| Category | Details |
|---|---|
| Threat Actors | Hunters International (acquired the Hive source code and website from the original developers). |
| Campaign Overview | The latest campaign includes MANTINGA, a Lithuania-based food and beverage manufacturer, which has fallen victim to Hunters International ransomware. |
| Target Regions (or Victims) | Lithuania, Argentina, Sweden, Germany, Taiwan, USA. |
| Methodology | The malware encrypts data using AES with RSA for key protection, escalates privileges, terminates processes, and exfiltrates data to force payment. |
| Product Targeted | Sensitive organizational data, backup systems, and critical services. |
| Malware Reference | Custom ransomware derived from Hive's source code, written in Rust. |
| Tools Used | Encryption primitives AES, RSA and ChaCha20-Poly1305 (earlier versions), SHA3-256 hashing, and built-in tools to bypass backups (vssadmin.exe, wmic.exe, etc.). |
| Vulnerabilities Exploited | No specific vulnerabilities mentioned; uses privilege escalation (SE_DEBUG), process impersonation, and service termination to gain control. |
| TTPs | Privilege escalation, terminating processes and services, encrypting files, wiping free space, and leaving a ransom note in every encrypted folder. |
| Attribution | Self-attributed to the Hunters International group; no external links to other actors such as Hive. |
| Recommendations | Enhance backup systems, restrict privileged access, use endpoint detection, and monitor for signs of data exfiltration or unusual process activity. |
| Source | Acronis.com, itfunk.org |
https://www.itfunk.org/cyber-threats/ransomware/hunters-international-ransomhuntersint-hive-variant/
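The "monitor for unusual process activity" recommendation above can be made concrete for the backup-tampering tools the table lists (vssadmin.exe and wmic.exe shadow-copy deletion). The following Python is an added example, not code from the Acronis or itfunk write-ups; the event field names and the sample events are constructed assumptions shaped loosely like Sysmon process-creation records.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "fs01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "ws07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},        # benign inventory, no alert
    {"host": "ws07", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir"},
]

# (rule name, expected binary, pattern over the normalised command line)
RULES = [
    ("vssadmin_shadow_delete", "vssadmin.exe", re.compile(r"\bdelete shadows\b")),
    ("wmic_shadowcopy_delete", "wmic.exe", re.compile(r"\bshadowcopy delete\b")),
]


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so case/spacing tricks do not evade."""
    return re.sub(r"\s+", " ", cmd.strip().lower())


def image_name(path: str) -> str:
    """Basename of the executing image, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exe_token(cmd: str) -> str:
    """First command-line token as an .exe name, so 'wmic ...' matches 'wmic.exe'."""
    first = cmd.split(" ", 1)[0].strip('"').rsplit("\\", 1)[-1]
    return first if first.endswith(".exe") else first + ".exe"


def match_event(event: dict) -> list:
    """Names of rules the event triggers; empty list if none.
    Matching on image basename alone misses renamed copies of the binary,
    so the command-line token is checked too (OriginalFileName would be better)."""
    cmd = normalise(event["cmd"])
    names = {image_name(event["image"]), exe_token(cmd)}
    return [rule for rule, exe, pat in RULES if exe in names and pat.search(cmd)]


def scan(events: list) -> list:
    """One alert dict per event that matches at least one rule."""
    return [{"host": ev["host"], "rules": hits, "cmd": ev["cmd"]}
            for ev in events if (hits := match_event(ev))]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: {', '.join(alert['rules'])} :: {alert['cmd']}")
```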