New Ransomware Group Uses Hive Source Code and Infrastructure

A new ransomware group called Hunters International has acquired the source code and infrastructure of the now-defunct Hive operation and is using them to launch its own attacks.

"It looks like the Hive group's leaders made the smart choice to shut down and give their remaining assets to another group, Hunters International," Bitdefender's technical solutions director, Martin Zugec, wrote in a report released last week.

Hive was once a highly active ransomware-as-a-service (RaaS) operation. In January 2023, it was dismantled as part of a coordinated law enforcement operation.

It is common for ransomware operators to regroup, rebrand, or cease operations after being disrupted. It is also possible, however, for the malware's core developers to hand their source code and remaining infrastructure over to another threat actor.

Last month, speculation arose that Hunters International might be a rebrand of Hive after code overlaps were found between the two strains. Five victims have since been attributed to it.

The threat actors behind it, for their part, have tried to put these rumours to rest by stating that they purchased the Hive source code and website from its original developers.

"The group appears to place a greater emphasis on data exfiltration," said Zugec. "Notably, all reported victims had data stolen, but not all of them had their data encrypted." This positions Hunters International closer to a data-extortion group than to a pure encryption-based ransomware operation.

Bitdefender's analysis of the ransomware sample shows that it is written in Rust. This is consistent with Hive's switch to the language in July 2022, a move intended to make the malware harder to reverse engineer.

"In general, as the new group adopts this ransomware code, it appears that they have aimed for simplification," said Zugec.

"They have reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions."

In addition to carrying a list of file extensions, file names, and folders that should be excluded from encryption, the ransomware also executes commands that inhibit data recovery and terminates a number of processes that could interfere with encryption.
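As an added illustration of the defender's side of that behaviour (example code written for this page, not code from the Bitdefender report or the malware): a small Python detector that scans constructed process-creation events for commonly observed recovery-inhibiting commands and flags a parent process that issues several of them. The command patterns, the parent-process threshold and the sample events are assumptions, not indicators taken from the report.

```python
import re

# Constructed sample process-creation events (not from the report); each is
# (timestamp, parent image, command line), loosely modelled on Sysmon event ID 1.
SAMPLE_EVENTS = [
    ("2023-11-20T09:14:02Z", "C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\notepad.exe notes.txt"),
    ("2023-11-20T09:15:10Z", "C:\\Users\\alice\\Downloads\\update.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("2023-11-20T09:15:11Z", "C:\\Users\\alice\\Downloads\\update.exe",
     "wmic.exe shadowcopy delete"),
    ("2023-11-20T09:15:12Z", "C:\\Users\\alice\\Downloads\\update.exe",
     "bcdedit.exe /set {default} recoveryenabled No"),
    ("2023-11-20T09:15:13Z", "C:\\Users\\alice\\Downloads\\update.exe",
     "taskkill.exe /F /IM sqlservr.exe"),
    ("2023-11-20T10:02:00Z", "C:\\Windows\\System32\\cmd.exe",
     "vssadmin.exe list shadows"),
]

# Assumed patterns: command lines commonly used to inhibit data recovery or to
# forcibly stop processes holding files open. Not quoted from the report.
RECOVERY_INHIBIT_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmi_shadow_copy_deletion": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "forced_process_kill": re.compile(r"\btaskkill(\.exe)?\b.*\s/F\b", re.I),
}


def classify(cmdline):
    """Return the names of all patterns matched by one command line."""
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(cmdline)]


def detect_preencryption_prep(events, min_hits=2):
    """Group matches by parent process. A single recovery command is often
    legitimate admin activity, so only a parent that triggers min_hits or more
    distinct patterns is flagged; that burst is the typical pre-encryption prelude."""
    hits = {}
    for _ts, parent, cmdline in events:
        for name in classify(cmdline):
            hits.setdefault(parent, set()).add(name)
    return {parent: sorted(names) for parent, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for parent, names in detect_preencryption_prep(SAMPLE_EVENTS).items():
        print(f"ALERT parent={parent} patterns={names}")
```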

"While Hive has been one of the most dangerous ransomware groups, it remains to be seen if Hunters International will prove equally or even more formidable," said Zugec.

"This group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities, [but] faces the task of demonstrating its competence before it can attract high-caliber affiliates."
