Hunters International, a notorious ransomware group that recently claimed an attack on Indian engineering firm Tata Technologies, is rebranding itself and moving to exfiltration-only tactics, threat intelligence firm Group-IB reports.
Active since late 2023, Hunters is a ransomware-as-a-service (RaaS) group that adapted many of the tools and techniques associated with Hive, the ransomware gang disrupted by law enforcement in January 2023.
According to Group-IB, evidence suggests that Hunters is a rebrand of Hive: affiliates and operators of other ransomware groups refer to the RaaS as Hive and some of the individuals involved with the operation were contacted by Hunters’ administrators from the same accounts as Hive.
On its Tor-based leak site, the group has listed roughly 300 victim organizations, nearly half of which are in North America. Hunters also hit more than 50 organizations in Europe and two dozen in Asia. The real estate, healthcare, professional services, financial services, government, and energy sectors were targeted the most.
Hunters’ affiliate panel allows cybercriminals to register a victim, customize the malware, and chat with the victim. The panel also provides a tool called Storage Software, which collects metadata on the files stolen from the victim and sends it to Hunters’ servers.
Affiliates can set the ransom amount from the panel, and are provided with the file-encrypting malware, which is compatible with x64, x86, and ARM architectures and can run on Windows and Linux. If a victim pays, the affiliate receives 80% of the proceeds.
According to Group-IB, the Storage Software tool can also be used to download and delete files, as long as it runs on the same host with the files, which suggests that the stolen data is initially hosted by the affiliate. Victims that pay the ransom are likely provided with access to download and delete the data.
The latest version of the ransomware, Group-IB notes, no longer drops a ransom note, nor renames the encrypted files by appending a specific extension.
Starting August 2024, the group prefers to directly contact the victim organization’s CEO and key employees instead, to keep the attack under wraps and increase the chances that the executives approve the ransom payment.
Hunters works with a third-party that provides OSINT services to collect information about the victim’s employees, which is then used for extortion. According to Group-IB, most extortion groups will likely adopt the same tactic in the future.
Based on internal notes posted by the RaaS operators, the cybersecurity firm believes that the group plans to move away from file-encrypting ransomware, as it is risky and no longer profitable.
“As a result, the operators released a new project on 1 January 2025 called World Leaks. Instead of conducting double extortion, the operation will shift to exfiltration-only attacks,” Group-IB notes, adding that the project was halted shortly after release to resolve infrastructure issues.
Affiliates would be provided with an exfiltration tool for automated data theft, which is fully undetectable, and which can establish network connections through a proxy server, like Storage Software.
“Similar to what was observed by CISA in relation to BianLian, other ransomware groups may eventually shift from double extortion to exfiltration-only attacks and consequently develop methods to automatize this process,” Group-IB notes.
Related: Ransomware Group Claims Attack on Tata Technologies
Related: Ransomware Groups Increasingly Adopting EDR Killer Tools
Related: Understanding the ‘Morphology’ of Ransomware: A Deeper Dive
Related: Ransomware Group Takes Credit for National Presto Industries Attack
