Cybersecurity company Forescout has released a threat briefing that deconstructs the tactics and procedures used by Hunters International: how the group breaks into and moves through victims' networks, which industries it targets most, and where defenders have detection opportunities to stop similar breaches.
From leaking US Marshals and FBI data to extorting the London arm of Chinese bank ICBC, Hunters International is a highly active and lucrative ransomware-as-a-service (RaaS) operation.
Known for its adaptable design, the Hunters International ransomware is written in Rust, a choice that hampers analysis and signature-based detection tuned to C/C++ malware, delivers fast encryption, and lets one code base be built for multiple platforms. The malware shares code with Hive ransomware but simplifies Hive's design, with fewer command-line options and a leaner key-management scheme. Notably, each encrypted file carries its own encryption key, stored in a form that only the operators' private key can unwrap. That design leaves the victim with nothing usable for decryption, while the group's decryptor can recover every file without consulting an external key database, which simplifies recovery for victims who pay the ransom.
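To make the key-management trade-off concrete, the following Python is an added illustration written for this page; it is not Forescout's analysis or the malware's code, and the file layout, the `DEMOENC1` marker and the `wrap_file_key`/`decrypt_file_bytes` helpers are assumptions. It models the design in the general form: a fresh symmetric key per file, that key wrapped with the operators' public key and appended to the ciphertext, so the file is self-describing to a decryptor that holds the private key and opaque to everyone else. The primitives are deliberately toy ones so it runs on the standard library alone (textbook RSA over Mersenne primes, a CTR-style stream cipher keyed through HMAC-SHA256) and must not be reused for real cryptography.

```python
"""Constructed model of 'embed the per-file key in the encrypted file' (illustration only)."""
import hashlib
import hmac
import os
import struct

MAGIC = b"DEMOENC1"          # hypothetical marker; the real on-disk format is not documented here
NONCE_LEN, FILE_KEY_LEN = 16, 32

# Toy RSA using Mersenne primes so the example needs no third-party library. Real
# operators use random primes of 1024+ bits; this key pair is not secure.
E = 65537
_P, _Q = 2**127 - 1, 2**521 - 1
N = _P * _Q
D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent: stays with the operator, never ships
WRAP_LEN = (N.bit_length() + 7) // 8     # bytes needed to store one wrapped key


def _keystream(key, nonce, length):
    """CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    blocks, produced, counter = [], 0, 0
    while produced < length:
        block = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_file_key(file_key, n=N, e=E):
    """Textbook RSA (no padding, toy) of the per-file key under the operators' public key."""
    m = int.from_bytes(file_key, "big")
    if m >= n:
        raise ValueError("key too large for modulus")
    return pow(m, e, n).to_bytes(WRAP_LEN, "big")


def unwrap_file_key(wrapped, d=D, n=N):
    """Inverse of wrap_file_key; only meaningful with the operators' private exponent."""
    m = pow(int.from_bytes(wrapped, "big"), d, n)
    if m >= 1 << (8 * FILE_KEY_LEN):
        raise ValueError("wrapped key does not unwrap under this private key")
    return m.to_bytes(FILE_KEY_LEN, "big")


def encrypt_file_bytes(plaintext, n=N, e=E):
    """Encrypt one file with a fresh key and append the wrapped key as a footer.
    Layout (assumed): MAGIC | nonce | ciphertext | wrapped_key | u16 wrapped length."""
    file_key, nonce = os.urandom(FILE_KEY_LEN), os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(file_key, nonce, len(plaintext)))
    wrapped = wrap_file_key(file_key, n, e)
    return MAGIC + nonce + ciphertext + wrapped + struct.pack(">H", len(wrapped))


def parse_encrypted_file(blob):
    """Anyone can split the file into its parts; only the wrapped key's contents are opaque."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted file")
    (wlen,) = struct.unpack(">H", blob[-2:])
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = blob[len(MAGIC) + NONCE_LEN:-2 - wlen]
    wrapped = blob[-2 - wlen:-2]
    return nonce, ciphertext, wrapped


def decrypt_file_bytes(blob, d=D, n=N):
    """What a decryptor does: unwrap the embedded key, then decrypt. No key database needed."""
    nonce, ciphertext, wrapped = parse_encrypted_file(blob)
    file_key = unwrap_file_key(wrapped, d, n)
    return _xor(ciphertext, _keystream(file_key, nonce, len(ciphertext)))


def decrypts_under(blob, d, n=N):
    """True if private exponent d recovers the embedded file key, False otherwise."""
    try:
        decrypt_file_bytes(blob, d, n)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"constructed sample: quarterly payroll, do not distribute\n"   # constructed input
    enc = encrypt_file_bytes(sample)
    print(len(enc), "bytes on disk; recovers with operator key:", decrypt_file_bytes(enc) == sample)
    print("recovers with a wrong private key:", decrypts_under(enc, D ^ 0xFFFF))
```

The footer is what the victim can see and the operators can use: parsing it requires no secret, but turning the wrapped blob back into a file key requires `D`, which never touches the victim's host. A defender who recovers an encryptor binary therefore finds only the public half, which is why forensic recovery focuses on interrupting execution or on backups rather than on the files' embedded keys.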
In the new threat briefing, Forescout analyses an incident in which the attackers exploited a public-facing Oracle web server to gain initial access to a victim's network. From there they performed reconnaissance and lateral movement with commodity tools, exfiltrated sensitive data, disabled data recovery options, and finally encrypted files with the Hunters International encryptor. The full briefing also provides malware analysis and recommendations for detecting, mitigating and hunting for this type of activity.
Since first emerging in October 2023, Hunters International has claimed more than 200 victims. In November 2024 alone it claimed 24 victim organizations, an average of nearly one per day.
You can read the full briefing here.