The risk actors behind a brand new ransomware group known as Hunters Worldwide have acquired the supply code and infrastructure from the now-dismantled Hive operation to kick-start its personal efforts within the risk panorama.
“It seems that the management of the Hive group made the strategic choice to stop their operations and switch their remaining belongings to a different group, Hunters Worldwide,” Martin Zugec, technical options director at Bitdefender, stated in a report revealed final week.
Hive, as soon as a prolific ransomware-as-a-service (RaaS) operation, was taken down as a part of a coordinated legislation enforcement operation in January 2023.
Whereas it is common for ransomware actors to regroup, rebrand, or disband their actions following such seizures, what also can occur is that the core builders can go on the supply code and different infrastructure of their possession to a different risk actor.
Stories about Hunters Worldwide as a doable Hive rebrand surfaced final month after a number of code similarities had been recognized between the 2 strains. It has since claimed 5 victims so far.
The risk actors behind it, nonetheless, have sought to dispel these speculations, stating that it bought the Hive supply code and web site from its builders.
“The group seems to put a higher emphasis on information exfiltration,” Zugec stated. “Notably, all reported victims had information exfiltrated, however not all of them had their information encrypted,” making Hunters Worldwide extra of a knowledge extortion group.
Bitdefender’s evaluation of the ransomware pattern reveals its Rust-based foundations, a truth borne out by Hive’s transition to the programming language in July 2022 for its elevated resistance to reverse engineering.
“On the whole, as the brand new group adopts this ransomware code, it seems that they’ve aimed for simplification,” Zugec stated.
“They’ve lowered the variety of command line parameters, streamlined the encryption key storage course of, and made the malware much less verbose in comparison with earlier variations.”
The ransomware, apart from incorporating an exclusion checklist of file extensions, file names, and directories to be omitted from encryption, runs instructions to stop information restoration in addition to terminate plenty of processes that would doubtlessly intrude with the method.
“Whereas Hive has been some of the harmful ransomware teams, it stays to be seen if Hunters Worldwide will show equally or much more formidable,” Zugec famous.
“This group emerges as a brand new risk actor beginning with a mature toolkit and seems keen to point out its capabilities, [but] faces the duty of demonstrating its competence earlier than it will possibly appeal to high-caliber associates.”
