Hunters International Ransomware Operators Threaten to Publish US Marshals Data

Published on
August 29, 2024

The Hunters International ransomware group is threatening to leak 386 GB of data from the U.S. Marshals Service (USMS), claiming it includes “Top Secret” documents, gang files, and information from the 2022 drug enforcement operation “Operation Turnbuckle,” SC Media reports.

The group, which emerged in October 2023, has given the USMS until August 30 to pay a ransom. However, a USMS spokesperson informed SC Media that the data does not appear to be from a new incident.

The USMS previously suffered a significant ransomware attack in February 2023, affecting systems containing legal process data, administrative information, and personal data of USMS employees and others.  

Despite this, the Witness Security Program was reportedly unaffected, and no group had claimed responsibility for that attack until now. The USMS continues to assess the situation, with no confirmation of a new breach at this time.

A posting in March 2023 on a Russian cybercrime forum advertised the sale of USMS data, but it did not include samples or mention ransomware.

The authenticity of the data and how Hunters International obtained it remain unclear. However, it’s noted that ransomware victims are often targeted multiple times, as highlighted by a similar incident involving the healthcare industry.  

Hunters International has been linked to the Hive ransomware operation, which was dismantled in early 2023. The group claims to have purchased Hive’s source code and infrastructure.  

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Hunters International is a Ransomware-as-a-Service (RaaS) group that has emerged from the remnants of the Hive ransomware operation.  

The group leverages Hive's infrastructure and capabilities, including advanced data exfiltration and double extortion techniques, to carry out its attacks.  

Hunters International has streamlined its approach by embedding the decryption key within the encrypted file itself, moving away from the previous method of storing the key separately. This adjustment reflects a shift towards more straightforward, yet effective, encryption practices.

Initially targeting a wide array of industries, Hunters International is now focusing on sectors with a higher likelihood of paying ransoms, such as healthcare, financial services, and critical infrastructure, due to the urgency and sensitivity of their data.  

The group has refined its attack strategies by enhancing encryption methods to resist common decryption techniques and improving data exfiltration processes.

The ransomware used by Hunters International is written in Rust, a secure programming language known for its ability to evade security tools. The group has developed variants that can target both Windows and Linux systems.

Despite being a newer player in the ransomware landscape, Hunters International has rapidly increased its attack frequency, demonstrating significant operational capability across various industries and regions.  

The group employs double extortion tactics, encrypting data and threatening to leak it unless the ransom is paid, with ransom demands tailored to the victim's perceived ability to pay.

Operating under a profit-sharing model, Hunters International incentivizes affiliates by offering them a share of the ransom proceeds, encouraging widespread distribution of their ransomware.  

Their targets have included high-profile sectors and companies, such as Toyota Brazil, NanoLumens, Integrated Control, Frederick Wildman and Sons, Kablutronik SRL, Caxton, and CTP Publishers and Printers.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.