A newly emerged ransomware gang claims to have successfully gained access to the systems of a US plastic surgeon’s clinic, leaking patients’ pre-operation pictures in an attempt to hurry a ransom payment.
The group, calling itself Hunters International, has claimed attacks on only two victims so far, with the first – a UK primary school – appearing earlier this month.
It is a really scummy move that I’m sorry to say we will be seeing more and more of
Security experts have linked Hunters to the shuttered Hive group, which was dismantled through a coordinated international law enforcement operation in January.
After its alleged attack on a US surgeon’s clinic, the group appears to be using a particularly aggressive tactic to speed up ransom negotiations that will likely be perceived as crossing a moral line, even for cybercriminals.
Hunters International shared four images of individuals whom it says are patients of Dr Jaime Schwartz – a plastic surgeon with offices in Beverly Hills and Dubai – as “proof” of the 248,245 files it claims to have stolen from the clinic.
According to the group’s leak site, it’s preparing to send bulk emails to the clinic’s patients as another fear tactic designed to hasten proceedings.
Posting a follow-up update, the group published the names, addresses, photos, and in some cases videos of alleged patients in what it’s calling the first of three total disclosures.
The clinic did not respond to The Register‘s request for comment.
How low can you go…
“It is a very low-ball extortion pressure tactic that has been used before by BlackCat which exposed cancer and breast augmentation photos,” cybersecurity analyst and researcher Dominic Alvieri told The Register.
“It is a really scummy move that I’m sorry to say we will be seeing more and more of.”
The morally questionable tactic comes a week after the BlackCat ransomware group alleged that it would start calling patients of a community hospital it attacked in another apparent attempt to ensure it secured a quick ransom payment.
After claiming an attack on Morrison Community Hospital in Illinois, it said: “Given that we haven’t received a clear response from MCH representatives, we’ve decided to release a teaser [sample of data] and initiate patient calls shortly. The hospital’s leadership has 48 hours to comply with our demands.”
Other ransomware groups are keen to display a degree of apparent “morality” when it comes to their targets. LockBit, for example, is among the most prolific groups operating currently but has routinely stepped in when its affiliates breach organizations it deems ethically off-limits.
Earlier this year it apologized for an affiliate’s attack on SickKids, Canada’s largest children’s hospital, and posted but quickly removed a listing last week for the Cerebral Palsy Associations of New York State.
“I’d say the ‘line’ is drawn by each group,” Victor Acin, threat intelligence labs manager at Outpost24, told The Register. “Some avoid healthcare institutions to avoid putting in danger the life of other human beings, but others simply see this as an opportunity they can leverage to make more money.
“In many cases, leaks of information related to confidential and sensitive information can carry heavier fines for the breached company, as it implies that they have not taken the necessary measures to secure such sensitive information, and so it is used to squeeze their targets a bit more.”
Rebuilding the Hive?
Independent cybersecurity researchers have made early links between Hunters International and the former Hive group – previously one of the most prominent ransomware gangs.
Its leak site was first spotted on October 20 by malware analyst Andrey Zhdanov, who noted that a Hunters International ransomware sample uploaded to VirusTotal indicated a match with Hive’s v6 payload.
A separate Intezer scan of the sample from another researcher revealed code overlaps with the Hive family and also SophosEncrypt – a ransomware that aims to mimic the legitimate security company Sophos. The same researcher said their analysis indicated a more than 60 percent match when looking at the code similarities between Hive and Hunters International.
Zscaler ThreatLabz was the first to announce that “Hive ransomware is back” in a post to its X account. It also analyzed the ransomware payload to find hunting-themed quotes embedded within its JavaScript code.
“On October 20, 2023 a new double extortion ransomware group calling itself Hunters International was discovered,” Zscaler ThreatLabz told The Register.
“Upon further examination, the ransomware was determined to be based on Hive (version 6) sharing approximately 60 percent of the same code.
“In addition, the ransom note contained a link to a victim ransom portal that has nearly identical backend code to Hive with a new theme. This likely indicates that the former Hive ransomware group has either rebranded as Hunters International or sold the code to another threat group.”
Confirming these suspicions, Hunters International issued a statement in the early hours of Tuesday morning, denying any links to Hive itself, instead confirming that it had bought the gang’s source code.
“We started to see that someone falsely decided that we are successors of the Hive ransomware group based on a 60 percent similarity of encryption code,” Hunters International said.
“All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them. Unfortunately for us, we found a lot of mistakes that caused unavailability for decryption in some cases. All of them were fixed now.
“As you may see here, encryption is not our primary goal, that’s why we didn’t do it by ourselves.”
The presence of code similarities doesn’t always mean a firm connection between groups can be established. In addition to being sold like in the case of Hive, ransomware groups’ payloads are leaked frequently and therefore code can be lifted, modified, and used by entirely different groups.
For example, Sophos X-Ops recently thwarted a ransomware attack that sought to exploit vulnerabilities in WS_FTP, and during its analysis the researchers found evidence of stolen code from LockBit’s third strain that was leaked last year.
Rather than it being an attack started by the LockBit group itself, the evidence pointed to a brand new, inexperienced group using the more established gang’s code. ®