Introduction

In the second half of 2023, a ransomware group known as “Hunters International” gained widespread attention. Not only did the group rise rapidly to become one of the top ten most active ransomware groups in a short period of time, but by September 2024, it also claimed to have breached the London branch of a certain bank, stealing over 5.2 million files.

This report aims to provide a comprehensive analysis of Hunters International by examining its organizational structure, attack activities, tactics and techniques used, and its connections with other ransomware groups. By uncovering the truth behind the group, we hope to raise awareness and encourage organizations to enhance their vigilance and strengthen their defenses.

Characteristics of victim distribution:

Technical Analysis

Team Structure

Leadership

Analysis of leaked chat logs and hacker forum posts suggests that Hunters International is led by Mikhail Matveev, a well-known hacker who operates under the alias “Wazawaka” (the name used for him in the rest of this report). Matveev is proficient in multiple programming languages and is a seasoned figure in the ransomware field.

The U.S. Department of Justice indicted Matveev in May 2023 for his role in deploying ransomware including Hive, LockBit and Babuk. Although Matveev denies playing a central role, leaked information indicates that he was, in fact, a key player behind the scenes.

There are indications that Matveev may be connected to established cybercrime organizations such as Evil Corp, and that these networks supply him with resources and a degree of protection.

Technical Core

Under Matveev’s leadership, Hunters International has recruited a team of technical experts, including experienced veteran hackers. Analysis shows that at least six members are responsible for carrying out penetration attacks:

These core members each specialize in a different area and operate as a tightly coordinated attack team. Notably, they follow a “flat management” principle: members are treated as equals and revenue is distributed according to contribution, which keeps members motivated and speeds up tool development.

Attack Incidents

Government Attack

In April 2022, before Hunters International existed, the Conti ransomware group claimed to have launched a devastating cyberattack on a certain government, crippling multiple departments for months. Sources indicated that Wazawaka was involved in planning the attack.

Bank’s London Branch

In September 2024, Hunters International claimed to have breached the systems of a bank’s London branch, stealing over 5.2 million files totaling 6.6 TB of data. They threatened to publish the data if the bank did not pay the ransom by September 13.

This is the group’s largest reported attack to date. The bank is the largest commercial bank in its country and the largest bank in the world by total assets, making this breach a significant blow to its reputation and business.

Notably, none of Hunters International’s known victims are headquartered in CIS countries, a pattern common among Russian-speaking ransomware operations that likely reflects the political environment in which the group operates.

Ransomware Links

Hive

Multiple security companies have pointed out that Hunters International’s ransomware code overlaps heavily with Hive’s, leading to suspicions that it is a reincarnation of Hive. Hive was one of the most prolific ransomware groups until its infrastructure was seized by law enforcement in January 2023.

Wazawaka admitted that their ransomware is based on Hive’s source code, which they purchased, and they have since improved it by fixing bugs in the encryption process that could prevent files from being recovered.

Hunters International’s extortion tactics are nearly identical to Hive’s: they first steal data and then encrypt files, the classic double-extortion model. Attacks often begin with compromised RDP access or spear phishing, followed by lateral movement and privilege escalation using Cobalt Strike.

Darkside/BlackMatter/AlphaV

Wazawaka has claimed on forums that he once collaborated with the operators of the infamous Darkside ransomware. Darkside gained notoriety for its 2021 attack on the U.S. Colonial Pipeline.

After Darkside disbanded, its members formed BlackMatter. Interestingly, Wazawaka’s group, Groove, provided server resources to BlackMatter, suggesting a business relationship between the two.

When BlackMatter dissolved, some of its members went on to form AlphaV (also known as ALPHV/BlackCat), which continued Darkside’s focus on targeting critical infrastructure, such as military facilities in Eastern Europe before the Russo-Ukrainian War.

Tactics, Techniques, and Procedures (TTPs)

Resource Development

Hunters International places great emphasis on talent recruitment and technical accumulation, absorbing key members from other ransomware groups and building an internal knowledge base. Leaked chat logs reveal that the team includes at least six penetration testing experts.

Reconnaissance

The group collects various forms of publicly available information about targets, such as IP addresses and domain names. They sometimes purchase access credentials or internal data on the dark web to better understand internal network topologies.

Initial Access

Common initial access methods used by Hunters International include:

Execution

Once inside the internal network, they typically use Cobalt Strike to execute shellcode, download additional malware, and establish persistence through built-in operating system mechanisms.

Command and Control (C2)

Their C2 communication methods include HTTP(S) and DNS tunneling. They rotate C2 domains frequently, route traffic through cloud services, and wrap C2 messages in multiple layers of encryption; in observed cases the beacons talk to C2 servers over HTTPS fronted by Cloudflare Workers, so the traffic blends in with ordinary Cloudflare-hosted web services.
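The DNS-tunneling channel mentioned above is the one a defender can still see even when the HTTPS leg is hidden behind Cloudflare. The following is an added example (not code from the report or from the group) of a simple heuristic detector run over constructed DNS query logs: it flags subdomain labels that are long and high-entropy, the signature of data encoded into query names, and alerts when one client repeats such queries against the same base domain. The log format, the reserved example domains, the hex labels and the thresholds are all assumptions for this example; the “base domain = last two labels” rule is a simplification that a production detector would replace with the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name); not taken from the report.
# example.com/.net/.org are reserved names; the long hex labels on the 10.0.0.7 queries
# stand in for data smuggled out in subdomains.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c2e1b7d04e6a9f1c.tunnel.example.net
10.0.0.7 8e1d4c7b2a90f3e5d6c1.tunnel.example.net
10.0.0.7 c0ffee1234deadbeef99.tunnel.example.net
10.0.0.7 1a2b3c4d5e6f70819aab.tunnel.example.net
10.0.0.7 ffee00112233445566aa.tunnel.example.net
10.0.0.9 cdn.example.org
"""

# Thresholds are assumptions for this example; tune them against your own traffic baseline.
MIN_LABEL_LEN = 16   # legitimate host labels are rarely this long
MIN_ENTROPY = 3.0    # bits per character; hex/base32/base64 payloads score high
MIN_FLAGGED = 3      # suspicious queries per (client, base domain) before alerting


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    """Yield (client, qname) pairs; names are lower-cased with any trailing dot removed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, qname = parts
        yield client, qname.rstrip(".").lower()


def base_domain(qname: str) -> str:
    """Last two labels of the name (simplification; real code would use the Public Suffix List)."""
    return ".".join(qname.split(".")[-2:])


def is_suspicious_label(label: str) -> bool:
    """A label that is both long and high-entropy looks like encoded data, not a hostname."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def is_suspicious_name(qname: str) -> bool:
    """True when any label below the base domain looks like encoded data."""
    return any(is_suspicious_label(label) for label in qname.split(".")[:-2])


def detect_tunneling(log_text: str, min_flagged: int = MIN_FLAGGED) -> dict:
    """Count suspicious queries per (client, base domain); return the groups over threshold."""
    hits = defaultdict(int)
    for client, qname in parse_dns_log(log_text):
        if is_suspicious_name(qname):
            hits[(client, base_domain(qname))] += 1
    return {key: n for key, n in hits.items() if n >= min_flagged}


if __name__ == "__main__":
    for (client, domain), n in detect_tunneling(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnelling: {client} -> *.{domain} ({n} suspicious queries)")
```

Entropy alone produces false positives (CDN hashes, anti-spam lookups, certificate transparency names), which is why the example only alerts on repeated hits from one client to one base domain; in practice you would also whitelist known services and look at query volume and record types (TXT and NULL are favourites for tunnels). Nothing here helps with the HTTPS-over-Cloudflare-Workers channel, which looks like ordinary web traffic on the wire and is better caught on the endpoint.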

Privilege Escalation

The group is highly familiar with Windows domain environments and their permission structures. They harvest credentials for domain administrators and service accounts with tools such as Mimikatz (which reads them from LSASS process memory) and LaZagne (which recovers them from browsers and other local credential stores). They also exploit privilege escalation vulnerabilities in operating systems and software to obtain SYSTEM-level permissions.

Impact

Before deploying ransomware, they typically destroy backups to prevent recovery and erase logs with anti-forensics tools, so that the victim can neither restore data nor reconstruct the intrusion.
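The credential-harvesting step described under Privilege Escalation and the backup destruction and log wiping described above leave characteristic traces in endpoint telemetry. The following is an added example (not the report’s or the group’s code) of detection logic run over constructed Sysmon-style events: it flags non-allowlisted processes opening LSASS with read access (how Mimikatz-style tools harvest credentials), command lines that delete volume shadow copies or disable recovery, and command lines that clear Windows event logs. The event shapes, file paths, the specific command-line patterns and the LSASS allowlist are assumptions for this example; the report does not name the exact commands the group uses.

```python
import re

# Constructed events in a Sysmon-like shape (field names follow Sysmon Event ID 1 ProcessCreate
# and Event ID 10 ProcessAccess); the paths, process names and record numbers are made up.
SAMPLE_EVENTS = [
    {"record": 1, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"record": 2, "EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"record": 3, "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"record": 4, "EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"record": 5, "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"record": 6, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\"},
]

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Processes that legitimately open LSASS on a typical host. Assumption for this example:
# a production allowlist must come from your own baseline, not from this list.
LSASS_BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}

# Command-line patterns for backup destruction; assumed here as common examples.
BACKUP_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
]

# Command-line patterns for clearing Windows event logs; assumed here as common examples.
LOG_CLEARING = [
    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"\bClear-EventLog\b", re.I),
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_any(patterns, text: str) -> bool:
    return any(p.search(text) for p in patterns)


def is_lsass_credential_access(ev: dict) -> bool:
    """Event ID 10 where a non-allowlisted process opens lsass.exe with memory-read access."""
    if ev.get("EventID") != 10 or image_name(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ) and \
        image_name(ev.get("SourceImage", "")) not in LSASS_BENIGN_SOURCES


def detect_ransomware_precursors(events) -> list:
    """Return (rule, record) pairs, in event order, for each rule that fires."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if is_lsass_credential_access(ev):
            hits.append(("lsass_credential_access", ev["record"]))
        if ev.get("EventID") == 1 and matches_any(BACKUP_DESTRUCTION, cmd):
            hits.append(("backup_destruction", ev["record"]))
        if ev.get("EventID") == 1 and matches_any(LOG_CLEARING, cmd):
            hits.append(("log_clearing", ev["record"]))
    return hits


if __name__ == "__main__":
    for rule, record in detect_ransomware_precursors(SAMPLE_EVENTS):
        print(f"{rule}: record {record}")
```

Shadow-copy deletion and log clearing a few minutes apart on the same host are a strong signal that encryption is imminent, which is why these rules are worth paging on rather than ticketing. Since attackers clear the logs they know about, also collect Security event 1102 (“The audit log was cleared”) and System event 104 centrally and forward Sysmon off-host in near real time, so the act of wiping is itself recorded somewhere the attacker cannot reach.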

Their ransomware encrypts files using RSA and ChaCha20-Poly1305. The usual construction with these primitives is hybrid: each file is encrypted with a fresh symmetric key under ChaCha20-Poly1305, an authenticated cipher that rejects any ciphertext whose nonce, key or tag has been mishandled, and that key is wrapped with the operators’ RSA public key, so recovery without the matching private key is not feasible.

In addition to encrypting files, Hunters International steals sensitive data from victims and threatens to publicly release it, putting additional pressure on the victims. The stolen data often includes business secrets and personal information, severely damaging the victims’ reputations.

Toolkit

Their typical toolkit includes:

Operational Security (OPSEC)

Hunters International places significant emphasis on concealing identities and protecting their infrastructure. The following are some key operational security (OPSEC) measures they employ:

  1. Codenames and Privacy Protection: All members use codenames and never disclose their real identities. Even in private conversations, they are extremely cautious to avoid revealing any personal details that could compromise their anonymity. This high level of secrecy effectively prevents their true identities from being exposed.
  2. Domain and Infrastructure Concealment: When registering domains, Hunters International uses fake identity information and frequently changes domain registrars to prevent tracking. Their Command and Control (C2) infrastructure is hosted in countries with strong privacy protections, making it difficult for servers to be traced or seized.
  3. Encrypted Communication and Information Relay: The group uses end-to-end encryption tools like PGP and OTR to secure communications. Sensitive information is never transmitted directly; it is first encrypted and then relayed through multiple intermediaries to further obscure the origins and paths of the communication.
  4. Financial Transactions via Cryptocurrency: Hunters International relies on privacy-focused cryptocurrencies like Monero to handle financial transactions, which are notoriously difficult to trace. The proceeds from their attacks pass through several layers of “mixing” before being converted into traditional currencies, making the money trail very hard to follow.
  5. Obfuscation and Hardening of Code: Their malware and associated code are heavily obfuscated with multiple layers of encryption and packing. Additionally, their Command and Control (C2) communication protocols are intricately designed, significantly complicating reverse engineering and traffic analysis. This slows down law enforcement and security researchers trying to analyze their tools and map their infrastructure.

Thanks to these meticulous OPSEC practices, Hunters International is able to continue its activities under the radar of law enforcement agencies, making it an elusive and formidable threat.

Conclusion

Reflecting on the rapid rise and operations of Hunters International, it’s clear that their emergence as a significant player in the ransomware world is due to several key factors:

  1. Advanced Attack Techniques: They are especially adept at quickly exploiting newly discovered critical vulnerabilities.
  2. Tight Collaboration and Coordination: Each member has a specific skill set and works in harmony with others, ensuring smooth execution of their operations.
  3. Deep Connections in the Cybercriminal Underworld: With strong ties to established hackers, they are skilled at recruiting talent and acquiring valuable resources.

As a new ransomware group, Hunters International has inherited and perfected the “traditions” of earlier ransomware organizations. However, they go beyond just technical prowess; they strategically exploit geopolitical tensions, becoming proxies for certain powers projecting influence in cyberspace. This makes them a unique threat to global cybersecurity, where the challenge extends beyond just technology to include complex geopolitical entanglements.

Addressing such threats requires a multifaceted approach, not just technical countermeasures. Legal and diplomatic measures must be enhanced, increasing international cooperation to combat transnational cybercrime. In addition, efforts must focus on reducing the fertile ground for countries to use cybercriminals as instruments of geopolitical rivalry. Only through legal, diplomatic, and cooperative actions can a secure, open, and peaceful cyberspace be maintained.

digiDations

In response to this threat, the digiDations CyberSecurity Validation Platform has integrated specific attack simulation rules related to Hunters International. You can search for “Hunters International” on the platform to access validation actions related to this threat group. These simulated attacks allow you to validate whether your security defenses can effectively counter this group’s tactics. The digiDations CyberSecurity Validation Platform uses a unique approach to ensure that your validation process is safe and non-disruptive.