Hunters International is a ransomware strain that operates under a Ransomware-as-a-Service (RaaS) model, combining data exfiltration with encryption to extort victims. It shares substantial code with the now-dismantled Hive ransomware but is not a direct rebrand of that operation. AttackIQ has released an attack graph that emulates its tactics, techniques, and procedures (TTPs) so organizations can evaluate their defenses against it. Related threats: Hunters International, Hive
Key points:
- Hunters International is a ransomware strain active since October 2023.
- It operates under the Ransomware-as-a-Service (RaaS) model.
- The ransomware aims to exfiltrate sensitive data and extort victims for ransom payments.
- It shares approximately 60% code overlap with Hive ransomware.
- AttackIQ has released an attack graph emulating the TTPs of Hunters International.
- The attack graph helps organizations validate their security controls against this threat.
- The emulated techniques span payload ingress, recovery inhibition, access token theft, host discovery, and file encryption for impact.
- Detection and mitigation strategies are recommended for key techniques used by Hunters International.
MITRE Techniques:
- Ingress Tool Transfer (T1105): The attack graph downloads the ransomware's later stages to disk so that network and endpoint controls can be tested against the transfer.
- Inhibit System Recovery (T1490): Deletes Volume Shadow Copies using vssadmin.exe and wmic.exe.
- Access Token Manipulation: Token Impersonation/Theft (T1134.001): Enumerates the access tokens of running processes in preparation for impersonating another user.
- Process Discovery (T1057): Uses Windows API to enumerate running processes.
- System Service Discovery (T1007): Gathers information about configured services using EnumServicesStatus API.
- System Information Discovery (T1082): Executes GetSystemInfo API to discover system details.
- Data Encrypted for Impact (T1486): Encrypts files with a hybrid routine: AES-256 in CBC mode for file contents, with RSA-2048 protecting the AES key.
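The Inhibit System Recovery entry above names the two binaries the emulation uses to destroy Volume Shadow Copies, and the key points recommend detection for exactly this behaviour. The following is an added example, not code from the AttackIQ article or its attack graph: a small detector run over constructed process-creation events (Sysmon Event ID 1 style, made up for this example) that flags `vssadmin` and `wmic` shadow-copy deletion from the command line rather than the image path, so launches wrapped in `cmd.exe /c` or with odd casing are still caught. It goes one step beyond the page by also flagging `vssadmin resize shadowstorage`, a related T1490 variant that purges copies by shrinking their storage. Field names and the severity heuristic (a parent outside `C:\Windows` is rated higher) are assumptions for illustration.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# These are made-up records for this example, not telemetry from the article.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": r"C:\Users\Public\locker.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},                      # benign
    {"host": "srv02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption"},                         # benign
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd.exe /c "VSSADMIN.EXE Delete Shadows /For=C: /Quiet"'},
    {"host": "ws03", "parent": r"C:\Users\Public\locker.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# Each rule: (name, case-insensitive pattern over the full command line).
# Matching on the command line instead of the image path catches the binary
# when it is launched through cmd.exe /c or with unusual casing.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # Beyond the page: shrinking shadow storage forces Windows to purge existing
    # copies, a well-known T1490 variant worth covering in the same rule set.
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
]

# Assumed heuristic: a parent binary living under the Windows directory is more
# likely an admin's shell; anything else (user-writable paths) is rated higher.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)


def severity_for(parent: str) -> str:
    """Rate the alert by where the parent process image lives."""
    return "medium" if WINDOWS_DIR.match(parent) else "high"


def detect_inhibit_recovery(events):
    """Return one alert per event whose command line matches a T1490 rule."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "host": ev["host"],
                    "technique": "T1490",
                    "rule": name,
                    "severity": severity_for(ev.get("parent", "")),
                    "cmdline": cmd,
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_inhibit_recovery(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['host']} {a['rule']}: {a['cmdline']}")
```

Running the block over the sample produces four alerts: the two `vssadmin delete shadows` launches, the `wmic shadowcopy delete`, and the `resize shadowstorage` call; `vssadmin list shadows` and `wmic os get caption` stay silent. In production the same rules map directly onto a SIEM query over the process command-line field, and the parent-path heuristic is where tuning for your environment's admin tooling belongs.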
Indicators of Compromise:
- [file hash] See the linked article for the full list of IoCs.
Full Research: https://www.attackiq.com/2025/01/27/emulating-the-splintered-hunters/