GOLD CRESCENT
SUMMARY
GOLD CRESCENT is a financially motivated cybercrime group that operates the Hunters International name-and-shame ransomware-as-a-service (RaaS) scheme. The group does not advertise for affiliates on underground forums, likely operating a private service that relies on a relatively small group of individuals to steal data and deploy ransomware. That said, affiliates do not partner exclusively with Hunters International. CTU researchers are aware of one incident involving a victim receiving ransom demands from both the group and LockBit as a result of the same compromise, and at least one other victim was named on the Hunters International and LockBit leak sites in quick succession.
Hunters International named its first victim on a dedicated leak site in October 2023. Since then, the group has listed victims at an average rate of around 15 per month. Unusually for a leak site, Hunters International labels each victim according to whether data was stolen, systems were encrypted, or both.
Early third-party analysis of the Hunters International ransomware binary, which is written in Rust and appends the .locked extension to the files it encrypts, suggests significant similarity to Hive ransomware. In fact, some antivirus vendors continue to detect it as Hive. These similarities prompted some to speculate that Hunters International was a rebrand of Hive, whose infrastructure was taken down by the U.S. Federal Bureau of Investigation (FBI) in January 2023. However, no arrests were made and no sanctions were levied against individuals associated with Hive ransomware activity. This speculation prompted the operators of Hunters International to issue a statement on their leak site disavowing the claims and asserting that any similarities between the ransomware binaries were the result of purchasing the source code from the Hive operators. If such a purchase was made, it was not a public transaction.
Information about the tactics, techniques and procedures (TTPs) used in Hunters International ransomware deployments is scant. However, affiliates likely use a variety of methods to conduct attacks. In August 2024, Quorum Cyber reported on the use of a custom tool in Hunters International ransomware intrusions that the company called SharpRhino. SharpRhino masquerades as a legitimate Nullsoft installer for the Angry IP scanning tool but acts as a remote access trojan (RAT). It maintains persistence by modifying the registry and installing itself in multiple locations for redundancy.
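The one file-level behaviour the profile does give is that the binary appends .locked to encrypted files. As an added defender-side example (not code from the CTU profile or from the ransomware), the detector below flags any process that renames several files to that extension within a short window; the log line format, the sample telemetry, and the threshold and window values are constructed for illustration and would need to be adapted to a real EDR or file-audit feed.

```python
# Added example: flag a process renaming many files to ".locked" in a short window.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKED_EXT = ".locked"           # extension the profile says the binary appends
WINDOW = timedelta(seconds=60)   # sliding window per process (constructed tuning value)
THRESHOLD = 5                    # renames within WINDOW before alerting (constructed tuning value)


def parse_event(line):
    # Constructed line format: "<ISO ts> pid=<n> image=<name> <op> <src> -> <dst>"
    ts, pid, image, op, rest = line.split(" ", 4)
    src, dst = rest.split(" -> ")
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid[len("pid="):]),
            "image": image[len("image="):], "op": op, "src": src, "dst": dst}


def detect_locked_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per process whose rename-to-.locked rate crosses the threshold."""
    recent = defaultdict(deque)  # pid -> timestamps of recent .locked renames
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev["op"] != "rename" or not ev["dst"].endswith(LOCKED_EXT):
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "image": ev["image"],
                           "count": len(q), "first_seen": q[0].isoformat()})
    return alerts


# Constructed sample telemetry: pid 4242 renames six files to .locked in 15 s,
# pid 77 performs an ordinary rename, pid 900 renames a single file to .locked.
SAMPLE_EVENTS = [
    "2024-08-01T10:00:00 pid=4242 image=svc.exe rename C:\\share\\a.docx -> C:\\share\\a.docx.locked",
    "2024-08-01T10:00:03 pid=4242 image=svc.exe rename C:\\share\\b.xlsx -> C:\\share\\b.xlsx.locked",
    "2024-08-01T10:00:04 pid=77 image=explorer.exe rename C:\\users\\u\\report.docx -> C:\\users\\u\\report_v2.docx",
    "2024-08-01T10:00:06 pid=4242 image=svc.exe rename C:\\share\\c.pdf -> C:\\share\\c.pdf.locked",
    "2024-08-01T10:00:09 pid=4242 image=svc.exe rename C:\\share\\d.pptx -> C:\\share\\d.pptx.locked",
    "2024-08-01T10:00:12 pid=4242 image=svc.exe rename C:\\share\\e.txt -> C:\\share\\e.txt.locked",
    "2024-08-01T10:00:15 pid=4242 image=svc.exe rename C:\\share\\f.jpg -> C:\\share\\f.jpg.locked",
    "2024-08-01T10:05:00 pid=900 image=backup.exe rename D:\\bak\\x.zip -> D:\\bak\\x.zip.locked",
]

if __name__ == "__main__":
    for alert in detect_locked_bursts(SAMPLE_EVENTS):
        print(alert)  # one alert for pid 4242 (svc.exe), count 5
```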