In mid-October 2023, just a few days before the Europol operation, the source code of the Hive ransomware was sold, along with its website and older versions developed in Golang and C (although this purchase has only been reported by the actors themselves, without concrete evidence). The buyer of this source code was the group Hunters International, which claimed to have fixed the bugs in Hive that prevented file decryption in some cases. The group also stated that file encryption would not be its primary focus; instead, it would use data theft to pressure victims during extortion attempts.
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
/*
    Hunters International ransomware (successor to Hive)
*/
rule HuntersInternational_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.hunters"
        description = "Detects Hunters International ransom note"
        date = "2026-05-04"
        severity = 7
        score = 70
    strings:
        $s1 = "Hunters International" ascii nocase
        $s2 = "Contact.txt" ascii nocase
        $s3 = ".hunters" ascii
        $s4 = "hunters55i2i" ascii nocase
    condition:
        // A single string hit is enough to match. $s2 and $s3 are short,
        // generic strings, so expect noise when scanning arbitrary files.
        any of them
}

rule HuntersInternational_PE
{
    meta:
        author = "ransomware.live"
        family = "ransomware.hunters"
        description = "Detects Hunters International ransomware executable"
        date = "2026-05-04"
        severity = 9
        score = 90
    strings:
        $s1 = "Hunters International" ascii wide
        $s2 = ".hunters" ascii
        $s3 = "hunters55i2i" ascii
    condition:
        // "MZ" header at offset 0, plus at least two of the three strings
        uint16(0) == 0x5A4D and 2 of them
}
```
```
[ASCII-art banner: HUNTERS INTERNATIONAL]

To contact us follow the instructions:
1) Install and run “Tor Browser” from [redacted]
2) Go to [redacted]
3) Log in using the credentials: [snip]
---
Don't waste time. Inform your CEO about the incident ASAP.
```

Show Data Leak Site: [redacted]
Exfiltrated data: yes - Encrypted data: yes
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Corantioquia | CO | Public Sector | — | 27 May 2025 |
| Kenworth Del Sur | MX | Transportation/Logistics | — | 25 Apr 2025 |
| Megacentro | CL | Consumer Services | — | 20 Mar 2025 |
| Edesur Dominicana | DO | Energy | — | 11 Mar 2025 |
| Vermeer Mexico | MX | Manufacturing | — | 25 Feb 2025 |
| R Pac Central America S.A. de C.V. | SV | Manufacturing | — | 27 Nov 2024 |
| Aeris Energy | BR | Energy | — | 23 Nov 2024 |
| Banco Sucredito Regional S.A.U. | AR | Financial Services | — | 11 Nov 2024 |
| Quálitas México | MX | Financial Services | — | 1 Sep 2024 |
| Santa Rosa | AR | Public Sector | — | 18 Jul 2024 |
| Toyota Brazil | BR | Manufacturing | — | 13 Apr 2024 |
| Cosmocolor | MX | Business Services | — | 14 Mar 2024 |
| Tiete Automobile | BR | Transportation/Logistics | — | 17 Feb 2024 |
| Alupar Investimento SA | BR | Energy | — | 19 Jan 2024 |
| IDESA group, S.A. De C.V. | MX | Energy | — | 13 Nov 2023 |
The addresses of the leak sites (.onion) are known but are not published or linked. Only public metadata is shown.
Exfiltrated data: yes - Encrypted data: no
Exfiltrated data: yes - Encrypted data: yes
Country: N/A - Exfiltrated data: yes - Encrypted data: yes