Hunters International is a ransomware-as-a-service (RaaS) operation that first emerged in October 2023, claiming over 200 victims since its inception. In November 2024 alone, the group claimed 24 victim organizations — for an average of nearly one per day.
Known for its adaptable design, Hunters International ransomware is written in Rust, enabling it to bypass detection, accelerate encryption, and ensure cross-platform compatibility. The malware shares code similarities with Hive ransomware but improves upon Hive’s design by streamlining command-line options and optimizing key management. Notably, it embeds encryption keys within the encrypted files — a technique that complicates decryption while simplifying the recovery process for victims who pay the ransom.
In this report, we analyze an incident where attackers exploited a public-facing Oracle web server to gain initial access to a victim’s network. Following this, they conducted reconnaissance and lateral movement using commodity tools, exfiltrated sensitive data, disabled data recovery options, and finally encrypted files using the Hunters International encrypter. We also provide malware analysis and recommendations for detecting, mitigating, and hunting for this type of activity.