Threat Actor Profile: Hunters International Ransomware Group

Introduction

Hunters International is a recently identified ransomware group that has quickly come to prominence. It is notable for code that shares similarities with the now-defunct Hive ransomware and for aggressive, unscrupulous ransom negotiation tactics.

Background and Operations

  • Link to Hive Ransomware: Security experts have established links between Hunters International and the Hive group, which was dismantled in a coordinated law enforcement operation. This connection is based on similarities in the encryption code, with about a 60% match observed. This information comes from The Register’s report on Hunters International’s connection to Hive.
  • Ransomware Attacks and Tactics: Hunters International has been responsible for a limited number of attacks, including on a UK primary school and a US plastic surgeon’s clinic. In the latter case, they leaked patients’ pre-operation pictures, demonstrating their willingness to cross moral boundaries to expedite ransom payments. More on these tactics is detailed in The Register’s article about the ransomware gang’s aggressive strategies.
  • Data Exfiltration Focus: The group has stated that encryption is not its primary goal. Instead, it focuses more on data exfiltration, using stolen information as leverage in ransom negotiations.

Tactics, Techniques, and Procedures (TTPs)

  • Execution (TA0002): Involves Native API (T1106) and Shared Modules (T1129) techniques.
  • Persistence (TA0003): Utilizes Boot or Logon Autostart Execution (T1547.001).
  • Defense Evasion (TA0005): Employs Obfuscated Files or Information (T1027) and techniques to Impair Defenses (T1562.001).
  • Discovery (TA0007): Includes Process Discovery (T1057), System Information Discovery (T1082), and File and Directory Discovery (T1083).
  • Command and Control (TA0011): Utilizes Application Layer Protocol (T1071), specifically Web Protocols (T1071.001).
  • Impact (TA0040): Data Encrypted for Impact (T1486).

Indicators of Compromise (IOCs)

  • File Extension: “.LOCKED” extension on encrypted files.
  • Ransom Note: “Contact Us.txt” file in encrypted directories.
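The two file-system indicators above can be turned into a simple host-level detection. The following is an added example, not code from the original profile: it runs over constructed file-creation events (a Sysmon Event ID 11 or EDR-style feed; the tuple layout and field names are assumptions, not any vendor's schema) and flags a host when a "Contact Us.txt" note appears or when several ".LOCKED" files are created within a short window, the latter being the mass-encryption pattern behind T1486.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKED_EXT = ".locked"          # ".LOCKED" extension, compared case-insensitively
RANSOM_NOTE = "contact us.txt"  # "Contact Us.txt" ransom note

# Constructed sample events: (ISO timestamp, host, created file path).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "ws-01", r"C:\Users\a\Documents\report.docx"),
    ("2024-01-10T09:00:01", "ws-01", r"C:\Users\a\Documents\report.docx.LOCKED"),
    ("2024-01-10T09:00:02", "ws-01", r"C:\Users\a\Documents\budget.xlsx.LOCKED"),
    ("2024-01-10T09:00:02", "ws-01", r"C:\Users\a\Documents\photo.jpg.LOCKED"),
    ("2024-01-10T09:00:03", "ws-01", r"C:\Users\a\Documents\Contact Us.txt"),
    ("2024-01-10T09:00:04", "ws-01", r"C:\Users\a\Pictures\scan.png.LOCKED"),
    ("2024-01-10T09:00:05", "ws-01", r"C:\Users\a\Pictures\Contact Us.txt"),
    ("2024-01-10T11:30:00", "ws-02", r"C:\Users\b\Desktop\notes.txt"),
    ("2024-01-10T11:30:01", "ws-02", r"C:\Users\b\Desktop\old.bak.LOCKED"),
]

def classify(path):
    """Return 'note', 'encrypted', or None for a single file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name == RANSOM_NOTE:
        return "note"
    if name.endswith(LOCKED_EXT):
        return "encrypted"
    return None

def detect(events, window=timedelta(seconds=60), min_encrypted=3):
    """Per host: flag if a ransom note was dropped, or if at least
    min_encrypted '.LOCKED' files were created inside one sliding window."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        kind = classify(path)
        if kind:
            per_host[host].append((datetime.fromisoformat(ts), kind, path))
    findings = {}
    for host, items in per_host.items():
        items.sort()
        notes = [p for _, k, p in items if k == "note"]
        enc_ts = [t for t, k, _ in items if k == "encrypted"]
        burst = any(
            sum(1 for t in enc_ts[i:] if t - start <= window) >= min_encrypted
            for i, start in enumerate(enc_ts)
        )
        if notes or burst:
            findings[host] = {"ransom_notes": notes,
                              "encrypted_count": len(enc_ts),
                              "burst": burst}
    return findings
```

The single ".LOCKED" file on ws-02 stays below the burst threshold and carries no note, so only ws-01 is reported; tune window and min_encrypted to the file-event volume of the environment.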

Assessment and Recommendations

  • Evolving Threat: Hunters International represents an emerging and evolving cyber threat, with a focus on data theft and sophisticated extortion techniques.
  • Mitigation Strategies: Organizations should strengthen their cybersecurity posture, focusing in particular on data backup and recovery strategies, employee awareness training, and regular patching and updating of security systems.

Further Reading