Hunters

Hunters International is a ransomware-as-a-service operation that first came onto the cyber attack scene in 2023. It poses significant risks to organizations across industries and business sizes.


The origin of Hunters International ransomware

Hunters International emerged in late 2023 in what industry experts identified as an attempt to revive ransomware code from a previously shut down cybercrime organization. That code was originally used by Hive, a destructive operation that extorted more than $100 million from some 1,500 victims.

Shortly after the FBI disrupted Hive, its operators passed their code on to a new group called Hunters International. The handoff was discovered by security researchers following a spate of new ransomware samples using remarkably similar source code. 

Since then, the group has successfully compromised victims in at least two dozen countries.

Sources: TechCrunch, U.S. Department of Justice, Bitdefender  

Targets

Hunters Ransomware's Targets

Countries targeted by Hunters Ransomware Group

As the name suggests, Hunters International targets organizations worldwide. At last count, the group has compromised victims in approximately 30 countries. From Canada to New Zealand, organizations are targeted more for their vulnerability and likelihood of paying a ransom than for their location. To date, the United States has had the largest number of Hunters International victims.

Sources: HIPAA Journal, Ransomware.live 

Industries targeted by Hunters Ransomware Group

Hunters International victims include organizations across a wide range of industries, from healthcare to manufacturing to the finance, education, and automotive sectors. This indiscriminate style means the group poses a significant risk to organizations of all sizes and industries.


Hunters Ransomware’s victims

To date, 231 victims have fallen prey to Hunters International ransomware.

Source: Ransomware.live

Attack Method

Hunters Ransomware attack method

Initial Access

Hunters International typically gains access with social engineering and phishing campaigns designed to trick employees into downloading and executing malicious files. The group is also known for leveraging the Remote Desktop Protocol (RDP).

Privilege Escalation

In some instances, Hunters International impersonates legitimate port scanning programs to install malware and obtain IT employee access. Once inside the network, the group grants itself higher levels of admin access.

Defense Evasion

Hunters International evades detection by using seemingly legitimate methods to gain access and move laterally.

Credential Access, Discovery, Lateral Movement, Collection

(Illustrated on the original page without accompanying description.)

Execution

Hunters International ransomware is written in Rust, a language favored for its resilience to reverse engineering and robust control over low-level resources.

Exfiltration

The malware encrypts files using a combination of different ciphers, embedding the encrypted key within each file. This approach simplifies the decryption process for victims who pay the ransom while complicating efforts to counteract the malware.
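Because each encrypted file carries its own encrypted key, the ciphertext gives a defender nothing to recover without the operator's private key, so detection has to key on behaviour: a burst of writes that turns ordinary documents into high-entropy blobs (T1486 in the page's ATT&CK mapping). The following is an added example, not code from the page or from Vectra, of a minimal entropy-burst heuristic over constructed file-write events; the process names, paths, thresholds and sample data are assumptions.

```python
import math
import random
from collections import defaultdict

HIGH_ENTROPY_BITS = 7.0   # bits/byte; natural-language documents sit near 4-5
BURST_THRESHOLD = 5       # high-entropy rewrites by one process inside the window
WINDOW_SECONDS = 60

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_mass_encryption(events):
    """Return {process: [paths]} for processes that rewrite many files to
    high-entropy content within WINDOW_SECONDS.
    events: iterable of (timestamp_s, process, path, new_file_bytes)."""
    recent = defaultdict(list)   # process -> [(ts, path)] of high-entropy writes
    alerts = {}
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < HIGH_ENTROPY_BITS:
            continue                          # normal document content, ignore
        hits = [(t, p) for t, p in recent[proc] if ts - t <= WINDOW_SECONDS]
        hits.append((ts, path))
        recent[proc] = hits
        if len(hits) >= BURST_THRESHOLD:
            alerts[proc] = sorted(p for _, p in hits)
    return alerts

# Constructed sample events (not real telemetry, assumed for illustration): one
# unknown process rewrites six documents to pseudo-random bytes in a few seconds,
# a word processor saves a normal document, and a backup tool writes one archive.
_rng = random.Random(7)
def _ciphertext_like(n=4096):
    return bytes(_rng.randrange(256) for _ in range(n))
PLAINTEXT = b"Quarterly report: revenue, costs, headcount, notes. " * 80

SAMPLE_EVENTS = [
    (0, "winword.exe", "C:\\Docs\\q1.docx", PLAINTEXT),
    *[(10 + i, "unknown.exe", f"C:\\Docs\\report{i}.docx", _ciphertext_like()) for i in range(6)],
    (30, "backup.exe", "D:\\Backups\\nightly.7z", _ciphertext_like()),
]

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))
```

A single archive write stays below the burst threshold, which is what keeps legitimate compression and backup jobs from firing the alert.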

Impact

Hunters International has been responsible for significant data breaches, financial losses, and lasting brand reputation damage.


MITRE ATT&CK Mapping

TTPs used by Hunters Ransomware

TA0001: Initial Access (no techniques listed)
TA0002: Execution
  T1106 Native API
  T1129 Shared Modules
TA0003: Persistence
  T1547 Boot or Logon Autostart Execution
TA0004: Privilege Escalation
  T1547 Boot or Logon Autostart Execution
TA0005: Defense Evasion
  T1027 Obfuscated Files or Information
  T1562 Impair Defenses
TA0006: Credential Access (no techniques listed)
TA0007: Discovery
  T1083 File and Directory Discovery
  T1082 System Information Discovery
  T1057 Process Discovery
TA0008: Lateral Movement (no techniques listed)
TA0009: Collection (no techniques listed)
TA0011: Command and Control
  T1071 Application Layer Protocol
TA0010: Exfiltration (no techniques listed)
TA0040: Impact
  T1486 Data Encrypted for Impact
Platform Detections

How to Detect Hunters Ransomware with Vectra AI

Thousands of enterprise organizations rely on powerful AI-driven detections to find and stop attacks — before getting hit by a ransom note.

FAQs

What is Hunters Ransomware?

Hunters International is a ransomware-as-a-service (RaaS) operation that emerged in late 2023. It’s known for targeting a wide range of industries across the globe.

What is Hunters International's connection to Hive Ransomware?

Hive was a ransomware group taken down by the FBI in late 2023. Shortly after its operations were disrupted, security researchers identified a match between Hive’s code and the code used by a new ransomware group called Hunters International. This led to the theory that Hive sold its assets to Hunters International.

What techniques does Hunters International use to compromise organizations?

Hunters International employs a double extortion strategy, combining data encryption with data exfiltration. They threaten to leak stolen data on their data leak site if ransom demands are not met.

What code does Hunters International use?

Hunters International ransomware is written in the Rust programming language, known for its efficiency and security features. Notably, the group has streamlined the encryption process by embedding encryption keys within encrypted files, using a combination of encryption methods.

Which industries are targeted by Hunters International?

Targeting indiscriminately, Hunters International has hit organizations across a wide range of sectors, including the healthcare, automotive, manufacturing, logistics, financial, educational, and food industries.

What countries are targeted by Hunters International?

Hunters International, as the name suggests, has a global reach. Victims have been identified in France, Germany, Australia, Brazil, Canada, Japan, Namibia, New Zealand, Spain, the United Kingdom, and the United States — plus many more countries. This opportunistic targeting strategy underscores their focus on exploiting vulnerabilities across a wide range of industries and regions.

What are the implications of a Hunters International attack?

Hunters International victims face significant losses, both financially and in terms of reputation. For example: In September 2024, Hunters International claimed responsibility for breaching the London branch of the Industrial and Commercial Bank of China (ICBC). The group stole more than 5.2 million files and swiped 6.6 TB of data.

How can organizations detect and respond to Hunters International attacks?

Organizations can enhance detection and response capabilities by implementing a strong AI-driven threat detection platform. This equips SOC teams with the intel they need to find and stop ransomware activities in real time.

What are the best ways to prevent a Hunters International attack?

To mitigate the threat posed by Hunters International and similar ransomware groups, cybersecurity professionals should conduct regular backups, train employees to recognize phishing attacks, and ensure all systems and software are up to date with the latest patches. In addition, AI-driven detections help identify attackers post-compromise, before they can launch ransomware.

How many organizations have already been impacted by Hunters International?

At last count, 231 organizations had been hit by Hunters ransomware. This includes 123 attacks in the U.S. alone.