Ransomware Resurrection: Hive Strikes Back as Hunters International in a Dramatic Data Theft Twist

Like a soap opera villain, Hive ransomware appears to have made a dramatic comeback under a new identity – Hunters International. This rebranding isn’t just a name change; it comes with a strategic shift from encrypting victims’ endpoints to stealing their data. With more than 60% of the new encryptor’s code overlapping Hive’s, the resemblance is hard to deny. Let the plot thicken!

Hot Take:

Well, well, well, look who’s back! It’s like a classic soap opera twist – Hive, the bad boy of ransomware, might have just returned under a new name. And much like any soap opera villain, he’s not here to play nice. Instead, he’s taken on a new identity as Hunters International, and he’s got a focus on data theft. So, just when you thought you had seen the last of Hive, he pulls a classic ‘it’s not what it looks like’ and makes a sneaky return. Let the drama ensue!

Key Points:

  • Hunters International, a new ransomware player, has a strikingly similar encryptor to Hive, suggesting that the notorious Hive may have rebranded.
  • The new group focuses more on data theft than encryption and has already compromised a UK school.
  • Hunters International denies being a rebrand, claiming it bought not just the encryptor source code but also the website and the old Golang and C versions, and that it fixed several bugs that came with Hive’s encryptor.
  • Hive’s operations were terminated by law enforcement earlier this year, with its Tor payment and data leak site confiscated.
  • The FBI infiltrated Hive’s network of some 250 affiliates, gathering intelligence and mapping the group out, and eventually handed decryption keys to more than 1,300 victims.

Need to know more?

Ransomware Reincarnation

Remember Hive, the infamous ransomware operator? It seems to have pulled a software resurrection stunt and may now be operating under a new guise, Hunters International. But unlike your usual rebranding, this isn't about a new logo or a fresher website. It's a shift in focus from encrypting victims' endpoints to stealing their data, which means good backups alone no longer neutralise the extortion. Such a pivot!

The Plot Thickens

The plot thickens when you realise that Hunters International's encryptor is eerily similar to Hive's. In fact, more than 60% of its code overlaps with the Hive ransomware encryptor. Some eagle-eyed researchers even managed to pinpoint the exact Hive release the new encryptor was built from: version 6.
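To make a figure like "60% code overlap" concrete, here is an added illustration of how such a number is typically produced: each function body of a binary is turned into a set of overlapping byte n-grams, a function in the new sample counts as "shared" if some function in the reference has a Jaccard score above a threshold, and the overlap is the share of the sample's functions that match. Comparing the sample against several reference builds is what lets you say "version 6" rather than just "Hive". This is example code written for this page, not the researchers' tooling; the function names (`init`, `encrypt_file`, `net_v6a`, `exfil_a` and so on) and the byte bodies are constructed with a hash and bear no relation to real Hive code, and the threshold and n-gram size are assumptions. One caveat the page itself raises: matching on compiled code cannot distinguish a rebrand from a group that genuinely bought the source, since both produce the same signal.

```python
"""Function-level code overlap between a new ransomware sample and reference builds.

Constructed example for illustration: bodies are fake 64-byte blobs, not real
Hive or Hunters International code. Shingle size and threshold are assumptions.
"""
import hashlib
from typing import Dict, List, Set, Tuple

SHINGLE_LEN = 4          # byte n-gram size (assumption)
MATCH_THRESHOLD = 0.8    # Jaccard score at which two bodies count as the same code (assumption)


def shingles(body: bytes, n: int = SHINGLE_LEN) -> Set[bytes]:
    """Split a function body into its overlapping n-byte windows."""
    if len(body) <= n:
        return {body}
    return {body[i:i + n] for i in range(len(body) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Set similarity: |A & B| / |A | B|, with empty sets counted as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def best_match(body: bytes, reference: Dict[str, bytes]) -> Tuple[str, float]:
    """Return the reference function most similar to body, with its score."""
    target = shingles(body)
    best_name, best_score = "", 0.0
    for name, ref_body in reference.items():
        score = jaccard(target, shingles(ref_body))
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def code_overlap(sample: Dict[str, bytes], reference: Dict[str, bytes],
                 threshold: float = MATCH_THRESHOLD) -> Dict[str, object]:
    """Fraction of the sample's functions that have a near-identical body in reference.

    A small patch (a fixed bug) only disturbs the windows covering the changed
    bytes, so a lightly modified function still scores above the threshold.
    """
    shared: List[Tuple[str, str, float]] = []
    unique: List[str] = []
    for name, body in sample.items():
        ref_name, score = best_match(body, reference)
        if score >= threshold:
            shared.append((name, ref_name, round(score, 3)))
        else:
            unique.append(name)
    return {"shared": shared, "unique": unique,
            "ratio": len(shared) / len(sample) if sample else 0.0}


def closest_version(sample: Dict[str, bytes],
                    versions: Dict[str, Dict[str, bytes]]) -> Tuple[str, float]:
    """Pick the reference build the sample overlaps most with."""
    scored = {v: code_overlap(sample, fns)["ratio"] for v, fns in versions.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]


# --- constructed samples (fake bodies, deterministic so the numbers are reproducible) ---
def fake_body(seed: str) -> bytes:
    """64 pseudo-random bytes standing in for a compiled function (constructed)."""
    return hashlib.sha512(seed.encode()).digest()


def patched(body: bytes, offset: int) -> bytes:
    """Simulate a one-byte bug fix; only the windows covering the byte change."""
    out = bytearray(body)
    out[offset] ^= 0xFF
    return bytes(out)


COMMON = ["init", "enum_files", "encrypt_file", "gen_key", "drop_note"]
HIVE_V5 = {n: fake_body(n) for n in COMMON + ["net_v5a", "net_v5b", "cli_v5"]}
HIVE_V6 = {n: fake_body(n) for n in COMMON + ["net_v6a", "net_v6b", "cli_v6"]}
# The new sample keeps the common code and v6's networking, fixes one bug, and adds exfil code.
HUNTERS = {n: fake_body(n) for n in COMMON + ["net_v6b"]}
HUNTERS["net_v6a_fixed"] = patched(fake_body("net_v6a"), 20)
HUNTERS.update({n: fake_body(n) for n in ["exfil_a", "exfil_b", "exfil_c"]})


if __name__ == "__main__":
    result = code_overlap(HUNTERS, HIVE_V6)
    print(f"overlap with Hive v6: {result['ratio']:.0%}")
    for name, ref, score in result["shared"]:
        print(f"  {name:15} ~ {ref:15} (jaccard {score})")
    print("no match in Hive v6:", result["unique"])
    print("closest reference build:",
          closest_version(HUNTERS, {"hive_v5": HIVE_V5, "hive_v6": HIVE_V6}))
```

With these constructed inputs the sample overlaps Hive v6 at 70% and Hive v5 at only 50%, so the v6 build is reported as the closest reference; the patched function still matches because a single changed byte only perturbs four of its 61 windows. On real binaries the same idea is applied to disassembled, normalised instructions rather than raw bytes, so that compiler-chosen addresses and immediates do not break matches.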

Denial, Denial, Denial!

But Hunters International is playing the innocent card, claiming it bought the encryptor source code, the website, and the old Golang and C versions from Hive rather than being Hive. It even put a cherry on top by claiming to have fixed a few bugs that shipped with Hive’s encryptor. Talk about a good Samaritan!

Law Enforcement vs Ransomware

Just when we thought Hive was history, its possible resurrection brings back memories of its notorious past. Earlier this year (January 2023), law enforcement seized Hive's Tor payment and data leak sites, terminating its operations. The FBI had quietly infiltrated Hive's network of some 250 affiliates, keeping a low profile for about six months while gathering intelligence and mapping the group out. The result: decryption keys handed to more than 1,300 victims, sparing them the ransom.

So, while Hunters International might be the new kid on the block, it appears to have taken a lesson from Hive's downfall. Most ransomware groups these days steer clear of critical infrastructure operators, state organisations and healthcare institutions, precisely to avoid the kind of law-enforcement attention that ended Hive. Well, at least they're learning something, right?

Tags: data theft, Encryption Source Code, FBI Infiltration, Hive, Hunters International, Law Enforcement, Ransomware Operators