dark web to initiate the negotiation process.

Impact

Successful exploitation by Hunters International ransomware will almost certainly result in the exfiltration of significant quantities of data held on the compromised system, prior to a ransom of a predetermined value being issued. The ransom quantity demanded will almost certainly depend on the estimated value of the compromised organisation. Furthermore, it has been assessed to be highly likely that such a compromise of data will also result in the target organisation incurring a negative reputational impact. Exfiltrated data may include private customer data, corporate finance data and system credentials that if released can assist threat actors with future attacks.

Incident Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as that implemented by Hunters International ransomware. EDR solutions can alert system users of potential breaches and stop further progress before the malware can do significant damage. If an EDR solution is not being utilised, the first instance of detection is likely to be the Hunters International ransom note. The note will be labelled with the following file extension: “Contact Us.txt”.