1. Overview
Hunters International, often referred to simply as Hunters, is a financially motivated ransomware group that emerged in late 2023. Operating a structured Ransomware-as-a-Service (RaaS) model, Hunters offers its platform to affiliates while managing infrastructure, data leak portals, and ransom negotiations.
Hunters is believed to be the successor to the Hive ransomware operation, which was dismantled by law enforcement in early 2023. Malware analysis reveals shared codebases, encryption methods, and operational workflows that strongly suggest continuity. The group employs double extortion tactics, exfiltrating sensitive data before encrypting networks, and threatening public disclosure to pressure victims into paying.
2. Origin and Evolution
Following the takedown of Hive by an international coalition led by the FBI, remnants of the group re-emerged under the banner of Hunters International. The new group adopted updated infrastructure, rebranded their malware, and launched a new leak site on the dark web. Forensic links to Hive include similarities in ransomware locker design, TOR negotiation portals, and encryption routines.
Hunters has been observed refining its approach, adopting more tailored targeting and expanding capabilities to impact both Windows and Linux, including VMware ESXi environments.
3. Tactics, Techniques, and Procedures (TTPs)
Hunters follows a playbook common to many modern ransomware groups, but with a focus on stealth, persistence, and careful targeting. Key techniques include:
- Initial Access: Exploitation of known vulnerabilities in public-facing applications (T1190), credential brute force (T1110.001), and phishing emails (T1566.001).
- Lateral Movement: Use of tools such as Cobalt Strike, Mimikatz, and RDP for network traversal and privilege escalation (T1021, T1055).
- Data Exfiltration: Hunters affiliates use WinSCP, Rclone, and custom scripts to exfiltrate large volumes of data before encryption (T1041).
- Encryption: Strong AES + RSA encryption is deployed using custom payloads, with the ransomware configured to avoid encrypting critical system files to preserve operability.
- Persistence & Evasion: Living-off-the-land binaries (LOLBins), anti-forensic routines, and process termination tactics help avoid detection and hinder recovery efforts.
4. Targeting Profile
Hunters International adopts a sector-agnostic approach, targeting organisations based on opportunity, value of stolen data, and likelihood of ransom payment. High-profile targeting to date has included:
- Healthcare and medical institutions
- Legal services and law firms
- Public sector organisations and local councils
- Educational institutions and universities
- Financial services and banking
UK-based firms, especially those holding regulated or sensitive data, are at heightened risk. Organisations with poor segmentation, weak remote access controls, or outdated infrastructure are often prime candidates.
5. Notable Campaigns and Victims
While Hunters does not have the same media presence as LockBit or Cl0p, their dark web leak site features victims across Europe, North America, and Asia. Known breaches include:
- A healthcare provider in Central Europe with over 2TB of patient data exfiltrated
- A UK-based law firm handling class action lawsuits
- A North American educational body with student and faculty records leaked
Victim data is typically published in stages, escalating pressure on non-compliant organisations.
6. Ransomware and Leak Site Behaviour
Hunters operates a professionalised leak portal on the dark web, showcasing compromised data in a tiered release format. The group’s double extortion model follows this pattern:
- Data is stolen prior to encryption
- Systems are encrypted, and a ransom note is left with TOR contact links
- Victims engage via a secure portal with countdowns and live chat functionality
- Data is leaked incrementally if negotiations fail
The tone of negotiation is typically professional, though the group has used aggressive messaging in cases involving regulatory data.
7. Technical Indicators
Although Hunters’ payloads evolve rapidly, common indicators include:
- File extensions ending in .hunters or .HUNTERS
- Presence of rclone.exe, winscp.exe, and 7zip.exe in unusual directories
- Registry modifications disabling recovery features and security tools
- Outbound traffic to command-and-control infrastructure hosted in Russia, Germany, or Panama
YARA rules and full IOC packs are available to UK Cyber Defence Ltd clients upon request.
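The file-extension and tooling indicators above can be turned into a simple host-telemetry check. The following is an added example (not code from UK Cyber Defence Ltd or the report) that runs over constructed file-create and process-create records; it assumes the only "expected" install roots for the listed tools are the Program Files directories, which is a simplification a real deployment would tune.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data): one record per line,
# "<event_type>\t<path>", mimicking file-create and process-create events.
SAMPLE_EVENTS = """\
file_create\tC:\\Users\\alice\\Documents\\budget.xlsx.hunters
file_create\tC:\\Shares\\HR\\contracts.docx.HUNTERS
file_create\tC:\\Users\\bob\\notes.txt
proc_create\tC:\\Program Files\\WinSCP\\winscp.exe
proc_create\tC:\\Users\\Public\\rclone.exe
proc_create\tC:\\Windows\\Temp\\7zip.exe
proc_create\tC:\\Windows\\System32\\svchost.exe
"""

# Indicators taken from section 7 of the report.
RANSOM_EXTENSIONS = {".hunters"}  # matched case-insensitively (.hunters / .HUNTERS)
SUSPECT_TOOLS = {"rclone.exe", "winscp.exe", "7zip.exe"}
# Assumption for this example: these are the only "expected" install roots;
# the listed tools running from anywhere else are treated as unusual.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(text):
    """Parse the tab-separated records into (event_type, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_type, path = line.split("\t", 1)
        events.append((event_type, path))
    return events


def flag_encrypted_files(events):
    """Paths of created files whose final extension is a Hunters marker."""
    return [
        path for event_type, path in events
        if event_type == "file_create"
        and PureWindowsPath(path).suffix.lower() in RANSOM_EXTENSIONS
    ]


def flag_tools_in_unusual_dirs(events):
    """Exfiltration tooling launched from outside the expected install roots."""
    hits = []
    for event_type, path in events:
        name = PureWindowsPath(path).name.lower()
        if event_type == "proc_create" and name in SUSPECT_TOOLS:
            if not path.lower().startswith(EXPECTED_ROOTS):
                hits.append(path)
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("Hunters-extension files:", flag_encrypted_files(events))
    print("Tools in unusual dirs:", flag_tools_in_unusual_dirs(events))
```

Extension matching alone is a late signal (files are already encrypted by then); the tool-location check is the one worth alerting on early.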
8. Defensive Measures and Recommendations
To mitigate the risk of Hunters ransomware, UK organisations are advised to:
- Deploy MFA on all external-facing services
- Monitor and restrict RDP and SMB access
- Ensure EDR/XDR tools are active and configured to detect living-off-the-land behaviours
- Back up critical data offline and test restoration procedures regularly
- Apply patches for known exploited vulnerabilities, particularly VPN appliances, Exchange servers, and web platforms
- Train staff to detect spear-phishing and impersonation tactics
9. Attribution and Alliances
While direct attribution remains unconfirmed, significant overlaps with Hive suggest Hunters International was either created by or includes former Hive operators. No nation-state affiliation has been observed. The group appears to be motivated solely by profit and has adopted a tight operational security posture to avoid law enforcement disruption.
10. Conclusion
Hunters International represents a technically capable and strategically quiet ransomware threat. Its post-Hive structure, double extortion tactics, and focus on sectors with sensitive data make it a high-priority concern for UK organisations. Proactive detection, segmentation, and resilience planning are critical to withstanding a potential Hunters attack.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025