IT professionals have become targets of the Hunters International ransomware group, which uses SharpRhino RAT to infiltrate corporate networks via deceptive websites.
What happened
Hunters International uses a new C# remote access trojan called SharpRhino to target IT workers and breach corporate networks. The malware helps Hunters International gain initial infection, elevate privileges on compromised systems, execute PowerShell commands, and deploy the ransomware payload.
The malware is spread via a typosquatting site mimicking the Angry IP Scanner website, a tool used by IT professionals. It was previously distributed through a fake Advanced IP Scanner website.
Going deeper
Hunters International, which emerged in late 2023 and may be a rebrand of Hive, has targeted notable entities such as U.S. Navy contractor Austal USA, Hoya, Integris Health, and the Fred Hutch Cancer Center. The group has executed 134 ransomware attacks in 2024, ranking tenth among the most active ransomware groups.
SharpRhino spreads as a signed 32-bit installer disguised as a legitimate tool. It modifies the Windows registry for persistence and creates directories for command and control communication. The malware can execute PowerShell commands to perform various malicious activities. Quorum Cyber researchers successfully tested its capabilities by launching the Windows calculator.
See also: HIPAA Compliant Email: The Definitive Guide
What was said
“Hunters International, like most organised ransomware groups, is motivated by the opportunity for financial gain. As such, the group does not appear to prioritise any specific sector over others, and instead targets via opportunistic means,” says Quorum Cyber. Despite this, Hunters International has refrained from focusing on any organization situated in the Commonwealth of Independent States (CIS), a region under Russian influence. This bolsters the belief that this group is linked to Russia as an affiliate.
Quorum Cyber reported that the malware acts an “initial infection vector and subsequent RAT.” This marks an evolution in Hunters International's tactics, techniques and procedures (TTPs).
Learn more: FAQs: All things malware
In the know
Ransomware is a type of malicious software designed to encrypt a victim's files or lock them out of their system, demanding a ransom payment to restore access. Once deployed, ransomware can rapidly spread through a network, often exploiting vulnerabilities or tricking users into clicking malicious links. This form of cyberattack can have devastating impacts on individuals and organizations, leading to data loss, operational disruptions, and significant financial costs.
Effective prevention involves regular backups, software updates, and robust cybersecurity practices to mitigate the risk of infection and reduce the impact of potential attacks.
Why it matters
The use of SharpRhino RAT by the Hunters International ransomware group to specifically target IT workers through deceptive means, such as typosquatting and fake websites, reveals that even those with technical expertise are vulnerable.
This targeted approach highlights the sophistication of modern cyber threats and the fact that no one, even those in the IT field, is exempt from the risk of cyberattacks. The attack serves as a crucial reminder for IT professionals to remain vigilant, continuously update their security practices, and recognize that their expertise does not make them invulnerable to sophisticated and targeted cyber threats.
Read also: How cyberattacks can disrupt healthcare services
FAQs
How can I protect myself from ransomware?
To protect against ransomware, regularly back up important files, keep software and operating systems up to date, use strong passwords, enable firewalls and antivirus software, and be cautious with email attachments and links from unknown sources.
How can I recover my files after a ransomware attack?
Recovery options include restoring from backups, using decryption tools (if available), and seeking assistance from cybersecurity experts. In some cases, if backups are not available, professional data recovery services may be able to help.
Related: Recovering from a cyberattack
Can paying the ransom ensure that I will get my files back?
Paying the ransom does not guarantee that you will regain access to your files or that the attackers will not target you again. It is generally advised to explore other recovery options and report the incident to authorities.
Related: To pay or not to pay: Cyberattack ransoms in healthcare
Tshedimoso Makhene
