Hunters International is a ransomware group that emerged in October 2023, operating under a Ransomware-as-a-Service (RaaS) model. The group has been responsible for over 200 attacks worldwide, targeting various industries and exfiltrating sensitive data before encrypting systems. Hunters International uses a Rust-based ransomware that shares similarities with the Hive ransomware but incorporates improvements in command-line options, key management, and encryption techniques.
In this blog, we will analyze the tactics, techniques, and procedures (TTPs) of Hunters International Ransomware, providing insights into their methods of attack and defense strategies.
As noted above, Hunters International is a ransomware-as-a-service (RaaS) group that emerged in late 2023 following the disruption of the Hive ransomware group by international law enforcement. The group has rapidly expanded its operations, targeting a diverse range of industries across multiple countries.
Notable Cyber Incidents:
Industrial and Commercial Bank of China (ICBC) London Branch (September 2024): Hunters International claimed to have stolen over 5.2 million files, totaling 6.6 TB of data, from the London branch of ICBC [1]. They threatened to publish the data unless their ransom demands were met.
Anderson Oil & Gas (August 2024): This family-owned business in Fredericksburg, Virginia, suffered a ransomware attack by Hunters International, leading to significant data breaches and potential financial and reputational damage [2].
Barber Specialties (January 2025): A specialized commercial construction company based in Seagoville, Texas, was targeted by Hunters International [3], highlighting vulnerabilities within the construction sector.
Victimology:
Hunters International employs an opportunistic approach, targeting a wide array of industries globally. Their victims span sectors such as healthcare, automotive, manufacturing, logistics, finance, education, and food. Notably, the group has attacked organizations in countries including the United States, United Kingdom, Germany, Japan, and Brazil. However, they have not been linked to any attacks on Russian entities.
The group's tactics involve data exfiltration followed by threats to publish the stolen information if ransom demands are not met. This strategy places immense pressure on victim organizations to comply, given the potential for significant data breaches and associated reputational harm.
This section provides a comprehensive analysis of these TTPs, offering insights into how Hunters International Ransomware operates and the tools they employ [4].
The Hunters International ransomware group employs various methods to gain initial access to a target network, including:
The attack begins with the exploitation of an Oracle WebLogic Server vulnerability, specifically CVE-2020-14644, which allows attackers to connect to the debug port (TCP 8453). This debug port is typically used by developers for remote debugging, but in this case, it is left exposed and unsecured, allowing remote code execution.
Once connected to the debug port, the attacker executes commands through the Java process (java.exe). The first executed command is cmd.exe /c whoami, which checks the privileges of the compromised system. The parent process of this execution is java.exe, located in the Java Development Kit (JDK) directory. This suggests that the attackers are leveraging Java debugging capabilities to execute system commands.
Commands executed:
cmd.exe /c whoami
Parent Process:
c:\program
The specific command line used for launching the Java process includes -xdebug -xnoagent -xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n. These flags indicate that the Java Debug Wire Protocol (JDWP) is enabled, allowing remote debugging without authentication, effectively granting attackers arbitrary code execution capabilities:
c:\progra~1\java\jdk18~1.0_2\bin\java -server -xdebug -xnoagent -
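To audit for the exposure described above, the following added example (not code from the original post or from Picus) parses a Java command line, pulls out the JDWP agent options and classifies the listener: a `server=y` agent whose address is reachable beyond loopback is an unauthenticated remote-debug listener. The sample command line is constructed from the one quoted in the post; note that JDK 8 and older bind a host-less `address=` to every interface, while JDK 9+ bind it to loopback unless the host is `*`.

```python
import re
from typing import Optional

# Constructed sample, modelled on the WebLogic Java command line quoted in the post
SAMPLE_CMDLINE = (
    r"c:\progra~1\java\jdk18~1.0_2\bin\java -server -Xdebug -Xnoagent "
    "-Xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n weblogic.Server"
)

# Both spellings of the JDWP agent option; the option block ends at whitespace
JDWP_RE = re.compile(r"(?:-Xrunjdwp:|-agentlib:jdwp=)(\S+)", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_jdwp_options(cmdline: str) -> Optional[dict]:
    """Return the JDWP key=value options from a Java command line, or None if absent."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key.strip().lower()] = value.strip().lower()
    return opts


def assess_jdwp(cmdline: str, java_major: int = 8) -> dict:
    """Classify the exposure of a JDWP listener found on a Java command line."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return {"jdwp": False, "risk": "none", "port": None, "exposed": False}
    host, _, port = opts.get("address", "").rpartition(":")
    if host == "":
        exposed = java_major <= 8   # no host: JDK 8 binds all interfaces, JDK 9+ loopback
    elif host == "*":
        exposed = True              # explicit wildcard bind
    else:
        exposed = host not in LOOPBACK
    if opts.get("server") != "y":
        risk = "low"                # client mode: the JVM dials out, nothing listens
    elif exposed:
        risk = "high"               # unauthenticated debugger reachable over the network
    else:
        risk = "medium"             # loopback only, still usable by any local process
    return {"jdwp": True, "risk": risk, "port": port or None, "exposed": exposed}
```

Run `assess_jdwp` over the command lines of every `java` process on a server (for example from EDR process telemetry) and treat any `high` result on a production host as a finding.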
Following initial access, the attackers execute additional commands:
cmd /c "cd /d
This command sequence appears to be a reconnaissance attempt. It changes the directory to an Oracle Middleware installation path, likely to verify the presence of the WebLogic installation. Then, it changes the directory to C:\Intel\, which may indicate the presence of tools or malware components stored there. The echo [S]&cd&echo [E] part is likely used for checking whether command execution is successful by printing markers ([S] and [E]) in the output.
Additionally, the attackers install a web shell known as China Chopper, a lightweight and widely used backdoor that allows persistent access to the compromised server. China Chopper enables attackers to issue commands, upload/download files, and pivot further into the network.
The overall attack pattern suggests an advanced persistent threat (APT)-style intrusion, where the attackers exploit a known vulnerability in WebLogic, leverage the exposed debug port to execute commands as java.exe, conduct reconnaissance, and establish persistence via a web shell. This method allows them to maintain long-term access to the compromised system while evading detection.
Attackers deployed renamed AutoIt malware, which was used for network scanning and lateral movement.
This malware was configured to execute scripts that assisted in domain controller compromise using Zerologon (CVE-2020-1472) and SECRETSDUMP DCSYNC.
There are 10 Common Vulnerabilities and Exposures (CVEs) associated with WebLogic that were actively exploited by the Hunters International group, with CVE-2020-14644 being the one used in their latest attacks.
After gaining initial access, the attackers conduct reconnaissance and lateral movement using built-in Windows utilities and remote access tools to expand their control over the compromised network.
For network enumeration, they execute ipconfig /all to collect network interface details, including IP addresses, DNS settings, and MAC addresses. They also use nltest /domain_trusts to identify relationships between different domains, which helps them understand the structure of the network and potential pathways for lateral movement.
ipconfig /all   # Gather network details
To gather information about user accounts and credentials, they execute:
cmd /c "cd /d "c:\Intel"&dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr objectSID sAMAccountName
This command queries Active Directory for all user objects, extracting attributes such as security identifiers (SIDs), usernames, display names, last login times, password last set times, and group memberships. The results are saved into da.txt, allowing attackers to analyze user activity and identify high-value targets.
For credential dumping and privilege escalation, they extract hashed passwords from the SAM (Security Account Manager) and SYSTEM registry hives using:
cmd.exe /c "cd /d "c:\intel"&reg save hklm\sam sam.txt" 2>&1
This saves a copy of the SAM registry hive, which stores password hashes that can be cracked offline.
They also leverage Active Directory attacks such as DCSync and DFSCoerce, using:
ntdsutil "ac i ntds" "ifm" "create full c:\root" q q
This extracts a copy of the NTDS.DIT database, which contains all domain credentials. With these credentials, the attackers can impersonate users and gain higher privileges.
To maintain persistence, they manipulate user accounts by adding new ones to the Administrator or Remote Desktop groups using:
cmd.exe /c net user \\
These commands show direct manual input, suggesting that human operators are actively executing commands rather than relying solely on automated scripts.
The attackers also extend their reconnaissance to Linux systems. Using:
sh -c (/bin/cat /etc/passwd | /bin/egrep -v '^[[:space:]]*[+#-]' | cut -d: -f1,3,4 | /bin/sed 's/ //g')
They enumerate Linux user accounts, filtering out unnecessary entries to identify privileged users. They also check for users in the wheel and adm groups, which typically have administrative privileges, indicating an attempt to escalate access on Linux hosts.
To establish long-term access and facilitate further movement within the network, the attackers deploy various remote access tools, including AnyDesk, Plink, TeamViewer, RDP, and Impacket.
These tools allow them to control compromised machines, exfiltrate data, and move deeper into the network while avoiding detection.
After achieving administrative control over the compromised network, the attackers shifted their focus to data collection, exfiltration, and eventual ransomware deployment.
For database extraction, they leveraged Microsoft's SQL Server xp_cmdshell, which allows execution of system commands directly from within SQL queries. By enabling this feature, they executed:
xp_cmdshell 'mysqldump -u root -p database_name > dump.sql'
This command instructs the MySQL database to export its entire contents into a file (dump.sql). By using root credentials, the attackers ensured they had full access to all tables and data, making it easier to steal sensitive information.
Once the database was extracted, they proceeded with exfiltration.
The stolen data was uploaded to MEGA, a popular cloud-based file storage service. The use of MEGA suggests a deliberate and structured approach to data theft, as it provides encrypted storage and is accessible via APIs or manual uploads, making tracking more difficult.
The final phase of the attack involved ransomware deployment.
A mysterious file named delete.me was distributed across the network using SMB (Server Message Block), a file-sharing protocol commonly used within Windows environments. The exact purpose of delete.me is unknown, but it could serve as a marker for compromised systems or be part of an automation script for ransomware execution.
To execute the ransomware, the attackers used WinRAR to extract a zip archive containing the ransomware payload:
c:\program files\winrar\winrar.exe x -iext -ver -imon1 -- "c:\users\xxx\desktop\xxx\encrypter_windows_x64.zip"
This extraction process was followed by the execution of:
downloads\encripter\encrypter_windows_x64.exe -c localhost
The ransomware binary, encrypter_windows_x64.exe, was launched with a configuration pointing to localhost, suggesting that the encryption process was executed locally rather than relying on external command-and-control instructions.
To ensure the attack was irreversible, the ransomware systematically disabled all possible data recovery mechanisms. The following commands were executed:
vssadmin.exe delete shadows /all /quiet
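The command lines quoted through this section (the `[S]`/`[E]` echo markers, the SAM hive export, the ntdsutil IFM dump, the dsquery user enumeration, account additions, and the shadow-copy deletion) share a property a defender can use: they are distinctive on the process command line. The following added example, written for this post and not taken from it or from any vendor product, runs a small rule set over constructed process-creation records shaped like the post's commands and returns which record matched which rule.

```python
import re

# Constructed process-creation records, modelled on the command lines quoted in the post
SAMPLE_EVENTS = [
    {"parent": r"c:\progra~1\java\jdk18~1.0_2\bin\java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "java.exe", "image": "cmd.exe",
     "cmdline": r'cmd /c "cd /d C:\Intel\&echo [S]&cd&echo [E]"'},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'cmd.exe /c "cd /d "c:\intel"&reg save hklm\sam sam.txt" 2>&1'},
    {"parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full c:\root" q q'},
    {"parent": "cmd.exe", "image": "dsquery.exe",
     "cmdline": r'dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr objectSID sAMAccountName'},
    {"parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "ipconfig /all"},          # routine admin usage, should not fire
]

# Rule name and regex applied to the lowercased, whitespace-collapsed command line
RULES = [
    ("webshell_echo_markers", r"echo \[s\]&cd&echo \[e\]"),
    ("sam_hive_export",      r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("ntds_ifm_dump",        r"\bntdsutil\b.*\bifm\b"),
    ("ad_user_enum",         r"\bdsquery\s+\*.*objectclass=user"),
    ("domain_trust_enum",    r"\bnltest\b.*/domain_trusts"),
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("local_account_added",  r"\bnet\s+(user|localgroup)\b.*\s/add\b"),
]


def normalize(cmdline: str) -> str:
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def detect(events):
    """Return (event_index, rule_name) pairs for every rule each record triggers."""
    hits = []
    for i, ev in enumerate(events):
        # A JVM spawning a command shell is the parent/child pattern from the WebLogic stage
        if ev["parent"].lower().endswith("java.exe") and ev["image"].lower() == "cmd.exe":
            hits.append((i, "java_spawns_cmd"))
        cmd = normalize(ev["cmdline"])
        hits.extend((i, name) for name, pattern in RULES if re.search(pattern, cmd))
    return hits
```

The rules are deliberately narrow so that they can be loaded as-is into a SIEM; the `ipconfig /all` record shows that ordinary administration does not fire them, while `java_spawns_cmd` is the one rule keyed on process lineage rather than the command text.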
By erasing backups and disabling system recovery options, the attackers maximized the damage inflicted, forcing victims to either pay the ransom or suffer permanent data loss. This final phase highlights a well-coordinated operation aimed at both financial extortion and data theft.
The ransomware checks for valid command-line arguments.
If no arguments are found, it terminates immediately.
Requires -c followed by valid credentials (-c username:password).
Credentials are embedded in ransom notes for victim interaction.
Accepts an optional folder path argument to limit encryption.
Includes a Graphical User Interface (GUI) for attacker convenience.
Uses CreateToolhelp32Snapshot to enumerate and terminate critical processes.
Targets antivirus, database services, and virtual machines.
Enumerates active services with OpenSCManagerW & EnumServicesStatusW.
Stops dependent services using EnumDependentServicesA.
Uses AES encryption for files.
AES keys are secured with RSA encryption.
Ensures decryption requires interaction with attackers.
Identifies network drives via GetLogicalDriveStringsW.
Uses FindFirstFileW & FindNextFileW to enumerate files.
Appends .LOCKED extension to encrypted files.
Drops ransom notes named read me now!.txt.
We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.
Picus Threat Library includes the following threats for Hunters International Ransomware.
Threat ID | Threat Name | Attack Module
71450 | Hunters International Ransomware Download Threat | Network Infiltration
96755 | Hunters International Ransomware Email Threat | E-mail Infiltration
51889 | Hunters Ransomware Download Threat | Network Infiltration
36647 | Hunters Ransomware Email Threat | E-mail Infiltration
Regularly updating Oracle WebLogic, SQL servers, and RDP configurations is crucial to preventing exploitation. Applying patches for known vulnerabilities, such as CVE-2020-14644, helps close security gaps before attackers can exploit them.
The patching advisory can be accessed via this link.
Deploying EDR solutions enables real-time monitoring of unusual command execution and network activity. Detecting anomalies early, such as unauthorized use of cmd.exe or suspicious RDP connections, can prevent lateral movement and ransomware deployment.
Training employees to recognize phishing attempts and social engineering tactics reduces the risk of credential theft and initial access. Implementing multi-factor authentication (MFA) further strengthens defenses against compromised credentials.
Restricting lateral movement by enforcing least privilege access and segmenting networks can limit an attack’s impact. Disabling unnecessary administrative privileges and monitoring high-risk accounts improve security posture.
Maintaining offline backups and regularly testing recovery processes ensures resilience against ransomware attacks. Secure, immutable backups prevent data loss and provide a recovery path without paying a ransom.
The Hunters International ransomware group has rapidly established itself as a formidable threat, leveraging advanced attack techniques to infiltrate and disrupt organizations across multiple industries. By employing a Ransomware-as-a-Service (RaaS) model, the group maximizes its reach, allowing affiliates to exploit known vulnerabilities, conduct lateral movement, exfiltrate critical data, and ultimately deploy ransomware to cripple victim networks.
Their tactics showcase a high level of sophistication, from exploiting Oracle WebLogic vulnerabilities for initial access to leveraging built-in Windows utilities and Active Directory attacks for privilege escalation. The group’s strategic use of data exfiltration, particularly via MEGA cloud storage, ensures that victims face not only operational disruption but also the risk of public data exposure. The final execution of Rust-based ransomware, coupled with the disabling of backup and recovery mechanisms, leaves victims with little recourse except to either pay the ransom or suffer irreversible data loss.
The evolution of Hunters International, particularly its ties to the dismantled Hive ransomware group, underscores the persistent nature of cyber threats and the ability of ransomware actors to regroup and refine their methodologies. The attacks on high-profile financial institutions, oil and gas firms, and construction companies demonstrate the indiscriminate and opportunistic nature of the group’s victim selection.
Mitigating the risk posed by such ransomware operations requires a multi-layered defense strategy. Organizations must prioritize timely patch management to address exploited vulnerabilities such as CVE-2020-14644, implement robust endpoint detection and response (EDR) systems to monitor for anomalous activity, and enforce network segmentation to limit lateral movement. Additionally, employee awareness training on phishing and social engineering remains a critical component of defense.
As ransomware threats continue to evolve, proactive cybersecurity measures and a strong incident response framework are essential for reducing the impact of attacks. By staying vigilant and adapting to emerging threat landscapes, organizations can better defend against the growing menace of groups like Hunters International.
[1] J. Lyons, “Hunters International cyber-gang extorts Chinese mega-bank’s London HQ,” The Register, Sep. 11, 2024. Available: https://www.theregister.com/2024/09/11/hunters_ransom_icbc_london/. [Accessed: Feb. 05, 2025]
[2] “Anderson Oil & Gas Hit by Hunters International Ransomware Attack,” Nov. 05, 2024. Available: https://www.halcyon.ai/attacks/anderson-oil-gas-hit-by-hunters-international-ransomware-attack. [Accessed: Feb. 05, 2025]
[3] “Barber Specialties Ransomware Attack by Hunters International,” Jan. 28, 2025. Available: https://www.halcyon.ai/attacks/barber-specialties-ransomware-attack-by-hunters-international. [Accessed: Feb. 05, 2025]
[4] “The Anatomy of an Attack: Hunters International Ransomware.” Available: https://www.forescout.com/resources/anatomy-of-an-attack-hunters-international-ransomware/. [Accessed: Feb. 05, 2025]