NOTE: This article focuses on uncovering the identity of Hunters International Ransomware Group’s (Surface Web) Data Leak Site. It could be — an affiliate of Hunters International or anyone who is (in)directly connected to Hunters International Ransomware Group.
Hunters International is a Ransomware Group (RaaS) that came to the limelight in October 2023. It has been observed that the group is a spin-off of HIVE Ransomware which was breached by the FBI in January 2023.
However, on their official Onion Site, they have made the following official statement:-
From the above screenshot, we can estimate the group’s moderators/threat actors made the 1st official announcement on their Data Leak Site (DLS) on 24th October 2023.
NOTE: As the HIVE group has not yet been officially busted by the FBI, we cannot jump to a conclusion as to whether this is the same group or not.
INTRODUCTION
Hunters International is a Ransomware that targets Windows and Linux environments which adds .LOCKED extension to the encrypted files on the victim machine once the data exfiltration gets completed by the Ransomware group. As of now, they have listed about 38 victims globally spanning industries such as Health, Automotive, Manufacturing, Logistics, Financial, Educational, Food etc.
DATA LEAK SITE
Hunters International is a Ransomware Group that is notable for its organized Data Leak Site, by arranging victims country-wise.
By tracing their Victim Listing Timeline, it is found that the first victim was listed on their website on 20th October 2023. This indicates the fact that their Data Leak Site was functional from 20th October or prior, but garnered views from 28th October 2023, following the news of Hive Ransomware Code Similarity by various Infosec resources.
NOTE: There could be a possibility of accessing this website by team members internally before getting it out to the public via channels and forums.
Hunters International launched a clear website of their Onion Data Leak Site (with the same name) on 22nd January 2024.
Huntersinternational.org
The new domain was a legitimate domain (news blog posts) that was active from 2017 to 2021 but became a Non-Active/Parked Domain since then.
Threat Actors made use of this domain in 2024 January to launch the DarkWeb Leak Site, to gain much more visibility.
The hidden agenda behind this technique is to garner/generate more views (As Hunters International was a genuine domain back in 2017).
While inspecting the source page of this site, following quotes are found:-
'Keep calm and go hunting.',
'Everybody wants to eat but few are willing to hunt.',
'Imagine life without hunting. Now slap yourself and never do it again.',
'Opening day of hunting season should be a national holiday.',
'If I\'m not hunting, I\'m thinking about it.',
'Live to hunt. Hunt to live.'
These quotes are unusual to be found in a Leak Site of a Ransomware group.
DOMAIN ANALYSIS
The clear web domain of Hunters International Leak site is hosting a service named “Onion Location Framework” which is used to power Dark Web Domain names.
During the analysis, it was found that the Threat Actors had made use of a fake identity while registering the above-mentioned domain.
The fake identity of Mihail Kolesnikov is a common scenario adopted by cyber criminals as the same identity is being tied to multiple malicious indicators such as Rilide Infostealer, Snatch Ransomware Phishing Domains, etc.
The malicious websites registered in the name of Mihail Kolesnikov are traced to Russia, and the website is registered under NiceNIC. Some of the sneak-peak into the hosted sites under Mihail are:-
Hence, we can extrapolate the fact the Ransomware group had used the most popular notorious pseudo-identity (which is used by cyber criminals for various nefarious activities) to get clubbed among other cyber criminals from getting pinpointed by anyone.
While looking up the Raw WHOIS Data, we can see the sensitive fields such as Name, Street, Phone, etc are masked due to privacy concerns.
But not all identities can be safeguarded for a longer time…
REAL IDENTITIES
During a deeper analysis of the domain, I have found the real identities behind Hunters International Data Leak Site. It is found that 2 email addresses are linked to Hunters International Leak Site:-
Out of this, the following Email Address is used to register the data leak site of Hunters International on the surface web:-
REAL IDENTITY EXPOSED
=====================
Domain: huntersinternational.org
IP: 193.106.175.48
Location: RUSSIA
Hosting Provider: IQ HOST
ASN: AS50465
Registered with: NICENIC
NOTE: This does not mean the entire infrastructure/total control of Hunters International points to these identities. But, this person/persona is (in)directly involved with Hunters International.
Due to security reasons, NOT able to share how I pinpoint the Threat Actors
FIRST EMAIL ADDRESS ANALYSIS
While checking the name OYEWOLE LAWRENCE, it is found that there is a high probability of chances that matches with a Nigerian connection as most of the same name matches with different records of Nigeria.
This could be genuine or another decoy thrown by the group to conceal their identity. Hence, we cannot take this bite…
Let’s take a deep dive into Threat Actor’s email address. While checking for the breached records, it was found that the same email address had appeared about 5+ times, as per HIBP:-
The listed leaked databases (and year of breach) are:-
BITTLY: 2014
EXPLOIT.IN: 2016
LINKEDIN: 2016
CLEARVOICE SURVEY: 2021
PDL DATA BREACH: 2019
TWITTER: 2023
From the above-listed breaches, it is confirmed that the Threat Actor(s) had been using this email address for a long time for various network activities.
As I was not satisfied with the current findings, I rigorously analyzed and collected the leaks to find the plain-text password of the threat actor.
Here are the plain-text passwords of the Threat Actor which I had uncovered:-
e97bb3b1 (previous Gmail Password)
jesusthelord (Used in forums and other services)
While uncovering the breach, I came in contact with a LinkedIn profile in the name of “LAUREL GRACE” which uses the same email address. Following is the LinkedIn profile, which is not active anymore:-
SECOND EMAIL ADDRESS ANALYSIS
This email address is being taken into consideration as both of these Email Addresses had set up the same Email Address for their recovery option in Gmail service.
The second identity points to the following details:-
Email: [email protected]
Registrant Name: Olowo Kehinde
Organization: Cac Mount Victory
Registrar: 007Names
Activity Date: April 17, 2017
While searching the name “OLOWO KEHINDE”, it again points to Nigeria.
This again solidifies that there is a strong NIGERIA connection of Threat Actors or its affiliates.
TRACKING IP ADDRESS…
While checking the reputation score of the hosted IP (193.106.175.48), it is found that the same had previously been associated with loseriedia[.]xyz which is hosted as a C2 for RedLine Stealer Botnet.
It had also hosted many Phishing Domains related to Gift Card in 2023.
While digging up the server architecture, it was found that Hunters International Domain is hosted on a Linux Debian Machine powered by an nginx server.
Fingerprint of Huntersinternational.orgHost Key Fingerprint: 48b0a224697ead43ca1272c34a4777662049964913f083a40a5458a4ee1f78a6
TOR ONION DOMAINS
Here is a list of Onion Domains maintained by Hunters International on Dark Web:
TOR ONION DOMAINS
=================
https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/
https://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion/
https://hunters33dootzzwybhxyh6xnmumopeoza6u4hkontdqu7awnhmix7ad.onion/
https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/
By observing the domains, it is notable that the group has managed to maintain vanity domain names differently for Leak Blog and Victim Portal.
The domain that starts with hunters55 is LEAK BLOG
The domain that starts with hunters33 is VICTIM PORTAL
And here is the landing page of Leak Blog:-
As the group had used Vanity Address Generator for v3 Onion Domains, it can be presumed that there is a high-chance of a Github tool named mkp224o being used to generate the Onion Domains of Hunters International for TOR network.
HEALTHCARE — SPECIALLY TARGETED SECTOR
By visiting the victim list, it is found that the group is more focused to target Healthcare Systems in US and Europe.
Following is the list of Victims compromised by Hunters International related to Health Sector till now:-
Bradford Health
Blackstone Valley Community Health Care
Fred Hutchinson Cancer Research Center
Azienda USL di Modena
Covenant Care
Crystal Lake Health Center
Deegenbergklinik
Dr. Jaime Schwartz MD, FACS
Recently, INTEGRIS — The largest Oklahoma-owned health system in the US hit by ransomware. The same Modus Operandi of Hunters International is being observed (similarly happened with Fred Hutchinson Cancer Research Center) as patients received a threatening email to pay $50 to prevent data sales on Dark Web.
As INTEGRIS has not yet listed till now (ATTOW), there is a high possibility of chances the same to appear on Hunters International DLS in future.
WHY DATA LEAK SITE EXISTS?
Ransomware-as-a-service (RaaS) sites may launch data leak sites for several reasons:
1. Coercion and Pressure: By threatening to expose sensitive data, attackers can coerce victims into paying the ransom quickly.
2. Additional Revenue Stream: Some ransomware groups may exploit the data even if the victim pays the ransom. They can sell it on the dark web or use it for other malicious purposes, generating additional income beyond the ransom payment.
3. Publicity and Reputation: Publicizing successful attacks and data leaks can enhance the reputation of the ransomware group within criminal circles, potentially attracting more customers to their RaaS offerings.
4. Pressuring Victims and Partners: Data leak sites can pressure not only the immediate victim but also their partners, clients, or customers, amplifying the impact of the attack and potentially increasing the likelihood of ransom payment.
5. Self reporting about Data Leak to SEC: Ransomware Operators like ALPHV had reported about the data breach of their victim directly to SEC Authority to make it noticeable as the company didn’t turn to report it in 4 days. This brings organizations to a bad light, hence tampering their business reputation.
Generating more views on these data leak sites serves to amplify the pressure on victims and increase the likelihood of ransom payment. More views mean more attention from the media, law enforcement, and potential buyers of the stolen data, strengthening the attackers’ position and their ability to extract payments.
CONCLUSION
It can be assumed that the Threat Actors started their malicious activities in 2017 (or much before) which evolved later into Ransomware (newcomers) in 2023 and is currently active.
From the above indicators, we can also assume that the Threat Actors had a strong connection to Nigeria, but still we can’t conclude as these might be a persona/fake identity adopted by Hunters International.
IOC
TOR Domain
==========
hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion
hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion
hunters33dootzzwybhxyh6xnmumopeoza6u4hkontdqu7awnhmix7ad.onion
hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onionEmail Addresses
===============
[email protected]
[email protected]
Surface Web Domain: huntersinternational.org
IP:193.106.175.48
ASN: AS50465
Domain Fingerprint (SHA256): 48b0a224697ead43ca1272c34a4777662049964913f083a40a5458a4ee1f78a6
Soon after I had posted about my quick finding on Twitter and LinkedIn, both their dark web and surface web domains were not reachable. This might be due to the effect caused by my tweet and LinkedIn Post, or the group might have gotten disconnected to load a new batch of victims to their DLS, or else there may be fresh Onion Domains to be announced… Who knows!
NOTE:- The article is contributed to Netenrich Technolgies and is not subjected to be used/published anywhere without the Author’s consent.