Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware, has been linked to widespread attacks targeting Windows, Linux, FreeBSD, SunOS, and ESXi systems.
Emerging in October 2023, the group has gained notoriety for its sophisticated techniques in data exfiltration and extortion.
Cybersecurity researchers have noted similarities between Hunters International’s operations and those of Hive, which was dismantled by law enforcement earlier in 2023.
While Hunters International denies being a direct continuation of Hive, evidence suggests that they acquired Hive’s source code and operational tools.
The ransomware developed by Hunters International is compatible with multiple architectures (x64, x86, ARM) and operating systems, showcasing its adaptability.
Unlike traditional ransomware attacks that rely heavily on encryption and ransom notes, Hunters International has shifted its focus to stealthier methods.
The latest versions of their malware avoid renaming encrypted files or dropping ransom notes, a tactic aimed at minimizing awareness within victim organizations.
Additionally, the group leverages Open Source Intelligence (OSINT) techniques to pressure victims through phone calls, emails, and social media.
Hunters International targets industries such as healthcare, real estate, and professional services across North America, Europe, and Asia.
Despite publicly prohibiting attacks on regions like Israel, Turkey, and the Far East, data leaks suggest that these rules are inconsistently enforced.
In November 2024, Hunters International announced plans to cease operations due to increased scrutiny from governments and diminishing profitability.
However, by January 2025, the group resurfaced under the name “World Leaks,” focusing exclusively on extortion without encryption.
World Leaks employs a custom exfiltration tool designed for automating data theft from victims’ networks.
This shift aligns with broader trends in cybercrime where ransomware operators increasingly favor extortion-only attacks over double extortion methods.
Hunters International’s ransomware is built using the Rust programming language for enhanced performance and cross-platform compatibility.
It employs AES encryption with randomly generated keys for each file while avoiding encrypting specific file sections to evade detection.
The malware also disables system recovery features and terminates critical processes using predefined lists.
For Unix-like systems and ESXi hypervisors, the ransomware offers limited control but retains its ability to encrypt virtual machine files.
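Because the malware described above neither renames files nor drops notes, a file's entropy profile is one of the few on-disk artefacts a defender can still look for: partial encryption leaves ciphertext-like windows interleaved with untouched plaintext. The heuristic below is an added illustration, not code from the report or from the group's tooling; the window size, thresholds and sample data are assumptions constructed for the demo.

```python
import hashlib
import math
from collections import Counter

CHUNK = 1024   # window size in bytes
HIGH = 7.5     # bits/byte at or above this: ciphertext- or compressed-like
LOW = 5.5      # bits/byte at or below this: text-, code- or structured-data-like

def shannon_entropy(buf: bytes) -> float:
    """Empirical Shannon entropy of buf in bits per byte (0.0 for empty input)."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def mixed_entropy_profile(data: bytes, chunk: int = CHUNK) -> dict:
    """Flag files whose windows alternate between plaintext-like and ciphertext-like.
    A fully encrypted file, a zip or a jpeg is uniformly high and a text file uniformly
    low, so neither is flagged. Documents with embedded compressed images can also look
    mixed: treat a hit as a triage signal to pair with file-type checks, not as proof."""
    ents = chunk_entropies(data, chunk)
    is_high = [e >= HIGH for e in ents]
    high = sum(is_high)
    low = sum(1 for e in ents if e <= LOW)
    transitions = sum(1 for a, b in zip(is_high, is_high[1:]) if a != b)
    flagged = len(ents) >= 4 and high >= 1 and low >= 1 and transitions >= 2
    return {"windows": len(ents), "high": high, "low": low,
            "transitions": transitions, "flagged": flagged}

# --- constructed sample data (an assumption for the demo, not a real victim file) ---
def plaintext_window() -> bytes:
    """One window of English-like text (entropy around 4 bits/byte)."""
    line = b"The quarterly report lists revenue, costs and headcount per region. "
    return (line * 16)[:CHUNK]

def noise_window(tag: int) -> bytes:
    """Hash-derived pseudo-random bytes standing in for AES output (only entropy matters)."""
    return b"".join(hashlib.sha256(b"window%d:%d" % (tag, j)).digest()
                    for j in range(CHUNK // 32))

def constructed_sample() -> bytes:
    """Eight windows; windows 2, 3 and 6 are high-entropy, the rest are left in clear."""
    layout = "PPCCPPCP"
    return b"".join(noise_window(i) if c == "C" else plaintext_window()
                    for i, c in enumerate(layout))
```

Running `mixed_entropy_profile(constructed_sample())` reports 3 high and 5 low windows with 4 transitions and flags the file, while an all-plaintext or all-noise input of the same size is not flagged.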
The group’s infrastructure includes tools like “Storage Software,” which organizes stolen data for extortion purposes.
According to the report, this software enables victims to download or delete their files after paying the ransom, a feature aimed at streamlining negotiations while maintaining operational security for the attackers.
The evolution of Hunters International reflects significant changes in the ransomware landscape.
As governments worldwide intensify efforts against cybercrime, including banning ransom payments, groups like Hunters International are adapting by adopting stealthier tactics and focusing on critical infrastructure targets.
The transition to extortion-only operations further underscores the need for robust cybersecurity measures to protect sensitive data from exfiltration attacks.