A new ransomware-as-a-service brand named Hunters International has emerged using code used by the Hive ransomware operation, leading to the valid assumption that the old gang has resumed activity under a different flag.
This theory is supported by analysis of the new encryptor revealing multiple code overlaps between the two ransomware gangs.
Hunters in denial
Security researchers analyzing a sample of the Hunters International malware discovered a striking resemblance to the code used in Hive ransomware attacks.
More specifically, malware analyst and reverse engineer rivitna, who first spotted the new encryptor, came to the conclusion that Hunters International malware was a sample of Hive ransomware version 6.
In replies to the tweet above, security researcher Will Thomas shares that he found "some maintained Hive ransomware strings" in the Hunters International code.
Looking closer at the Hunters International sample, the researcher discovered code overlaps and similarities that match more than 60% of the code in Hive ransomware.
However, the Hunters International group is denying the researchers’ “allegations”, saying that they are a new service on the ransomware scene who purchased the encryptor source code from the Hive developers.
“All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them,” the Hunters International gang says.
Hunters International claims that Hive’s code contained “a lot of mistakes that caused unavailability for decryption in some cases” but that they fixed it.
Furthermore, the new gang says that encryption is not the main goal of their operation, instead focusing on stealing data as leverage when extorting victims into paying a ransom demand.
The Hunters International encryptor
From analysis by BleepingComputer, Hunters International's encryptor appends the “.LOCKED” extension to the processed files.
The malware leaves in each directory a plaintext file named "Contact Us.txt" with instructions for the victim to contact the attacker over Tor, through a chat page that is protected by a login specific to each victim.
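As an added example (not from the article or from BleepingComputer), the following Python triage scanner walks a file tree and reports the two on-disk artifacts described above: files carrying the ".LOCKED" extension and directories holding a "Contact Us.txt" note. The sample tree it builds is constructed, and exact, case-sensitive matching on those two strings is an assumption.

```python
import os
import shutil
import tempfile
from collections import Counter

# Artifacts described in the article; exact-string matching is an assumption.
LOCKED_EXT = ".LOCKED"
NOTE_NAME = "Contact Us.txt"


def scan_tree(root):
    """Walk `root` and collect ransomware artifacts.

    Returns a dict with the encrypted-file paths, the directories that hold
    the ransom note, and a per-directory count of encrypted files (useful for
    seeing which shares were hit hardest during incident triage).
    """
    locked, note_dirs, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(LOCKED_EXT):
                locked.append(full)
                per_dir[dirpath] += 1
            elif name == NOTE_NAME:
                note_dirs.append(dirpath)
    return {"locked_files": locked, "note_dirs": note_dirs, "counts_by_dir": per_dir}


def verdict(report):
    """Crude triage label: note plus encrypted files means the host was impacted."""
    if report["locked_files"] and report["note_dirs"]:
        return "ransomware-artifacts-present"
    if report["locked_files"] or report["note_dirs"]:
        return "partial-indicators"
    return "clean"


def build_constructed_sample():
    """Create a constructed directory tree that mimics an affected file share."""
    root = tempfile.mkdtemp(prefix="hunters_demo_")
    for sub in ("finance", "hr"):
        os.makedirs(os.path.join(root, sub))
    for rel in ("finance/q3.xlsx.LOCKED", "finance/budget.docx.LOCKED", "hr/roster.csv.LOCKED"):
        open(os.path.join(root, rel), "wb").close()          # empty stand-in for ciphertext
    for sub in ("finance", "hr", ""):
        with open(os.path.join(root, sub, NOTE_NAME), "w") as fh:
            fh.write("constructed placeholder note\n")    # not the real note text
    with open(os.path.join(root, "hr", "untouched.txt"), "w") as fh:
        fh.write("ok\n")                                    # control file, must not match
    return root


if __name__ == "__main__":
    sample = build_constructed_sample()
    try:
        rep = scan_tree(sample)
        print(verdict(rep), dict(rep["counts_by_dir"]))
    finally:
        shutil.rmtree(sample)
```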
At the moment, their data leak site lists only one victim, a school in the UK, from which the attackers claim to have stolen almost 50,000 files consisting of data about students and teachers along with network and web credentials.
As spotted by MalwareHunterTeam, Hunters International's data leak site shows a set of messages, likely in an effort to tell the world that they mean serious business and that "hunting" for victims and extorting them is their main purpose.
It remains to be seen what fate awaits Hunters International, but with one victim published on their data leak site, the group does not appear to be too active.
Hive ransomware's demise
Whether Hive ransomware sold the source code to other cybercriminals or not remains unknown at the moment, but the gang's operations came to a sudden end after its Tor payment and data leak sites were seized in an international operation in January.
Disrupting the ransomware operation, which had 250 affiliates, was possible after the FBI had infiltrated the gang's infrastructure and monitored its activity for six months, since July 2022.
According to the FBI, the gang breached more than 1,300 companies and received ransom payments of about $100 million.
The agency's work allowed it to provide more than 1,300 decryption keys to Hive ransomware victims that had been encrypted before and after the FBI gained access to the attackers' environments.