Skip to content

Hide Navigation Hide TOC

Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e)

Hunt ransomware is a variant of the Dharma/CrySIS ransomware family. This variant creates a unique ID for each victim, appends the extension '.hunt' to encrypted files, and leaves a ransom note known as info-hunt.txt.

The Dharma/CrySIS ransomware family emerged around mid-2016 as a Ransomware-as-a-Service (RaaS) program, utilizing various initial intrusion methods such as phishing, disguising as legitimate software, and exploiting open RDP connections.

This variant uses AES-256 encryption (CBC mode) or DES+RSA and demands payment to recover files. Upon execution, the ransomware generates a 256-bit AES decryption key, which is then encrypted along with random bytes using the RSA-1024 algorithm and stored at the end of the encrypted file.

The ransomware is written in C/C++ and compiled using MS Visual Studio. Regarding geographic attribution, it has been identified in use by threat actors from Russia, Ukraine, India, and other countries.

Cluster A Galaxy A Cluster B Galaxy B Level
Virus-Encoder (15a30d84-4f5f-4b75-a162-e36107d30215) Ransomware Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Dharma Ransomware (2b365b2c-4a9a-4b66-804d-3b2d2814fe7b) Ransomware 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Hunt (1b90933a-3f07-4bcf-af29-f3d880d8027e) Ransomware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2