One of the most dangerous ransomware kits around might have just gotten a rebrand

Is Hive back? A new threat actor denies the connection

There is a good chance that one of the world’s most dangerous ransomware operators out there - Hive - has just gotten a rebrand.

Earlier this month, security researchers spotted a new player in the ransomware game, called Hunters International. The group doesn’t focus on encrypting their victims’ endpoints as much as it focuses on data theft and so far, it only managed to compromise one victim- a UK school.

However, the group’s encryptor is strikingly similar to that of Hive. More than 60% of the code overlaps with that of Hive ransomware, researchers said, with some going so far as to pinpoint the exact version of Hive that was rebranded - version 6.

Dismantled by the FBI

Hunters International, though, is having none of it. The group claims to have bought not just the encryptor source code, but also the website and old Golang and C version. The group also claims Hive’s encryptor came with a few bugs that it fixed.

If both groups were active at the same time, then it would clear any confusion as to whether they were the same or different operators. As things stand now, that most likely won’t happen, as Hive’s operations were terminated after its Tor payment and data leak site were confiscated by law enforcement early this year. 

Hive had 250 affiliates, BleepingComputer further stated, allowing the FBI to infiltrate the network and keep a low profile for half a year, gathering intelligence and mapping the group out. Before the seizure, Hive breached more than 1,300 companies and extorted more than $100 million from its victims. 

FBI’s work resulted in a decryption key that was handed out to more than 1,300 victims. 

In order to avoid being targeted by the police, most ransomware groups these days refrain from attacking critical infrastructure organizations, state organizations, or healthcare institutions.

Via BleepingComputer

Source