In a landmark operation in early 2023, the FBI, along with German and Dutch authorities, dismantled Hive, a prolific ransomware group. This collective had extorted over $100 million since June 2021, targeting a wide range of sectors. The FBI’s operation infiltrated Hive’s network over seven months, obtaining decryption keys for over 300 recent victims and an additional 1,000 keys for previous victims. This effort saved around $130 million in potential ransom payments. However, no arrests were made, and the dismantling of Hive’s infrastructure left a void in the ransomware landscape. Hunters International, another ransomware group, appeared soon after Hive’s fall and was initially suspected of being a rebranded version of Hive; investigations, however, revealed otherwise.
How is Hunters International Different From Hive?
While Hunters International has a 60% code overlap with Hive, the ransomware group has made key changes to the traditional Hive MO. To begin with, Hunters International has simplified Hive’s encryption method. They embed the encryption key within the encrypted files, using a ChaCha20-Poly1305 and RSA OAEP combination, unlike Hive’s more complex key generation and storage process. The group streamlined Hive’s extensive command-line arguments, indicating an effort to simplify operations. This change could enhance the malware’s usability for attackers. A significant aspect of their operation involves aggressive attacks on backup and recovery systems, notably targeting the Shadow Copy service, to undermine data recovery efforts. This new group, equipped with Hive’s advanced toolkit and an opportunistic approach, poses a significant challenge. Their focus on data exfiltration represents a shift in ransomware tactics, prioritizing data theft over mere encryption.
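The attacks on the Shadow Copy service described above leave a footprint in process-creation telemetry, which defenders can watch for. The following is an added example, not code from the original post or from any vendor: a small Python detector run over constructed log records of the form ts|host|user|parent|cmdline (the field layout and the sample events are assumptions, not real telemetry).

```python
import re
from dataclasses import dataclass

# Command patterns that destroy Volume Shadow Copies or disable Windows
# recovery. Legitimate administration rarely runs these on endpoints, so
# each match is worth triaging rather than suppressing.
SHADOW_COPY_TAMPER = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_powershell", re.compile(r"win32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
    ("bcdedit_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str

def parse_event(line: str):
    """Split one constructed record of the form ts|host|user|parent|cmdline."""
    parts = line.rstrip("\n").split("|", 4)
    return parts if len(parts) == 5 else None

def detect_shadow_copy_tampering(lines):
    """Return one Alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, user, _parent, cmd = ev
        for rule, pattern in SHADOW_COPY_TAMPER:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, rule, cmd))
                break  # one alert per event is enough for triage
    return alerts

# Constructed sample events (not real telemetry): the benign "list" call and
# the ordinary Explorer launch must produce no alert.
SAMPLE_LOG = [
    "2024-01-08T02:14:07Z|WS-FIN-12|corp\\jdoe|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-01-08T02:14:09Z|WS-FIN-12|corp\\jdoe|cmd.exe|wmic.exe shadowcopy delete",
    "2024-01-08T02:14:11Z|WS-FIN-12|corp\\jdoe|cmd.exe|bcdedit.exe /set {default} recoveryenabled no",
    "2024-01-08T09:30:00Z|SRV-BKP-01|corp\\backupsvc|services.exe|vssadmin.exe list shadows",
    "2024-01-08T09:31:00Z|WS-FIN-12|corp\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
]
```

Running `detect_shadow_copy_tampering(SAMPLE_LOG)` yields three alerts, all from the same host within seconds, which is the burst pattern a response playbook should escalate.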
Versatility of Ransomware Groups in Utilizing Others’ Source Code
One of the most striking aspects of modern ransomware operations, as demonstrated by the situation with Hive and Hunters International, is the versatility and adaptability of ransomware groups, particularly in their use of other groups’ source code. By acquiring Hive’s source code and infrastructure, Hunters International demonstrated how ransomware groups can rapidly evolve and sustain their operations, even after major law enforcement disruptions. Below are some key points on ransomware code sharing and adaptation, and how it allows ransomware groups to evolve and rapidly become more powerful.
- Resource Acquisition and Adaptation: Ransomware groups often acquire resources from dismantled groups, not just for convenience, but also to capitalize on the established reputation and proven effectiveness of existing tools. This approach allows them to hit the ground running with a mature and tested toolkit.
- Strategic Evolution: The use of another group’s source code isn’t merely a copy-paste endeavor. Groups like Hunters International strategically evolve and adapt the code to suit their specific operational goals and tactics, as seen in their shift from data encryption to data exfiltration.
- Rapid Deployment and Learning Curve: Leveraging existing ransomware code reduces the development time and technical learning curve. This enables new or rebranded groups to deploy sophisticated attacks much faster than if they were developing their tools from scratch.
- Collaborative and Competitive Nature: The ransomware ecosystem operates both collaboratively and competitively. While groups may share, sell, or acquire code, they also compete for targets and reputation within the dark web community. This dynamic fosters continuous innovation and adaptation among these groups.
- Challenge for Cybersecurity: This trend poses a significant challenge for cybersecurity professionals and organizations. The ability of ransomware groups to quickly adapt and evolve using existing resources means that defense strategies must be equally agile and proactive, focusing on both prevention and rapid response to emerging threats.
Mitigating Ransomware Risks
- Advanced Security Measures: Organizations should adopt comprehensive ransomware mitigation solutions, extending beyond conventional backup strategies.
- Network Segmentation and Regular Audits: Segmentation can limit internal movement post-breach, while routine security audits help identify and fix vulnerabilities.
- Access Control and Employee Training: Regular access reviews and employee awareness programs are crucial to prevent unauthorized data access and recognize phishing attempts.
In conclusion, the use of other groups’ source code by ransomware entities like Hunters International underscores the need for continuous vigilance and adaptation in cybersecurity strategies. The popularity of ransomware drives constant innovation, and groups like Hunters International, which build on existing ransomware tooling and strategy rather than starting from scratch, require network defenders who adapt just as continuously.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –