Improving upon its possible predecessor’s design, the new Ransomware-as-a-Service threat has streamlined command-line options and optimized key management
A Ransomware-as-a-Service (RaaS) operation that first emerged in October 2023 has since claimed over 200 victims, including two victims in Asia.
Known for its adaptable design, the operation that calls itself Hunters International writes its code in Rust, which helps it bypass detection, accelerate encryption, and ensure cross-platform compatibility.
The malware shares code similarities with the now-disrupted Hive ransomware but improves upon the latter’s design by streamlining command-line options and optimizing key management.
A recent forensic report by Forescout’s Vedere Labs noted that Hunters International embeds encryption keys within the encrypted files, a technique that complicates decryption while simplifying recovery for victims who pay the ransom.
According to the report, there was evidence of attacks that used an Oracle Web Server (OWS) as the entry point and went on to exfiltrate sensitive data, encrypt files and disable data recovery. Key findings include:
- Sophisticated tactics: Exploitation of OWS vulnerabilities for initial access, followed by lateral movement, data exfiltration, and encryption of critical files.
- Adaptable malware: Written in Rust, the ransomware bypasses traditional detection methods and ensures cross-platform compatibility.
- Operational scale: In November 2024, 24 victims had been reported worldwide, including high-profile entities such as the US Marshals and global financial institutions.
Targeted files are encrypted using a dual-layer AES/RSA scheme, making decryption practically infeasible without payment. This design also lets the attackers scale their operations securely, since victims must engage with the ransomware operators to obtain decryption keys.
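The key-management design described above, as an added illustration rather than code from the report or from any malware: each file gets its own AES-256-GCM key, that key is wrapped with an RSA-2048 public key and stored inside the file, and nothing in the file can be recovered without the matching private key. The container layout, constants and function names are assumptions made for this example; it is meant to show why intact offline backups, not the encrypted files themselves, are the realistic recovery path.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Hypothetical container layout used here (not the real Hunters International format):
// AES-GCM ciphertext || 12-byte nonce || RSA-2048-OAEP(fileKey); the AES key travels inside the file.
const nonceLen, wrappedLen = 12, 256
func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM instance for a 32-byte file key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func sealFile(plain []byte, pub *rsa.PublicKey) ([]byte, error) { // encrypt, then embed wrapped key
	buf := make([]byte, 32+nonceLen) // fileKey || nonce, both fresh for every file
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil || len(wrapped) != wrappedLen {
		return nil, errors.New("key wrapping failed; pub must be a 2048-bit RSA key")
	}
	return append(append(gcm.Seal(nil, buf[32:], plain, nil), buf[32:]...), wrapped...), nil
}

func openFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) { // needs the matching private key
	if len(blob) < nonceLen+wrappedLen {
		return nil, errors.New("container too short")
	}
	split := len(blob) - wrappedLen
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[split:], nil)
	if err != nil {
		return nil, err // wrong private key: the embedded AES key stays sealed
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[split-nonceLen:split], blob[:split-nonceLen], nil)
}
```

Because GCM authenticates the ciphertext, a tampered container fails to open even with the right private key, which is why a victim cannot "repair" files by editing them.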
As for detection and intervention, other cybersecurity resources prescribe the usual measures:
- Regular software updates and patch management to plug code vulnerabilities
- Continual employee cybersecurity awareness training against cyber threats
- Strong authentication mechanisms to interrupt unauthorized system access
- Comprehensive data backup and recovery plans
- Network segmentation
- Use of advanced threat detection tools (EDR/IDPS)
- Robust incident response planning to cultivate prepared and effective responses to any cyberattack
The threat group’s attacks have been opportunistic rather than targeted, indicating that the group is still finding its way in the ransomware space after (possibly) taking over the Hive operations.