A sophisticated ransomware operation known as Hunters International emerged in October 2023, with strong evidence suggesting connections to the previously dismantled Hive ransomware group. Security researchers quickly identified similarities between the new ransomware and Hive's code structure, suggesting that former Hive operators may have rebranded following the law enforcement disruption earlier that year. The first attack was documented on October 13, 2023, when the group disclosed its first victim, an English company, on its data leak site.

Group-IB researchers discovered that the operation provides affiliates with sophisticated tools, including the ransomware itself and a "Storage Software" utility designed to organize exfiltrated data. Their analysis revealed striking technical overlaps with Hive's ransomware, particularly in encryption methods and command-line functionality. The attackers use a multi-stage approach, first exfiltrating sensitive data before deploying encryption payloads, establishing a powerful double extortion mechanism.

Hunters International demonstrates remarkable cross-platform capabilities, targeting Windows, Linux, FreeBSD, SunOS, and ESXi systems across x64, x86, and ARM architectures. For Windows systems, the ransomware is distributed in both executable and DLL formats, with the latter enabling execution through legitimate Windows processes. The ransomware preserves the first 0x41 bytes of each file and checks bytes 0x45-0x58 against a hardcoded value ('A88830F163306FFE4E4C50EE730476D30C3CE4') to determine whether a file has already been encrypted.

The operation has evolved significantly over time. Version 6 (released August 2024) implements a "quiet mode" that no longer renames encrypted files or drops ransom notes, a technique similarly adopted by LockBit 4. This evolution reflects the operators' recognition that traditional indicators of compromise reduce the likelihood of payment once detected by security teams or regulators. Ransomware payments are dropping while extortion-only payments rise, which shows that groups may shift to automated exfiltration-only attacks.
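Because the "quiet mode" leaves file names and extensions untouched, extension-based triage finds nothing; the fixed marker the ransomware writes to skip already-encrypted files is a more useful content-level check. The script below is an added example written for this page, not code from the article, from Group-IB, or from the malware itself. It assumes the offset range 0x45-0x58 is half-open (19 bytes, which matches the length of the hex-decoded marker), and the sample files it scans are constructed inline; nothing here has been validated against a real sample.

```python
import os
import tempfile
from pathlib import Path

# Marker quoted on the page, interpreted as hex.
MARKER_HEX = "A88830F163306FFE4E4C50EE730476D30C3CE4"
MARKER = bytes.fromhex(MARKER_HEX)          # 19 bytes

# ASSUMPTION (not stated on the page): "0x45-0x58" is the half-open range
# [0x45, 0x58), i.e. 19 bytes, exactly the length of the decoded marker.
MARKER_OFFSET = 0x45
MARKER_END = MARKER_OFFSET + len(MARKER)    # 0x58
PRESERVED_PREFIX = 0x41                     # bytes the ransomware leaves intact

assert MARKER_END == 0x58


def has_encryption_marker(data: bytes) -> bool:
    """Return True if the blob carries the marker at the reported offset.

    Files shorter than the marker window cannot carry it and are reported
    as clean rather than raising.
    """
    if len(data) < MARKER_END:
        return False
    return data[MARKER_OFFSET:MARKER_END] == MARKER


def scan_tree(root) -> list:
    """Walk a directory and return sorted paths whose header carries the marker.

    Only the first MARKER_END bytes of each file are read, so the scan is
    cheap even across large volumes; unreadable files are skipped.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(MARKER_END)
        except OSError:
            continue
        if has_encryption_marker(head):
            hits.append(str(path))
    return sorted(hits)


def make_sample_encrypted(prefix: bytes = b"%PDF-1.7 constructed sample header") -> bytes:
    """Build a CONSTRUCTED blob with the layout the page describes.

    Layout: 0x41 preserved original bytes, then 4 bytes the page does not
    describe (zero-filled here as an assumption), then the 19-byte marker,
    then arbitrary ciphertext-like bytes.
    """
    preserved = prefix.ljust(PRESERVED_PREFIX, b"\x00")[:PRESERVED_PREFIX]
    filler = b"\x00" * (MARKER_OFFSET - PRESERVED_PREFIX)
    body = bytes(range(256)) * 2
    return preserved + filler + MARKER + body


def demo() -> dict:
    """Write one constructed 'encrypted' file, one clean file and one tiny
    file into a temp directory, scan it and report which files hit."""
    with tempfile.TemporaryDirectory() as tmp:
        enc = Path(tmp) / "report.pdf"
        clean = Path(tmp) / "notes.txt"
        short = Path(tmp) / "tiny.bin"
        enc.write_bytes(make_sample_encrypted())
        clean.write_bytes(b"plain text, never encrypted\n" * 10)
        short.write_bytes(b"A" * 16)
        hits = scan_tree(tmp)
        return {"hits": [os.path.basename(h) for h in hits], "scanned": 3}


if __name__ == "__main__":
    print(demo())
```

A hit on a 19-byte marker at a fixed offset is a strong triage signal but not proof on its own; confirm against a known sample before acting on it, and treat the offset interpretation above as something to verify against the actual binary rather than a fact the article establishes.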
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 15:35:21 +0000