Unveiling a New Ransomware Group: Leveraging Hive's Source Code and Infrastructure

To propel their initiatives in the threat landscape, the threat actors orchestrating the formation of the ransomware group Hunters International have seized control of the source code and infrastructure once belonging to the now-defunct Hive operation.

“It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International,” Martin Zugec, the technical solutions director at Bitdefender, said in a report that was published last week. Zugec’s comments were made in reference to the Hive group.

In January 2023, law enforcement executed a synchronized effort leading to the shutdown of the Hive ransomware-as-a-service (RaaS) business. Historically, Hive stood out as one of the most prosperous RaaS operations.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

In the aftermath of asset seizures, a common occurrence involves those accountable for ransomware attacks either reorganizing, rebranding, or ceasing their operations altogether. Alternatively, the original architects of the ransomware may opt to pass on the source code and any associated infrastructure to another threat actor.

After the identification of substantial code similarities between Hunters International and Hive, speculations surfaced last month hinting at the possibility of the latter undergoing a rebranding to become the former. Subsequently, this alleged transformation has been linked to the unfortunate demise of five individuals.

In response to these rumours, the threat actors associated with Hunters International have sought to refute the claims. They assert that rather than a rebranding, they acquired the Hive source code and website directly from the original authors.

“The group appears to place a greater emphasis on data exfiltration,” according to Zugec. Because “Notably, all reported victims had data exfiltrated, but not all of them had their data encrypted,” Hunters International is more of a data extortion outfit than a traditional hacking organization.

Bitdefender’s investigation into the ransomware sample uncovers that its foundation is rooted in Rust. This aligns with the historical context of Hive, which transitioned to utilizing the programming language in July 2022 due to its heightened resistance to reverse engineering.

“In general, as the new group adopts this ransomware code, it appears that they have aimed for simplification,” according to Zugec.

“They have reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions.”

Apart from incorporating a catalog of file extensions, file names, and directories earmarked for non-encryption, the ransomware undertakes commands to impede data recovery and halts specific processes that might pose a threat to the operation. Additionally, the ransomware encompasses an exclusion list comprising file extensions, file names, and directories that are designated to remain unencrypted.

“While Hive has been one of the most dangerous ransomware groups, it remains to be seen if Hunters International will prove equally or even more formidable,” according to Zugec.

“This group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities, [but] faces the task of demonstrating its competence before it can attract high-caliber affiliates.”