Follow best practices in threat detection and response
Use specialized threat detection rules, including rules built on EDR telemetry logs, to help identify incidents and automate incident response
Hunters International is a ransomware-as-a-service (RaaS) operation that first emerged in October 2023, claiming over 200 victims since its inception. In November 2024 alone, the group claimed 24 victim organizations, an average of nearly one per day:
Known for its adaptable design, Hunters International ransomware is written in Rust, which enables it to bypass detection, accelerate encryption and ensure cross-platform compatibility. The malware shares code similarities with Hive ransomware but improves upon Hive's design by streamlining command-line options and optimizing key management. Notably, it embeds encryption keys within the encrypted files, a technique that complicates decryption while simplifying the recovery process for victims who pay the ransom.
In a new threat briefing, we analyze an incident where attackers exploited a public-facing Oracle Web Server to gain initial access to a victim’s network. Following this, they conducted reconnaissance and lateral movement using commodity tools, exfiltrated sensitive data, disabled data recovery options, and finally encrypted files using the Hunters International encrypter. The full threat briefing also provides malware analysis and recommendations for detecting, mitigating, and hunting for this type of activity.
Below, we summarize the incident and how Forescout can help to mitigate this type of threat.
Incident Description: Hunters International Ransomware
In July 2024, we observed an increase in security alerts on a network we monitored, signaling potential malicious activity. We only had partial endpoint visibility on that account as part of a proof-of-concept engagement, so these alerts were inconclusive at the time. The alerts were subsequently connected to a broader attack campaign.
By September 2024, the attackers posted information about their activities on data leak sites, confirming our suspicions. During the investigation, we uncovered evidence of exploitation attempts targeting multiple vulnerabilities, credential dumping, and the use of SMB and RDP for lateral movement across the network.
After a thorough investigation, we reconstructed the sequence of events leading to the incident with some limitations due to partial visibility. The process is summarized in the figure below:
Initial Access
The investigation identified two potential methods by which the attacker might have gained access to the environment.
Renamed AutoIt Malware
The attackers deployed renamed AutoIt malware, followed by network scanning activity. They also attempted to compromise domain controllers using Zerologon and secretsdump DCSync, demonstrating their intent to escalate privileges and gain control over the domain.
Oracle WebLogic Server
The attackers connected to the debug port 8453 of an Oracle WebLogic server, which allowed them to execute commands as java.exe and install the China Chopper web shell. The exact method of compromise for the Oracle machine remains unknown, whether through a vulnerability or another vector.
Reconnaissance and Lateral Movement
After gaining access, the attackers conducted reconnaissance and lateral movement to map the network and escalate privileges. They created a folder to store tools and information about the environment, such as network locations, domain trust relationships and user details.
The attackers obtained an account with administrative rights and gathered local system credentials using SAM and SYSTEM hive dumps to move laterally.
To gain full control over the domain, the attackers exploited domain services, possibly using DFSCoerce, to manipulate the domain controller. This allowed them to access the Active Directory database, which they dumped.
The attackers used a variety of common administrative and red teaming tools for lateral movement, including:
Plink
Impacket
AnyDesk
TeamViewer
RDP, leveraging the exposed Administrator account and domain admin accounts.
They also added accounts to the Administrator or RDP groups to maintain access. In addition to targeting Windows systems, the attackers also investigated Linux machines by running commands to gather information about user privileges and system settings.
Impact: Data Collection, Exfiltration and Encryption
The attackers escalated their campaign by targeting a database server, from which they dumped contents that were later exfiltrated to the MEGA file-sharing service, indicating a deliberate and efficient data exfiltration strategy.
Subsequently, the attackers unzipped and executed the final ransomware payload, encrypter_windows_x64.exe. Once deployed, the ransomware systematically disabled backup and recovery options by erasing shadow copies and disabling Data Execution Prevention (DEP). The ransomware enumerated files across the system, encrypted them and propagated its activity across the entire network. It left a ransom note behind on affected systems.
TTPs and Detection Opportunities
The full threat briefing details the following tactics, techniques and procedures used by the Hunters International attackers.
| Technique | Artifact | Detection Opportunity |
|---|---|---|
| Exploit Public-Facing Application | Debug ports (8453) on WebLogic servers | Monitor for connections to debug ports and subsequent java.exe spawning cmd.exe (or other unusual parent-child relationships). |
| Web Shell | China Chopper deployment in WebLogic | Track web shell command patterns. Correlate with network traffic or endpoint reconnaissance commands. |
| Command and Scripting Interpreter | Usage of cmd.exe | 1. Monitor parent-child relationships. 2. Pair observations with command-line arguments and length analysis. |
| User Execution | Users downloading and executing malicious files | Perform long-tail analysis, identify new executables, and track their prevalence and the user's context. |
| External Remote Services | Unauthorized deployment of Remote Monitoring and Management (RMM) tools (e.g. AnyDesk, TeamViewer) | Monitor for RMM installation and associated network connections. Start with LOLRMM and establish a baseline of known RMM tools in the environment to detect anomalies. |
| Remote Desktop Protocol | RDP abuse for lateral movement | Build a baseline of RDP connections and authentication patterns. Detect deviations, new connections, or changes in RDP configurations on the host. |
| Scheduled Task | Execution of batch file using schtasks | Monitor: 1. Windows events 4698–4702 in the "Microsoft-Windows-Security-Auditing" channel. 2. "Microsoft-Windows-TaskScheduler/Operational" logs. 3. File creations in the C:\Windows\System32\Tasks folder (Sysmon Event 11) with svchost.exe as the creating process. 4. Registry changes (CreateKey, DeleteKey, SetValue; Sysmon Events 12, 13, 14) where svchost.exe is the Image and TargetObject holds the task path. 5. Image load events for taskschd.dll (Sysmon Event 7). 6. Command-line arguments. |
| Security Account Manager | Credential dumping through SAM registry hive | Monitor access to processes and registry hives that support credential dumping. |
| Forced Authentication | Coercion attacks against domain controller | Track event ID 5145 in Microsoft-Windows-Security-Auditing for IPC$ in ShareName and RelativeTargetName containing netdfs, lsarpc, efsrpc, srvsvc, samr or netlogon. |
| Valid Accounts | Use of administrator and privileged accounts for lateral movement | Establish a baseline of normal user actions, locations and execution formats. Detect deviations from expected behavior. |
| System Information Discovery | Enumeration using built-in tools (LOLBINs) | Create a baseline for expected enumeration behaviors, including who performs them, from where, and in what format. Detect deviations from these patterns. |
| SMB/Windows Admin Shares | File transfer using SMB | Track suspicious file patterns (e.g. delete.me) against a baseline. Analyze network traffic for deviations in SMB connections. Perform long-tail analysis of transferred files to detect uncommon executables. Track connections to admin shares. |
| Disable or Modify Tools | Security control tampering | Monitor for DEP changes or security tool tampering using bcdedit.exe. |
| Indicator Removal on Host | Deletion of volume shadow copies | Track shadow copy deletions via vssadmin.exe. |
| Data Encrypted for Impact | Ransomware encryption and ransom notes | Detect ransomware activity with file encryption via encrypter_windows_x64.exe and the creation of ransom notes (read me now!.txt) across multiple accounts. |
| Exfiltration Over C2 Channel | Data staging and movement | Monitor large data transfers using network byte analysis (inbound and outbound). |
| Data from Local System | Database targeting and dumps | Track changes to xp_cmdshell settings and detect mysqldump operations. |
| Application Layer Protocol | Potential C2 communication via ncat on port 1752 | Monitor connections to port 1752 and associated IP addresses. |
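As an added example (not code from the briefing or from Forescout TDR), the following detector implements three of the detection opportunities above as checks over normalized Windows Security and Sysmon events: the event 5145 coercion check against IPC$ pipes, the java.exe-to-cmd.exe parent-child check for the WebLogic debug port, and shadow copy deletion via vssadmin.exe. The field names (EventID, ShareName, RelativeTargetName, ParentImage, Image, CommandLine, Computer) and the sample events are assumptions constructed for the example.

```python
# Constructed detection rules; event field names are assumptions modelled on
# Windows Security (5145) and Sysmon (Event 1) fields after log normalization.

# Named pipes from the Forced Authentication row of the table above
COERCION_PIPES = ("netdfs", "lsarpc", "efsrpc", "srvsvc", "samr", "netlogon")

def basename(path: str) -> str:
    """Return the file name part of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]

def is_coercion_5145(event: dict) -> bool:
    """Event 5145 on the IPC$ share where the target is a coercible RPC pipe."""
    if event.get("EventID") != 5145:
        return False
    if not event.get("ShareName", "").upper().endswith("IPC$"):
        return False
    target = event.get("RelativeTargetName", "").lower()
    return any(pipe in target for pipe in COERCION_PIPES)

def is_weblogic_shell_spawn(event: dict) -> bool:
    """Sysmon Event 1: java.exe (the WebLogic process) spawning a shell."""
    if event.get("EventID") != 1:
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "java.exe" and child in {"cmd.exe", "powershell.exe"}

def is_shadow_copy_deletion(event: dict) -> bool:
    """Sysmon Event 1: vssadmin.exe invoked to delete shadow copies."""
    if event.get("EventID") != 1:
        return False
    cmd = event.get("CommandLine", "").lower()
    return basename(event.get("Image", "")) == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd

RULES = {"coercion_5145": is_coercion_5145,
         "weblogic_shell": is_weblogic_shell_spawn,
         "shadow_delete": is_shadow_copy_deletion}

def detect(events):
    """Return (rule_name, host) for every event that matches a rule."""
    return [(name, ev.get("Computer", "?")) for ev in events
            for name, rule in RULES.items() if rule(ev)]

# Constructed sample events; not telemetry from the incident described above
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "netdfs"},
    {"EventID": 5145, "Computer": "FS01", "ShareName": "\\\\*\\Data", "RelativeTargetName": "reports\\q3.xlsx"},
    {"EventID": 1, "Computer": "WEB01", "ParentImage": "C:\\Oracle\\jdk\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS07", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Computer": "WS07", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for rule, host in detect(SAMPLE_EVENTS):
        print(f"{rule}: {host}")
```

The benign explorer.exe-to-cmd.exe and file-share 5145 events are included so the rules can be checked for false positives against a baseline before being deployed.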
How Forescout Can Help
Forescout Threat Detection & Response (TDR) is equipped with specialized detection rules designed to identify and mitigate ransomware attacks, such as those orchestrated by the Hunters International group. By aggregating telemetry and logs from diverse sources including security tools, applications, and other enrichment sources, Forescout TDR correlates attack signals to generate high-fidelity threats for analyst investigation and facilitates automated response actions across the enterprise.
The following rules are instrumental in detecting activities associated with Hunters International attacks:
CY-IR-0010 – EDR Telemetry: Execution Of ‘net.exe’ Detected
CY-IR-0013 – EDR Telemetry: Suspicious Execution Of ‘regsvr32.exe’
CY-IR-0040 – EDR Telemetry: PowerShell Started New Process
CY-IR-0078 – EDR Telemetry: Lateral Movement Detection
CY-IR-0097 – EDR Telemetry: Ransomware Detection
CY-IR-0197 – EDR Telemetry: WMI Execution With Command Line Redirection
The screenshots below show some of the logs ingested by TDR for this incident during the execution of the ransomware, detection of encryption activity and disabling of recovery options.
The image below shows a description of TDR rule CY-IR-0097 – EDR Telemetry: Ransomware Detection.