The risk actors behind a brand new ransomware group known as Hunters Worldwide have acquired the supply code and infrastructure from the now-dismantled Hive operation to kick-start its personal efforts within the risk panorama.
“It seems that the management of the Hive group made the strategic choice to stop their operations and switch their remaining property to a different group, Hunters Worldwide,” Martin Zugec, technical options director at Bitdefender, mentioned in a report revealed final week.
Hive, as soon as a prolific ransomware-as-a-service (RaaS) operation, was taken down as a part of a coordinated regulation enforcement operation in January 2023.
Whereas it is common for ransomware actors to regroup, rebrand, or disband their actions following such seizures, what also can occur is that the core builders can cross on the supply code and different infrastructure of their possession to a different risk actor.
Studies about Hunters Worldwide as a doable Hive rebrand surfaced final month after a number of code similarities have been recognized between the 2 strains. It has since claimed 5 victims thus far.
The risk actors behind it, nevertheless, have sought to dispel these speculations, stating that it bought the Hive supply code and web site from its builders.
“The group seems to position a higher emphasis on information exfiltration,” Zugec mentioned. “Notably, all reported victims had information exfiltrated, however not all of them had their information encrypted,” making Hunters Worldwide extra of an information extortion group.
Bitdefender’s evaluation of the ransomware pattern reveals its Rust-based foundations, a reality borne out by Hive’s transition to the programming language in July 2022 for its elevated resistance to reverse engineering.
“Normally, as the brand new group adopts this ransomware code, it seems that they’ve aimed for simplification,” Zugec mentioned.
“They’ve lowered the variety of command line parameters, streamlined the encryption key storage course of, and made the malware much less verbose in comparison with earlier variations.”
The ransomware, apart from incorporating an exclusion record of file extensions, file names, and directories to be omitted from encryption, runs instructions to forestall information restoration in addition to terminate quite a few processes that would probably intervene with the method.
“Whereas Hive has been one of the harmful ransomware teams, it stays to be seen if Hunters Worldwide will show equally or much more formidable,” Zugec famous.
“This group emerges as a brand new risk actor beginning with a mature toolkit and seems keen to indicate its capabilities, [but] faces the duty of demonstrating its competence earlier than it may possibly appeal to high-caliber associates.”
