The menace actors behind a brand new ransomware group referred to as Hunters Worldwide have acquired the supply code and infrastructure from the now-dismantled Hive operation to kick-start its personal efforts within the menace panorama.
“It seems that the management of the Hive group made the strategic choice to stop their operations and switch their remaining property to a different group, Hunters Worldwide,” Martin Zugec, technical options director at Bitdefender, stated in a report printed final week.
Hive, as soon as a prolific ransomware-as-a-service (RaaS) operation, was taken down as a part of a coordinated regulation enforcement operation in January 2023.
Whereas it is common for ransomware actors to regroup, rebrand, or disband their actions following such seizures, what also can occur is that the core builders can cross on the supply code and different infrastructure of their possession to a different menace actor.
Experiences about Hunters Worldwide as a potential Hive rebrand surfaced final month after a number of code similarities have been recognized between the 2 strains. It has since claimed 5 victims up to now.
The menace actors behind it, nevertheless, have sought to dispel these speculations, stating that it bought the Hive supply code and web site from its builders.
“The group seems to put a higher emphasis on knowledge exfiltration,” Zugec stated. “Notably, all reported victims had knowledge exfiltrated, however not all of them had their knowledge encrypted,” making Hunters Worldwide extra of a knowledge extortion group.
Bitdefender’s evaluation of the ransomware pattern reveals its Rust-based foundations, a reality borne out by Hive’s transition to the programming language in July 2022 for its elevated resistance to reverse engineering.
“On the whole, as the brand new group adopts this ransomware code, it seems that they’ve aimed for simplification,” Zugec stated.
“They’ve decreased the variety of command line parameters, streamlined the encryption key storage course of, and made the malware much less verbose in comparison with earlier variations.”
The ransomware, apart from incorporating an exclusion checklist of file extensions, file names, and directories to be omitted from encryption, runs instructions to stop knowledge restoration in addition to terminate a variety of processes that would doubtlessly intervene with the method.
“Whereas Hive has been one of the harmful ransomware teams, it stays to be seen if Hunters Worldwide will show equally or much more formidable,” Zugec famous.
“This group emerges as a brand new menace actor beginning with a mature toolkit and seems keen to point out its capabilities, [but] faces the duty of demonstrating its competence earlier than it may possibly entice high-caliber associates.”