Hive Ransomware No More – Hunters International Carries the Mantle

The term “Hacked the Hackers” was used back in January when the FBI managed to seize the Hive ransomware group’s servers, effectively shuttering the criminal enterprise. But is really gone? Lately, a new brand has been seen using the same code as Hive, which raises some concerns. Who are they? Enter Hunters International.

Ransomware operations are everywhere, and every day, we see some rise and others fall. Hive, in particular, has been wreaking havoc among high-profile companies and organizations for quite some time now.

With Hunters International carrying the mantle, the peace of mind we had seems to be short-lived. Who’s behind the new ransomware operation? Here’s what we know.

Out with Hive, In with Hunters International

Ransomware comes in many forms based on the group behind it. Every threat actor that resorts to ransomware has his/her own touch when it comes to the method and technique.

However, what they all have in common in the end is the fact that they encrypt the target’s data and ask for a ransom in exchange for a decryptor.

If the ransom wasn’t paid, the malicious actor posts everything they had stolen online. Now, as we mentioned, each group has capabilities, and when it comes to Hive, these techniques cannot get better (or worse). Depends on how we’re looking at it.

Hive saw the light back in 2021 when it launched as a ransomware as a service (RaaS) operation. The group’s activity didn’t last long, as they only ran operations between June 2021 and January 2023.

During that time, Hive managed to infiltrate several organizations, including:

• Tata Power
• Emil Frey
• Rompetrol

Now, HIVE has disbanded, but security researchers have come across a ransomware operation that resembles HIVE in so many ways, including code. That’s the new Hunters International ransomware.

Hunters International Emerges

According to malware analyst Rivitna, Hunters International malware is a sample of Hive ransomware version 6.

#Hive is back!
Now they are #Hunters International!https://t.co/JmJva3JEeo pic.twitter.com/VuE4nruH6v

— rivitna (@rivitna2) October 20, 2023

Another researcher, Will Thomas, stated that while analyzing the ransomware, he discovered code with more than 60% similarity with Hive ransomware.

Ever since the takedown of Hive ransomware by the FBI, it seems the operators have been busy developing their next project: Hunters International.

Multiple code overlaps and similarities link Hive and Hunters together, at least +60% match from my research 🔍 h/t @rivitna2 https://t.co/60quS4N9O9

— Will (@BushidoToken) October 20, 2023

Just like any ransomware technique, Hunters International infiltrates the victims’ systems and encrypts their files. Within the folder, they drop a note that has all the instructions needed to complete the payment process.

With messages like “Keep calm and go hunting” and “Live to hunt. Hunt to live,” one would be very concerned about what the group is up to.

However, so far, Hunters International doesn’t seem to be very active. On their leak site, there’s only one post belonging to a school in the United Kingdom.

Hive Rebranded – Here We Go Again

Hive has been absent for a couple of months, but apparently, its operators don’t wish to be hidden anymore.

Now, they seem to be rebranding the ransomware in the form of Hunters International, which definitely raises some concerns.

So far, the group is not very active, but who knows what the group might be up to in the near future.