Hunters International

Malware

⚠️ Overview

Hunters International is a ransomware family first observed in July 2023 by threat intelligence firms including Trend Micro and the NCC Group. It is operated by a financially motivated cybercriminal group that shares code similarities with the defunct Hive ransomware, suggesting either a rebrand or a code fork. The malware is categorized as Ransomware-as-a-Service (RaaS) with data-theft extortion capabilities, and its operators maintain a leak site on the Tor network where stolen data is published if ransoms are not paid.

🔧 Technical Capabilities

The ransomware is primarily written in the Rust programming language, which gives it cross-platform portability and makes reverse engineering harder. Hunters International gains initial access via compromised RDP sessions, VPN vulnerabilities, and phishing emails carrying malicious attachments or links. Its attack chain relies on living-off-the-land binaries (LOLBins) such as PowerShell, together with Cobalt Strike beacons, for lateral movement and privilege escalation. Persistence is achieved via scheduled tasks and registry run keys. The ransomware encrypts files with AES-256 and protects the file keys with RSA-4096, appending the extension .locked to encrypted files. Evasion techniques include disabling Windows Defender, deleting volume shadow copies, and using process hollowing to avoid detection. The command-and-control (C2) infrastructure relies on HTTPS-encrypted communications and a domain generation algorithm (DGA) for resilience.

📜 History & Notable Incidents

First publicly reported in July 2023, Hunters International rapidly targeted healthcare, education, and manufacturing sectors in North America and Europe. Notable victims include a U.S. healthcare provider that experienced a data breach affecting over 1.5 million patients, as reported by HIPAA Journal. In October 2023, the group exploited a zero-day vulnerability in a major VPN appliance (CVE-2023-46805, later attributed to Ivanti) to gain initial access. No confirmed law enforcement takedowns have occurred as of early 2025, though the group’s leak site was intermittently offline in late 2024.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6... (specific hashes vary per campaign; refer to CISA’s known IOC repository). Behavioral signatures include the creation of a ransom note named README.hta in each encrypted directory and network traffic to IP addresses associated with bulletproof hosting providers. Persistence is established through registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Mutex names such as Global\HuntersInternationalMutex have been observed in sandbox analysis. User-Agent strings used during C2 communication mimic legitimate browser traffic, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
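The host-based indicators above (README.hta drops, the .locked extension, the HKCU Run key, and the mutex) can be turned into a simple correlation rule over endpoint telemetry. The following is an added example, not code from the profile's publishers or any vendor: the event schema, the per-process mass-encryption threshold, and the sample events are all constructed for illustration.

```python
"""Correlate Hunters International host indicators across synthetic EDR events."""
import re
from collections import Counter

# Indicator patterns taken from the profile above; paths use Windows separators.
INDICATORS = {
    "ransom_note": re.compile(r"(^|[\\/])README\.hta$", re.IGNORECASE),
    "locked_ext": re.compile(r"\.locked$", re.IGNORECASE),
    "run_key": re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                          re.IGNORECASE),
    "mutex": re.compile(r"^Global\\HuntersInternationalMutex$"),
}
MASS_ENCRYPT_THRESHOLD = 20  # assumed: .locked creates from one process before alerting

def classify(event):
    """Return the indicator name a single event matches, or None."""
    kind = event.get("type")
    if kind == "file_create":
        if INDICATORS["ransom_note"].search(event["path"]):
            return "ransom_note"
        if INDICATORS["locked_ext"].search(event["path"]):
            return "locked_ext"
    elif kind == "registry_set" and INDICATORS["run_key"].search(event["key"]):
        return "run_key"
    elif kind == "mutex_create" and INDICATORS["mutex"].search(event["name"]):
        return "mutex"
    return None

def analyze(events):
    """Group indicator hits per process id; flag mass .locked creation separately."""
    hits, locked_counts = {}, Counter()
    for ev in events:
        name = classify(ev)
        if name is None:
            continue
        hits.setdefault(ev["pid"], set()).add(name)
        if name == "locked_ext":
            locked_counts[ev["pid"]] += 1
    for pid, n in locked_counts.items():
        if n >= MASS_ENCRYPT_THRESHOLD:
            hits[pid].add("mass_encryption")
    return hits

# Constructed sample telemetry: one process showing the full indicator set, one benign.
SAMPLE_EVENTS = (
    [{"type": "file_create", "pid": 4242,
      "path": fr"C:\Users\alice\Documents\report{i}.docx.locked"} for i in range(25)]
    + [{"type": "file_create", "pid": 4242, "path": r"C:\Users\alice\Documents\README.hta"},
       {"type": "mutex_create", "pid": 4242, "name": r"Global\HuntersInternationalMutex"},
       {"type": "registry_set", "pid": 4242,
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
       {"type": "file_create", "pid": 1001, "path": r"C:\Users\alice\notes.txt"}]
)

if __name__ == "__main__":
    for pid, names in analyze(SAMPLE_EVENTS).items():
        print(pid, sorted(names))
```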

☠️ Risk & Impact

Hunters International practices double extortion: data exfiltration followed by encryption. Stolen data is published on a dedicated leak site, which can trigger regulatory fines under GDPR and HIPAA. Financial losses for affected businesses range from hundreds of thousands to millions of dollars, with recovery costs including ransom payments, forensic investigation, and downtime. The healthcare sector has been disproportionately impacted, with patient care disruptions reported during multiple incidents.

🛡️ Mitigation

Organizations should implement multi-factor authentication (MFA) for remote access, patch VPN and RDP vulnerabilities promptly (their exploitation maps to MITRE ATT&CK technique T1190, Exploit Public-Facing Application), and deploy endpoint detection and response (EDR) solutions with behavior-based detection rules for Rust binary execution. Regular offline backups and network segmentation reduce the blast radius. The associated MITRE ATT&CK technique IDs include T1486 (Data Encrypted for Impact) and T1070.001 (Indicator Removal on Host).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.