Introduction
In the second half of 2023, a ransomware group known as “Hunters International” gained widespread attention. Not only did the group rise rapidly to become one of the ten most active ransomware groups in a short period of time, but in August 2024 it also claimed to have breached the London branch of a certain bank, stealing over 5.2 million files.
This report aims to provide a comprehensive analysis of Hunters International by examining its organizational structure, attack activities, tactics and techniques used, and its connections with other ransomware groups. By uncovering the truth behind the group, we hope to raise awareness and encourage organizations to enhance their vigilance and strengthen their defenses.
Characteristics of victim distribution:
- Victims span across multiple industries globally, covering a wide geographic area.
- Primary targets are in the United States, but attacks also spread to Canada, South America, Europe, Oceania, and several countries in Asia.
- The group targets not only commercial companies but also public sectors such as healthcare and education.
- There is no clear selectivity in their targeting; they cast a wide net and attack opportunistically.
- They prefer vulnerable entities that have limited means to respond through legal channels.
- Notable victims include U.S. military contractors and healthcare institutions, demonstrating the group’s ruthless approach.
Technical Analysis
Team Structure
Leadership
Analysis of leaked chat logs and hacker forum posts suggests that Hunters International is led by a well-known hacker, Mikhail Matveev, who operates under the handle “Wazawaka” (the name used for him in the rest of this report). Matveev is proficient in multiple programming languages and is a seasoned figure in the ransomware field.
The U.S. Department of Justice indicted Matveev in May 2023 for his role in deploying ransomware including Babuk, Hive, and LockBit. Although Matveev denies playing a central role, the leaked information indicates that he was, in fact, a key player behind the scenes.
There are signs that Matveev may be connected to notorious cybercrime organizations such as Evil Corp, and may even enjoy their protection; such networks would give him ample resources and cover.
Technical Core
Under Matveev’s leadership, Hunters International has recruited a team of technical experts, including experienced veteran hackers. Analysis shows that at least six members carry out the intrusion operations:
- “777”: specializes in exploiting public application vulnerabilities.
- “bobr.kurwa”: supply chain attack expert.
- “krbtgt”: skilled in privilege escalation and internal network penetration.
- “shokoladniy_zayac”: ransomware developer.
- “WhyNot”: data theft specialist.
- “dushnila”: proficient with tools like Cobalt Strike for penetration.
These core members excel in their respective areas and form a tightly coordinated attack team. Notably, they follow a “flat management” principle: members are equals, and revenue is distributed according to contribution, which keeps members motivated and speeds up development.
Attack Incidents
Government Attack
In April 2022, the Conti ransomware group claimed to have launched a devastating cyberattack on a certain government, crippling multiple departments for months. This attack predates Hunters International and is included here because sources revealed that Wazawaka was involved in planning it.
Bank’s London Branch
In August 2024, Hunters International claimed to have breached the system of a bank’s London branch, stealing over 5.2 million files totaling 6.6 TB of data. They threatened to release the data publicly if the bank did not pay the ransom by September 13.
This is the group’s largest reported attack to date. The bank is the largest commercial bank in its country and the highest-valued bank in the world, making this breach a significant blow to its reputation and business.
Notably, Hunters International has never attacked organizations headquartered in CIS countries, possibly reflecting the complex geopolitical environment in which they operate.
Ransomware Links
Hive
Multiple security companies have pointed out that Hunters International’s ransomware code closely matches Hive’s, leading to suspicions that it is a rebrand of Hive. Hive was one of the most notorious ransomware groups until it was dismantled by law enforcement in January 2023.
Wazawaka admitted that their ransomware is based on Hive’s source code, which they purchased, and that they have since improved it by fixing bugs in the encryption routine that could leave files unrecoverable.
Hunters International’s extortion tactics are nearly identical to Hive’s: they first steal data and then encrypt files, applying double pressure on victims. Attacks often begin with RDP intrusions or spear phishing, followed by lateral movement and privilege escalation using Cobalt Strike.
Darkside/BlackMatter/AlphaV
Wazawaka has claimed on forums that he once collaborated with the operators of the infamous Darkside ransomware. Darkside gained notoriety for its 2021 attack on the U.S. Colonial Pipeline.
After Darkside disbanded, its members formed BlackMatter. Interestingly, Wazawaka’s group, Groove, provided server resources to BlackMatter, suggesting a business relationship between the two.
When BlackMatter dissolved, some of its members went on to form AlphaV (also known as ALPHV/BlackCat), which continued Darkside’s focus on critical infrastructure, including military facilities in Eastern Europe before the Russo-Ukrainian War.
Tactics, Techniques, and Procedures (TTPs)
Resource Development
Hunters International places great emphasis on talent recruitment and technical accumulation, absorbing key members from other ransomware groups and building an internal knowledge base. Leaked chat logs reveal that the team includes at least six penetration testing experts.
Reconnaissance
The group collects various forms of publicly available information about targets, such as IP addresses and domain names. They sometimes purchase access credentials or internal data on the dark web to better understand internal network topologies.
Initial Access
Common initial access methods used by Hunters International include:
- Malware disguised as a legitimate tool and hosted on phishing websites that mimic the download pages of utilities such as Angry IP Scanner (AngryIP).
- Spear-phishing emails that trick users into opening malicious attachments.
- Exploiting weak passwords or software vulnerabilities in exposed services such as RDP.
- Supply chain attacks.
- Social engineering and exploitation of vulnerable public-facing applications.
Execution
Once inside the network, they typically use Cobalt Strike to execute shellcode and download additional malware, and they establish persistence through built-in system functionality.
Command and Control (C2)
Their C2 channels use HTTP(S) and DNS tunneling. They rotate C2 domains frequently, route traffic through cloud services, and wrap C2 data in multiple layers of encryption; in observed cases the implant communicated with its C2 server over HTTPS via Cloudflare Workers.
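The DNS tunneling channel mentioned above can be surfaced from resolver logs even when the C2 domain is unknown, because tunneled queries carry many unique, long, high-entropy leftmost labels under one registrable domain. The following is an added example, not code from the original report or from the group: a Python heuristic run over a constructed DNS query log (the domain names, client addresses, log format and thresholds are assumptions). It does not cover the HTTPS-over-Cloudflare-Workers channel, which blends with legitimate traffic and is better handled at the egress proxy.

```python
"""Heuristic spotting of DNS-tunnelling C2 in a DNS query log.

Added example for this report, not Hunters International tooling. Log format,
thresholds and domains are constructed; the ".test" TLD is reserved for
examples.
"""
import hashlib
import math
import re
from collections import defaultdict


def _payload_label(i: int) -> str:
    # Constructed stand-in for a chunk of encoded data: 32 hex characters.
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]


# Constructed log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_DNS_LOG = "\n".join(
    ["2024-09-01T10:00:01Z 10.0.0.5 www.example.com A",
     "2024-09-01T10:00:02Z 10.0.0.5 mail.example.com MX"]
    # Benign noise: a CDN with many short, low-entropy hostnames.
    + [f"2024-09-01T10:00:{10 + i:02d}Z 10.0.0.9 cdn{i}.static.example.org A" for i in range(8)]
    # Tunnel-like traffic: many unique, long, high-entropy labels under one domain.
    + [f"2024-09-01T10:01:{i:02d}Z 10.0.0.7 {_payload_label(i)}.upd-svc.test TXT" for i in range(8)]
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated symbol, 4.0 for uniform hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain. Production
    # code should use the Public Suffix List (co.uk, workers.dev, ...).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(log_text: str):
    """Group queries by registrable domain: unique subdomains, qtypes, clients."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "qtypes": defaultdict(int), "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, qtype = rec
        dom = registered_domain(qname)
        prof = per_domain[dom]
        if qname != dom:
            prof["subdomains"].add(qname[: -len(dom) - 1])
        prof["qtypes"][qtype] += 1
        prof["clients"].add(client)
    return per_domain


def find_tunnel_candidates(log_text: str, min_unique=5, min_mean_len=20, min_mean_entropy=3.0):
    """Flag domains whose leftmost labels look like encoded payload chunks."""
    findings = {}
    for dom, prof in profile_domains(log_text).items():
        subs = prof["subdomains"]
        if len(subs) < min_unique:
            continue
        # Score the leftmost label only: that is where an encoder puts its payload.
        first_labels = [s.split(".")[0] for s in subs]
        mean_len = sum(len(lbl) for lbl in first_labels) / len(first_labels)
        mean_ent = sum(shannon_entropy(lbl) for lbl in first_labels) / len(first_labels)
        if mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            findings[dom] = {
                "unique_subdomains": len(subs),
                "mean_label_len": round(mean_len, 2),
                "mean_entropy": round(mean_ent, 2),
                "qtypes": dict(prof["qtypes"]),
                "clients": sorted(prof["clients"]),
            }
    return findings


if __name__ == "__main__":
    for dom, info in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(dom, info)
```

Tune `min_unique` to the site's baseline: CDNs and cloud services also produce many unique hostnames, which is why the length and entropy filters are applied to the leftmost label and the CDN noise in the sample is not flagged. Use the Public Suffix List in production so that names under shared suffixes (for example `workers.dev`) are grouped per tenant rather than per suffix.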
Privilege Escalation
The group is highly familiar with Windows domain environments and their permission structures. They harvest credentials for domain administrators and service accounts with tools such as Mimikatz (from LSASS memory) and LaZagne (from browsers and other local stores), and they exploit privilege escalation vulnerabilities in operating systems and software to obtain SYSTEM-level privileges.
Impact
Before deploying the ransomware, they typically destroy backups to prevent recovery and erase logs with anti-forensics tools.
The ransomware uses a hybrid scheme: file contents are encrypted with ChaCha20-Poly1305, and the symmetric keys are protected with RSA so that only the operators can release them.
In addition to encrypting files, Hunters International steals sensitive data from victims and threatens to publicly release it, putting additional pressure on the victims. The stolen data often includes business secrets and personal information, severely damaging the victims’ reputations.
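The backup destruction and log erasure described above, and the LSASS credential dumping in the Privilege Escalation section, all leave process telemetry before the encryptor runs. The following is an added example, not code from the original report or from the group: Python detection logic run over constructed Sysmon-style events (the host name, file paths, allow-list and sample command lines are assumptions), mapped to the ATT&CK techniques T1490, T1070.001 and T1003.001.

```python
"""Detect pre-encryption activity in Windows process telemetry: shadow-copy
and backup destruction, event-log clearing, and LSASS memory access.

Added example for this report, not Hunters International tooling. Event
fields follow Sysmon Event ID 1 (process creation) and Event ID 10 (process
access); the sample events, the allow-list and the host name are constructed.
"""
import re

# (rule name, ATT&CK technique, pattern over the lower-cased command line)
PROCESS_RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*(remove-wmiobject|\.delete\(\))")),
    ("boot_recovery_tampering", "T1490", re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("backup_catalog_deletion", "T1490", re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)")),
    ("event_log_clearing", "T1070.001", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s|clear-eventlog")),
]

PROCESS_VM_READ = 0x0010  # the access right every LSASS dumper needs
# Constructed allow-list of images expected to read LSASS on this fleet.
LSASS_SOURCE_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def normalize_cmd(cmd: str) -> str:
    return " ".join(cmd.split()).lower()


def check_process_creation(event: dict) -> list:
    cmd = normalize_cmd(event.get("CommandLine", ""))
    return [(name, tech) for name, tech, pat in PROCESS_RULES if pat.search(cmd)]


def check_lsass_access(event: dict) -> list:
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return []
    if event.get("SourceImage", "").lower() in LSASS_SOURCE_ALLOWLIST:
        return []
    try:
        granted = int(event.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return []
    return [("lsass_memory_read", "T1003.001")] if granted & PROCESS_VM_READ else []


def detect(events: list) -> list:
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            hits = check_process_creation(ev)
        elif ev.get("EventID") == 10:
            hits = check_lsass_access(ev)
        else:
            hits = []
        for name, tech in hits:
            alerts.append({"index": idx, "host": ev.get("Computer"), "rule": name, "technique": tech})
    return alerts


def _proc(cmd, image=r"C:\Windows\System32\cmd.exe", host="FS01"):
    return {"EventID": 1, "Computer": host, "Image": image, "CommandLine": cmd}


def _access(source, granted, host="FS01"):
    return {"EventID": 10, "Computer": host, "SourceImage": source,
            "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": granted}


# Constructed telemetry: indexes 1-6 and 8 should alert; 0, 7 and 9 should not.
SAMPLE_EVENTS = [
    _proc(r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _proc("vssadmin.exe delete shadows /all /quiet"),
    _proc("wmic.exe shadowcopy delete /nointeractive"),
    _proc("bcdedit.exe /set {default} recoveryenabled No"),
    _proc("wbadmin delete catalog -quiet"),
    _proc("wevtutil.exe cl Security"),
    _proc('powershell.exe -nop -w hidden -c "Clear-EventLog -LogName Security"'),
    _proc("vssadmin.exe list shadows"),  # read-only: must not fire
    _access(r"C:\Users\j.doe\AppData\Local\Temp\update.exe", "0x1010"),
    _access(r"C:\Program Files\Windows Defender\MsMpEng.exe", "0x1010"),  # allow-listed
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The command-line rules fire only on destructive verbs, so `vssadmin list shadows` does not alert. The LSASS rule keys on the PROCESS_VM_READ access right rather than on a tool name, because renamed or custom dumpers still need that right; expect to extend the allow-list with EDR and backup agents that legitimately read LSASS.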
Toolkit
Their typical toolkit includes:
- SharpRhino RAT: used for initial infection and persistence.
- Mimikatz: to extract Windows credentials.
- Custom ransomware: typically written in Rust to encrypt files.
- Tor: for anonymously leaking stolen data.
Operational Security (OPSEC)
Hunters International places significant emphasis on concealing identities and protecting their infrastructure. The following are some key operational security (OPSEC) measures they employ:
- Codenames and Privacy Protection: All members use codenames and never disclose their real identities. Even in private conversations they are careful not to reveal personal details that could compromise their anonymity, which makes attribution considerably harder.
- Domain and Infrastructure Concealment: Hunters International registers domains with fake identity information and frequently changes registrars to frustrate tracking. Their Command and Control (C2) infrastructure is hosted in countries with strong privacy protections, making the servers difficult to trace or seize.
- Encrypted Communication and Information Relay: The group uses end-to-end encryption tools such as PGP and OTR to secure communications. Sensitive information is never sent directly; it is encrypted first and then relayed through multiple intermediaries to obscure the origin and path of the communication.
- Financial Transactions via Cryptocurrency: Hunters International relies on privacy-focused cryptocurrencies such as Monero, which are hard to trace. Proceeds pass through several layers of “mixing” before being converted into traditional currency, making the money trail very difficult to follow.
- Obfuscation and Hardening of Code: Their malware and associated code are heavily obfuscated with multiple layers of encryption and packing, and their C2 protocols are intricately designed, which significantly complicates reverse engineering and traffic analysis for law enforcement and security researchers.
Thanks to these OPSEC practices, Hunters International has so far continued operating despite law enforcement attention, making it an elusive and formidable threat.
Conclusion
Reflecting on the rapid rise and operations of Hunters International, it’s clear that their emergence as a significant player in the ransomware world is due to several key factors:
- Advanced Attack Techniques: They are especially adept at quickly exploiting newly discovered critical vulnerabilities.
- Tight Collaboration and Coordination: Each member has a specific skill set and works in harmony with others, ensuring smooth execution of their operations.
- Deep Connections in the Cybercriminal Underworld: With strong ties to established hackers, they are skilled at recruiting talent and acquiring valuable resources.
As a new ransomware group, Hunters International has inherited and perfected the “traditions” of earlier ransomware organizations. However, they go beyond just technical prowess; they strategically exploit geopolitical tensions, becoming proxies for certain powers projecting influence in cyberspace. This makes them a unique threat to global cybersecurity, where the challenge extends beyond just technology to include complex geopolitical entanglements.
Addressing such threats requires a multifaceted approach, not just technical countermeasures. Legal and diplomatic measures must be enhanced, increasing international cooperation to combat transnational cybercrime. In addition, efforts must focus on reducing the fertile ground for countries to use cybercriminals as instruments of geopolitical rivalry. Only through legal, diplomatic, and cooperative actions can a secure, open, and peaceful cyberspace be maintained.
digiDations
In response to this threat, the digiDations CyberSecurity Validation Platform has integrated attack simulation rules specific to Hunters International. Search for “Hunters International” on the platform to access the validation actions related to this threat group. These simulated attacks let you validate whether your security defenses can effectively counter the group’s tactics. The digiDations CyberSecurity Validation Platform uses a unique approach to ensure that the validation process is safe and non-disruptive.