Blackhunt
Description
Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model: it encrypts victim files and threatens to publish stolen data on a Tor-based leak site. It primarily targets organizations rather than individuals, with confirmed attacks in sectors including manufacturing, retail, technology, and local government. Encrypted files receive the .BlackHunt extension, and ransom notes (Restore_Data.txt) direct victims to Tor portals for negotiation. The ransomware can terminate processes, delete shadow copies, and disable recovery functions to maximize impact. Initial access methods include exploitation of vulnerable RDP services and the use of compromised credentials bought from initial access brokers. Although its activity level is small compared to the major RaaS families, its leak site has listed victims from multiple countries, indicating an international reach.
External Analysis
https://www.bleepingcomputer.com/news/security/paraguay-warns-of-black-hunt-ransomware-attacks-after-tigo-business-breach/
https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/
Mail
dectokyo@cock.li
dectokyo@onionmail.org
Session
9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y
Urls
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion |