The menace actors behind a brand new ransomware group known as Hunters Worldwide have acquired the supply code and infrastructure from the now-dismantled Hive operation to kick-start its personal efforts within the menace panorama.
“It seems that the management of the Hive group made the strategic resolution to stop their operations and switch their remaining belongings to a different group, Hunters Worldwide,” Martin Zugec, technical options director at Bitdefender, said in a report printed final week.
Hive, as soon as a prolific ransomware-as-a-service (RaaS) operation, was taken down as a part of a coordinated legislation enforcement operation in January 2023.
Whereas it is common for ransomware actors to regroup, rebrand, or disband their actions following such seizures, what may also occur is that the core builders can cross on the supply code and different infrastructure of their possession to a different menace actor.
Reviews about Hunters Worldwide as a doable Hive rebrand surfaced final month after a number of code similarities have been recognized between the 2 strains. It has since claimed 5 victims thus far.
The menace actors behind it, nevertheless, have sought to dispel these speculations, stating that it bought the Hive supply code and web site from its builders.
“The group seems to position a larger emphasis on knowledge exfiltration,” Zugec stated. “Notably, all reported victims had knowledge exfiltrated, however not all of them had their knowledge encrypted,” making Hunters Worldwide extra of an information extortion group.
Bitdefender’s evaluation of the ransomware pattern reveals its Rust-based foundations, a reality borne out by Hive’s transition to the programming language in July 2022 for its elevated resistance to reverse engineering.
“Generally, as the brand new group adopts this ransomware code, it seems that they’ve aimed for simplification,” Zugec stated.
“They’ve decreased the variety of command line parameters, streamlined the encryption key storage course of, and made the malware much less verbose in comparison with earlier variations.”
The ransomware, in addition to incorporating an exclusion checklist of file extensions, file names, and directories to be omitted from encryption, runs instructions to stop knowledge restoration in addition to terminate a lot of processes that might probably intervene with the method.
“Whereas Hive has been one of the harmful ransomware teams, it stays to be seen if Hunters Worldwide will show equally or much more formidable,” Zugec famous.
“This group emerges as a brand new menace actor beginning with a mature toolkit and seems keen to indicate its capabilities, [but] faces the duty of demonstrating its competence earlier than it might appeal to high-caliber associates.”