Hunters International Ransomware: Tactics, Impact, and Defense Strategies

Hunters International is a ransomware group that emerged in October 2023 and operates under a Ransomware-as-a-Service (RaaS) model. It has carried out more than 200 attacks across multiple industries worldwide. The group exfiltrates data before deploying its ransomware, and its intrusions combine exploitation of known vulnerabilities with custom malware. Affected sectors: financial institutions, oil and gas, construction, healthcare, automotive, manufacturing, logistics, education, food.

Key points:

  • Hunters International emerged in October 2023 after the Hive ransomware group’s dismantling.
  • The group has executed over 200 attacks globally, targeting various sectors.
  • The ransomware is written in Rust and carries an extended set of command-line options and an updated encryption routine.
  • In the analysed intrusion, initial access was gained by exploiting an Oracle WebLogic Server vulnerability.
  • Data exfiltration tactics are employed alongside ransomware deployment.
  • Victim organizations span sectors like finance, healthcare, logistics, and technology.
  • Follow-on tooling includes web shells and a renamed AutoIt-compiled malware used for lateral movement.
  • The group’s attacks leverage tools like AnyDesk, TeamViewer, and RDP to maintain access.
  • Before encryption, the operators disable backup and recovery mechanisms so that victims cannot restore on their own, increasing pressure to pay.

MITRE Techniques:

  • Initial Access: Exploitation of a public-facing application – CVE-2020-14644, an Oracle WebLogic Server vulnerability, was exploited for unauthenticated remote code execution.
  • Discovery: Network enumeration – ipconfig and nltest were run to map network configuration and domain trusts (ATT&CK places these under Discovery rather than Reconnaissance).
  • Credential Access: OS credential dumping – the SAM registry hive was saved with the reg save command to harvest password hashes for offline cracking (the hashes are protected with a key held in the SYSTEM hive, so that hive is usually saved alongside it).
  • Exfiltration: Stolen data was uploaded to MEGA cloud storage (mega.nz); using a legitimate encrypted service makes the transfer harder to spot and to attribute.
  • Execution: The Rust-based ransomware was delivered in a WinRAR archive and launched from the command line.
  • Collection/Exfiltration: Microsoft SQL Server’s xp_cmdshell extended stored procedure was used to run OS commands that dumped entire databases before encryption.
  • Command and Control: Remote access tools such as AnyDesk were installed to retain access and move further through the network.

Indicators of Compromise:

  • [File] delete.me
  • [File] encrypter_windows_x64.exe
  • [Domain] mega.nz
  • [Command] cmd.exe invoked with the command-line arguments used in the attack (not reproduced in this summary)
  • [Command] reg save hklm\sam sam.txt
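
Triage logic for the behaviours in the technique list and the IOC list above, written as an added example for this summary; it is not code from the Picus write-up nor anything recovered from Hunters International tooling. It runs a small set of rules over constructed Windows process-creation and DNS records whose field names (image, cmdline, parent, query) are this example's own convention, not a vendor log schema. The sqlservr.exe install path, the domain name "corp" and the bcp command line in the sample events are illustrative assumptions.

```python
"""Process/DNS telemetry triage for the Hunters International tradecraft listed above.

Added example; not code from the Picus write-up or from the group's tooling.
All events below are constructed, and their field names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    id: int
    kind: str            # "process" for process creation, "dns" for a name query
    image: str = ""      # full path of the created process
    cmdline: str = ""    # its command line as logged
    parent: str = ""     # full path of the parent process
    query: str = ""      # queried name, for dns events


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path or command-line token."""
    return PureWindowsPath(path.strip('"')).name.lower()


# reg.exe saving the SAM hive, as in the IOC list. SYSTEM is matched too: SAM
# hashes are encrypted with the boot key stored in SYSTEM, so an attacker who
# wants to crack them offline normally saves both hives.
SAM_SAVE = re.compile(r"\bsave\b.*\bhklm\\(?:sam|system)\b", re.IGNORECASE)
DISCOVERY_TOOLS = {"nltest.exe", "ipconfig.exe"}            # from the Discovery entry
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}            # from the key points
KNOWN_FILES = {"encrypter_windows_x64.exe", "delete.me"}    # from the IOC list
EXFIL_DOMAINS = {"mega.nz"}                                 # from the IOC list


def rule_credential_dump(e: Event) -> bool:
    return e.kind == "process" and _base(e.image) == "reg.exe" and SAM_SAVE.search(e.cmdline) is not None


def rule_discovery(e: Event) -> bool:
    return e.kind == "process" and _base(e.image) in DISCOVERY_TOOLS


def rule_xp_cmdshell(e: Event) -> bool:
    # xp_cmdshell runs OS commands by spawning cmd.exe from the SQL Server
    # service process, so that parent/child pair is the telemetry to watch.
    return e.kind == "process" and _base(e.parent) == "sqlservr.exe" and _base(e.image) == "cmd.exe"


def rule_known_file(e: Event) -> bool:
    tokens = [_base(t) for t in e.cmdline.split()]
    return e.kind == "process" and (_base(e.image) in KNOWN_FILES or any(t in KNOWN_FILES for t in tokens))


def rule_exfil_domain(e: Event) -> bool:
    name = e.query.lower().rstrip(".")
    return e.kind == "dns" and any(name == d or name.endswith("." + d) for d in EXFIL_DOMAINS)


def rule_remote_tool(e: Event) -> bool:
    return e.kind == "process" and _base(e.image) in REMOTE_TOOLS


RULES = {
    "credential_dump": rule_credential_dump,
    "discovery": rule_discovery,
    "xp_cmdshell": rule_xp_cmdshell,
    "known_file": rule_known_file,
    "exfil_domain": rule_exfil_domain,
    "remote_tool": rule_remote_tool,
}


def scan(events) -> dict:
    """Map each rule that fired to the ids of the events it fired on."""
    hits = defaultdict(list)
    for e in events:
        for tag, pred in RULES.items():
            if pred(e):
                hits[tag].append(e.id)
    return dict(hits)


def flagged_ids(events) -> list:
    """Sorted ids of all events matched by at least one rule."""
    return sorted({i for ids in scan(events).values() for i in ids})


SYS32 = r"C:\Windows\System32"
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"  # assumed path

# Constructed sample telemetry: events 1-7 mirror the listed behaviours, 8-9 are benign.
SAMPLE_EVENTS = [
    Event(1, "process", SYS32 + r"\reg.exe", r"reg save hklm\sam sam.txt", SYS32 + r"\cmd.exe"),
    Event(2, "process", SYS32 + r"\nltest.exe", "nltest /dclist:corp", SYS32 + r"\cmd.exe"),
    Event(3, "process", SYS32 + r"\ipconfig.exe", "ipconfig /all", SYS32 + r"\cmd.exe"),
    Event(4, "process", SYS32 + r"\cmd.exe",
          r'cmd.exe /c bcp "SELECT * FROM sales.dbo.customers" queryout C:\temp\c.csv -T -c', SQLSERVR),
    Event(5, "process", r"C:\Users\Public\encrypter_windows_x64.exe", "encrypter_windows_x64.exe", SYS32 + r"\cmd.exe"),
    Event(6, "dns", query="mega.nz"),
    Event(7, "process", r"C:\ProgramData\AnyDesk\AnyDesk.exe", "AnyDesk.exe --service", SYS32 + r"\services.exe"),
    Event(8, "process", SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs", SYS32 + r"\services.exe"),
    Event(9, "process", SYS32 + r"\reg.exe", r"reg query hklm\software\Microsoft /s", SYS32 + r"\cmd.exe"),
]

if __name__ == "__main__":
    for tag, ids in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{tag:16s} events {ids}")
```

Two design points worth noting. The xp_cmdshell rule does not look for the string "xp_cmdshell" at all, because that text lives inside the SQL session, not in process telemetry; what an endpoint sensor sees is cmd.exe with sqlservr.exe as its parent, and that relationship is rare enough on a database server to alert on directly. The credential-dump rule keys on the reg.exe image plus a "save ... hklm\sam" pattern rather than the exact IOC string, so it still fires when the output file name or hive casing changes, and it also catches the SYSTEM hive save that normally accompanies a SAM dump.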


Full Story: https://www.picussecurity.com/resource/blog/hunters-international-ransomware