Created on 10-28-2024 12:31 AM. Edited on 11-07-2024 05:36 AM. By Jean-Philippe_P.
Introduction
Hunters International is a ransomware-as-a-service (RaaS) operation first identified in October 2023. The ransomware associated with this operation is developed in Rust and has significant code similarities with the now disbanded Hive ransomware[1] operation.
Like many RaaS operations, Hunters International maintains a dedicated leak website where it hosts its victim list alongside disclosed data. The site has a Tor version and a regular internet version. Its home page lists companies that are victims of the Hunters International ransomware, and the site also shares exfiltrated data of victims who did not meet the criminal group's ransom demands. At the time of writing, the site claims the group has successfully compromised at least 175 victims. A screenshot of the Hunters International website can be observed in Figure 1 below.
Figure 1. Hunters International Tor website home page.
The FortiGuard IR team has observed a case where a public-facing application was exploited for initial access. The attacker then dumped credentials and proceeded with lateral movement using SMB and RDP. A scheduled task was used for ransomware execution. Different techniques have been observed in use by the Hunters International group[2], including:
Since this actor group uses different patterns of initial access and lateral movement, we have decided not to use an attack flow diagram for this article. This article focuses only on the ransomware execution behavior.
Analysis
To demonstrate FortiEDR’s ability to detect and mitigate activity associated with the deployment of Hunters International ransomware, we detonated a Hunters International sample and analyzed its behavior. It should be noted that FortiEDR was set to ‘Log Only’ mode to observe the complete malware behavior. In prevention mode, the behavior associated with these security events would have been blocked by FortiEDR.
When the ransomware sample is executed, it is detected as malicious and triggers the rule ‘Malicious File Detected’ from the ‘Execution Prevention’ security policy. This rule indicates that the executable file matches signatures from FortiGuard Threat Intelligence databases; it would have prevented further execution if FortiEDR had been in prevention mode. The security event associated with this detection can be observed in Figure 2 below.
Figure 2. FortiEDR detected Hunters International ransomware sample as malicious and blocked its execution
Upon execution, the ransomware executable spawns several child processes to inhibit backup and recovery of data (T1490 – Inhibit System Recovery[3]). The commands and their command line arguments are listed below:
Command | Description
vssadmin.exe delete shadows /all /quiet | Deletes all Volume Shadow Copies (VSS) on the system without any prompts or user interaction. It is often used by ransomware to remove system restore points, preventing victims from recovering their data.
wmic.exe shadowcopy delete | Deletes shadow copies using the Windows Management Instrumentation Command-line (WMIC), another method used to remove backup copies that could help restore data.
wbadmin.exe delete systemstatebackup | Deletes the system state backup on the computer. System state backups contain critical operating system files, and this command removes a recovery option.
wbadmin.exe delete catalog -quiet | Deletes the backup catalog silently, without user prompts. The backup catalog contains information about previous backups, and its deletion makes recovering those backups impossible.
bcdedit.exe /set {default} recoveryenabled No | Disables the automatic Windows recovery mode. This prevents the system from starting the recovery environment after system failures, making it harder to recover from issues.
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Instructs Windows to ignore boot failures and not show error messages during startup. It ensures the system attempts to boot without entering recovery mode.
wbadmin.exe delete systemstatebackup -keepVersions:3 | Deletes all but the last three system state backups. Legitimately this is used to manage storage by keeping only the most recent backups while removing older versions.
It should be noted that these are the same commands executed in the same order as those associated with Hive ransomware. We can observe process creation events associated with this behavior and associated process metadata using FortiEDR Threat Hunting data. A snapshot of generated threat hunting data can be seen in Figure 3 below.
Figure 3. FortiEDR Threat Hunting process creation events related to execution of numerous LOLbins by Hunters International ransomware to inhibit system recovery efforts.
Since the ransomware process was marked as malicious, the execution of the WMIC.exe command identified above was flagged as malicious behavior by FortiEDR and would have been blocked in prevention mode. The security event associated with this behavior can be observed in Figure 4 below.
Figure 4. FortiEDR blocked execution of WMIC.exe child process created by the Hunters International ransomware executable that attempted to delete volume shadow copies.
The bcdedit.exe command mentioned above instructs Windows to ignore boot failures and not show error messages during startup. It ensures the system attempts to boot without entering recovery mode. The execution of this ‘bcdedit.exe’ command also triggered the ‘File Encryptor’ and ‘Malicious File Detected’ rules from the ‘Ransomware Prevention’ FortiEDR security policy. The security event associated with this behavior can be observed in Figure 5 below.
Figure 5. FortiEDR blocked execution of bcdedit.exe child process created by the Hunters International ransomware executable that attempted to modify boot options.
The use of the WMIC.exe utility to delete shadow copies triggers the rules ‘File Encryptor’, ‘Malicious File Detected’ and ‘Suspicious Application’ from the FortiEDR security policy ‘Ransomware Prevention’. FortiEDR detects this access to the shadow copy service as suspicious and would block the attempt in prevention mode. The security event associated with this behavior can be observed in Figure 6 below.
Figure 6. FortiEDR security event associated with the attempt by the Hunters International ransomware executable to delete existing volume shadow copies.
After shadow copy deletion, the ransomware starts encrypting files. Certain file names, directories and file extensions are excluded from the encryption routine[4]. These are listed below.
File names that are excluded from encryption: Contact Us.txt, autorun.inf, bootfont.bin, boot.ini, bootsect.bak, desktop.ini, iconcache.db, ntldr, NTUSER.DAT, NTUSER.DAT.LOG, Ntuser.ini, thumbs.db
Directory names that are excluded from encryption: Windows, Program Files, Program Files (x86), Program Data, $Recycle.Bin, All Users, Default, Google, System Volume Information, Boot, Intel, Internet Explorer, PerfLogs
File extensions that are excluded from encryption: 386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, hta, icl, icns, ico, ics, idx, key, ldf, lnk, lock, mod, mpa, msc, msi, msp, msstyles, msu, nls, nomedia, ocx, pdb, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, tmp, wpx
The Hunters International ransomware uses the AES encryption algorithm to encrypt the victim's files. After encryption the files are renamed with the ‘.LOCKED’ extension appended to their names.
We can observe the file rename operations in the FortiEDR investigation view in Figure 7 below. The total number of file renames and some sample rename records are highlighted in red rectangles.
Figure 7. FortiEDR investigation view showing file rename done by locker.exe while encrypting files.
After encryption of all files, the ransomware tries to erase free space on the local drives by creating the file ‘buffer.swp’ on each encrypted drive and continuously writing random data to it until there is no free space left on the disk. This is a new technique compared to previous ransomware families we have observed. It is typically implemented to prevent deleted file content from being recovered from unallocated or slack space. Given that this ransomware encrypts by overwriting the original files in place, the step seems unnecessary, as in-place overwriting already limits the amount of unencrypted data left behind. FortiEDR threat hunting data related to the creation, writing and deletion of this large buffer file can be seen in Figure 8 below.
Figure 8. FortiEDR Threat Hunting file events associated with the 'buffer.swp' file.
After the file encryption process is completed, the ransomware creates ransom notes in a text file named ‘Contact Us.txt’ in the directory ‘C:\’ as well as in every folder from which files were encrypted. The creation of the ransom note files triggers the ‘Malicious File Detected’ rule from the ‘Exfiltration Prevention’ security policy. It also triggers the ‘File Encryptor’ and ‘Malicious File Detected’ rules from the ‘Ransomware Prevention’ security policy. FortiEDR security events associated with this activity can be observed in Figure 9 below.
Figure 9. FortiEDR detects the creation of Ransom note files by Hunters International ransomware.
The ransomware then launches notepad.exe with the file path ‘C:\Contact Us.txt’ as a parameter to display the ransom note. The contents of the ransom note can be seen in Figure 10 below.
Figure 10. Hunters International ransomware ransom note.
Conclusion
As highlighted by this article, FortiEDR detects and mitigates risk associated with the execution of Hunters International ransomware. FortiEDR blocks the following behavior associated with the ransomware execution:
In addition to the behaviors detected above, Hunters International ransomware creates a file with a static file name to erase free disk space, which creates a good detection opportunity for behavior-based tools like FortiEDR. Some useful threat hunting queries and MITRE ATT&CK mappings are provided below to support proactive threat hunting efforts.
Threat Hunting
The following threat hunting query will detect Process Creation events where ‘vssadmin.exe’ is executed to delete shadow copies. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("vssadmin.exe") AND Target.Process.CommandLine: ("delete shadows \/all \/quiet")
The following threat hunting query will detect Process Creation events where ‘WMIC.exe’ is executed with command line arguments indicative of shadow copy deletion. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("WMIC.exe") AND Target.Process.CommandLine: ("shadowcopy delete")
The following threat hunting query will detect Process Creation events where ‘wbadmin.exe’ is executed with command line arguments indicative of system state backup deletion. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("wbadmin.exe") AND Target.Process.CommandLine: ("delete systemstatebackup")
The following threat hunting query will detect Process Creation events where ‘wbadmin.exe’ is executed with command line arguments indicative of quiet removal of the backup catalog. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("wbadmin.exe") AND Target.Process.CommandLine: ("delete catalog \-quiet")
The following threat hunting query will detect Process Creation events where ‘wbadmin.exe’ is executed with command line arguments that delete all but the three most recent system state backups. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("wbadmin.exe") AND Target.Process.CommandLine: ("delete systemstatebackup \-keepVersions\:3")
The following threat hunting query will detect Process Creation events where ‘bcdedit.exe’ is executed with command line arguments indicative of an attempt to disable recovery. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("bcdedit.exe") AND Target.Process.CommandLine: ("\/set \{default\} recoveryenabled No")
The following threat hunting query will detect Process Creation events where ‘bcdedit.exe’ is executed with command line arguments that set ‘bootstatuspolicy’ to ignore failures. This command is not unique to Hunters International ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("bcdedit.exe") AND Target.Process.CommandLine: ("\/set \{default\} bootstatuspolicy ignoreallfailures")
The following threat hunting query will detect Process Creation events where ‘notepad.exe’ is executed by the ransomware to open the ransom note. False positives may occur where the same file name and file path are used for legitimate purposes.
Type: ("Process Creation") AND Target.Process.File.Name: ("notepad.exe") AND Target.Process.CommandLine: ("\\\\\?\\C\:\\Contact Us.txt")
The following threat hunting query will detect File Write events where the specific file 'buffer.swp' is written by the malware. Hunters International ransomware creates this file to erase the free space on the disk once the file encryption process has completed.
Type: ("File Write") AND Target.File.Name: ("buffer.swp")
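As an added example (not part of the original article and not FortiEDR's own query language), the hunting conditions above are expressed as Python rules run over constructed process-creation and file-write events, with a per-host threshold that separates the full T1490 chain from a lone, legitimate wbadmin run. The event field names, host names and sample telemetry are assumptions made for the example.

```python
import re

# Rules distilled from the command lines and file name listed above:
# (rule name, event type, process-name regex, command-line/path regex).
RULES = [
    ("vssadmin_delete_shadows", "Process Creation", r"vssadmin\.exe", r"delete\s+shadows\s+/all\s+/quiet"),
    ("wmic_shadowcopy_delete",  "Process Creation", r"wmic\.exe",     r"shadowcopy\s+delete"),
    ("wbadmin_delete_sysstate", "Process Creation", r"wbadmin\.exe",  r"delete\s+systemstatebackup"),
    ("wbadmin_delete_catalog",  "Process Creation", r"wbadmin\.exe",  r"delete\s+catalog\s+-quiet"),
    ("bcdedit_recovery_off",    "Process Creation", r"bcdedit\.exe",  r"/set\s+\{default\}\s+recoveryenabled\s+No"),
    ("bcdedit_ignore_failures", "Process Creation", r"bcdedit\.exe",  r"/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("notepad_ransom_note",     "Process Creation", r"notepad\.exe",  r"C:\\Contact Us\.txt"),
    ("buffer_swp_write",        "File Write",       r".",             r"(^|\\)buffer\.swp$"),
]
RECOVERY_RULES = {r[0] for r in RULES[:6]}  # the six LOLBin rules making up the T1490 chain

def match_rules(event):
    """Return the names of every rule the event satisfies (case-insensitive)."""
    subject = event.get("cmdline") or event.get("path", "")
    return [name for name, etype, proc, pat in RULES
            if event["type"] == etype
            and re.search(proc, event["image"], re.I)
            and re.search(pat, subject, re.I)]

def triage(events, threshold=3):
    """Group hits per host; flag hosts with >= threshold distinct recovery-inhibiting rules."""
    hits = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(ev["host"], []).append(name)
    return {h: {"hits": n, "likely_ransomware": len(set(n) & RECOVERY_RULES) >= threshold}
            for h, n in hits.items()}

def pc(host, image, cmdline):  # helper: build a constructed Process Creation event
    return {"host": host, "type": "Process Creation", "image": image, "cmdline": cmdline}

# Constructed sample telemetry (not real FortiEDR data): the full chain on WS01 and
# two legitimate backup-administration commands on ADMIN01 that must not be flagged.
EVENTS = [
    pc("WS01", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    pc("WS01", "WMIC.exe", "wmic.exe shadowcopy delete"),
    pc("WS01", "wbadmin.exe", "wbadmin.exe delete systemstatebackup"),
    pc("WS01", "wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    pc("WS01", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    pc("WS01", "bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    pc("WS01", "wbadmin.exe", "wbadmin.exe delete systemstatebackup -keepVersions:3"),
    {"host": "WS01", "type": "File Write", "image": "locker.exe", "path": r"D:\buffer.swp"},
    pc("WS01", "notepad.exe", r"notepad.exe \\?\C:\Contact Us.txt"),
    pc("ADMIN01", "vssadmin.exe", "vssadmin.exe list shadows"),
    pc("ADMIN01", "wbadmin.exe", "wbadmin.exe delete systemstatebackup -keepVersions:3"),
]
```

Running `triage(EVENTS)` flags WS01 with nine hits across all eight rules, while ADMIN01 registers a single wbadmin hit and stays unflagged, which is the false-positive case the descriptions above warn about.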
MITRE ATT&CK
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
TA0005 - Defense Evasion
Technique ID | Technique Description | Observed Activity
T1006 | Direct Volume Access | Ransomware uses the vssadmin utility to delete volume shadow copies.
TA0002 - Execution
Technique ID | Technique Description | Observed Activity
T1047 | Windows Management Instrumentation | Ransomware uses the WMIC.exe utility to delete volume shadow copies.
TA0040 - Impact
Technique ID | Technique Description | Observed Activity
T1490 | Inhibit System Recovery | Ransomware uses multiple Windows utilities to delete volume shadow copies and remove the backup catalog.
T1486 | Data Encrypted for Impact | Ransomware encrypts user files, renames them with the extension ‘.LOCKED’ and creates a ransom note in every folder in which it has encrypted user files.
IOC
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | d33242c9662bf0e3b29958034d393893ffe90cf0 | SHA1 Hash | Installation | Ransomware executable | 2024-04-02
Malicious Executable | 24de8de24001bc358c58aa946a28c545aaf9657b66bd5383c2d5a341c5d3c355 | SHA256 Hash | Installation | Ransomware executable | 2024-04-02
Malicious Executable | adfa80b6506228dda313dab7daf57b2eb2cfd783 | SHA1 Hash | Installation | Ransomware executable | 2024-08-04
Malicious Executable | 861d1f84a99049948c9f936b6ee8c9a126b8ce03526412aaac8a70647fa24f77 | SHA256 Hash | Installation | Ransomware executable | 2024-08-04
Malicious URL | hxxps[:]//huntersinternational[.]net/ | URL | Installation | Website of Ransomware | 2024-04-23
[1] https://www.acronis.com/en-us/cyber-protection-center/posts/hunters-international-new-ransomware-bas...
[2] https://www.digidations.com/2024/09/19/240919/
[3] https://attack.mitre.org/techniques/T1490
[4] https://www.acronis.com/en-us/cyber-protection-center/posts/hunters-international-new-ransomware-bas...
Copyright 2025 Fortinet, Inc. All Rights Reserved.