Hunters International Ransomware Report

Overview

Hunters International is a Ransomware-as-a-Service (RaaS) brand that emerged in Q3 of 2023 following the detection of source code that resembled that of the notorious Hive ransomware strain. Initial malware analysis revealed that the Hunters International ransomware code has approximately 60% overlap with samples of Hive ransomware version 6. Based on the technical analysis of the malware, it has been assessed that there is a realistic possibility that the ransomware has been deployed in an operation attributed to members of the recently disrupted Hive cartel. In response to recent reporting, the Hunters International ransomware group has denied any affiliation with the Hive operation.

Intelligence indicates that Hunters International ransomware operates with the primary objective of exfiltrating target data and subsequently extorting victims with a ransom demand in exchange for the return of the stolen data. Such an attack chain was reported to have been used against one of the initial victims of the Hunters International ransomware operation. The attack targeted a plastic surgery clinic in the US and resulted in the exfiltration of data pertaining to approximately 248,000 files, including patients’ names and addresses.

The Hunters International encryptor appends the “.LOCKED” extension to target files, and the threat actors have been observed placing files named “Contact Us.txt” in directories. These files contain instructions on how the victim can contact the threat actor group on the dark web to initiate the negotiation process.
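The two file-system indicators described above can be correlated per directory in file-event telemetry. The following Python is an added example, not code from the report; the event tuple format, the sample events and the threshold of three files are assumptions.

```python
import ntpath
from collections import defaultdict

NOTE_NAME = "contact us.txt"   # ransom note file name given in the report
LOCKED_EXT = ".locked"         # extension the encryptor appends
MIN_LOCKED = 3                 # assumed threshold; tune per environment

# Constructed sample events: (host, action, full path). Not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", "create", r"D:\Shares\Finance\q3.xlsx.LOCKED"),
    ("FS01", "create", r"D:\Shares\Finance\payroll.docx.LOCKED"),
    ("FS01", "create", r"D:\Shares\Finance\budget.pdf.locked"),
    ("FS01", "create", r"D:\Shares\Finance\Contact Us.txt"),
    ("FS01", "create", r"D:\Shares\HR\Contact Us.txt"),
    ("WS07", "create", r"C:\Users\amy\Documents\door.LOCKED"),
    ("WS07", "delete", r"C:\Users\amy\Documents\old.LOCKED"),
]


def triage(events, min_locked=MIN_LOCKED):
    """Return {(host, directory): verdict} for directories showing the indicators."""
    locked = defaultdict(set)   # distinct .LOCKED file names per directory
    notes = set()               # directories where the note was written
    for host, action, path in events:
        if action not in ("create", "rename"):
            continue            # only events that produce a file are relevant
        directory, name = ntpath.split(path)
        key = (host, directory.lower())   # Windows paths are case-insensitive
        if name.lower() == NOTE_NAME:
            notes.add(key)
        elif name.lower().endswith(LOCKED_EXT):
            locked[key].add(name.lower())
    verdicts = {}
    for key in notes | set(locked):
        count = len(locked.get(key, ()))
        if key in notes and count >= min_locked:
            verdicts[key] = "high"      # note and bulk .LOCKED files together
        elif key in notes or count >= min_locked:
            verdicts[key] = "review"    # one indicator only; neither is unique
    return verdicts


if __name__ == "__main__":
    for (host, directory), verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{verdict:6} {host} {directory}")
```

A single stray ".LOCKED" file without a note is not reported, since neither the extension nor the note name is unique to this ransomware on its own.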

 

The Quorum Cyber Threat Intelligence team provides ransomware reports so that you can better understand the threats facing your organisation.
