
Claire Aird
A ransomware operation shuts down and releases free decryption keys. The FBI investigates a ransomware negotiator for taking kickbacks. Spain arrests two over government hacks, and hackers steal $185 million from Brazilian financial institutions. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 4th of July, and this podcast episode is brought to you by Sandfly Security.

The Hunters International ransomware operation has shut down and is promising free decryption keys to its victims. The group is linked to more than 300 attacks, which included India's Tata Technologies and the US Marshals Service. The platform was launched in late 2023 by former members of the Hive ransomware gang. Hive was seized earlier that year. Hunters launched a separate World Leaks platform in

In other news, the FBI is investigating a former security firm employee who is accused of taking cuts from ransomware payments. The employee worked for DigitalMint. His role involved helping the company's customers negotiate payments during ransomware attacks. According to Bloomberg, the employee received kickbacks from ransomware gangs if companies were convinced to pay. DigitalMint says it fired the employee and began notifying affected customers when the company was made aware of the investigation.

Hackers have breached an IT provider for Brazilian banks and stolen more than $185 million. The hack targeted financial service provider C&M Software. Six institutions have been affected, including BMP. Brazil's central bank ordered C&M to disconnect all its customers while it investigated the hack. It's now resumed operations.

Australian airline Qantas has disclosed a security breach at one of its customer support centres. A threat actor gained access to a third-party system that stored the details of 6 million customers. The airline is still investigating the incident. Last week, the FBI, Google and Palo Alto Networks warned the Scattered Spider group was targeting airlines.

A ransomware attack has disrupted the activity of a German charity that feeds starving children. Deutsche Welthungerhilfe has shut down all IT systems following the attack in June. The organisation's name translates to World Hunger Help. It delivers food and water to global communities affected by hunger. The Rhysida ransomware group has taken credit for the attack and is demanding a $2.2 million ransom.

The Russian government will build a database of known telephone scammers. It will include voice samples, phone numbers and caller IDs. Russian mobile operators will have to display warnings on screens when incoming calls are from a known scam number. The voice samples will be shared with law enforcement.

US officials claim to have largely contained Salt Typhoon's breaches of US telcos last year. The FBI's cyber division leader, Brett Leatherman, said the agency is focusing on supporting victims and evicting the hackers. CyberScoop reported that an "imposing costs" phase is still ahead.

US Customs and Border Protection is seeking pitches for new products to analyse data from seized devices. The tools must be able to analyse data from laptops and smartphones, including contacts, messages, videos and photos, according to Wired. CBP wants the products to identify hidden messages and find patterns in users' data.

Spanish police have arrested two individuals accused of hacking government networks and selling data online. They were arrested in Spain's Canary Islands. Officials say the data included personal details and credentials of government officials, politicians and journalists. One suspect is accused of the hacking, while the second managed the financial side of the operation.

Spanish authorities have detained 21 suspects charged with running an investment scam ring. The group operated call centres in Barcelona and promoted fake investment portals on social media. The suspects allegedly made more than 10 million euros by convincing victims in Spain to invest their savings.

A man who launched DDoS attacks against Russian critical infrastructure has been sentenced to 16 years in a high-security prison. 36-year-old Andrei Smirnov was arrested in 2020 in the city of Belovo. Russian officials said the man launched the attacks at the behest of Ukrainian intelligence services.

More than 40 malicious Firefox extensions have been found in the official store. The extensions impersonated crypto wallet brands and contained code to steal wallet credentials. Koi Security says the extensions are part of a campaign that started in April. Fake reviews were used to boost their popularity. Koi Security believes the campaign is the work of a Russian-speaking threat actor.

Iranian state-sponsored hackers are allegedly providing tools to hacktivist groups attacking Israel and the West. Security firm Armis said the assistance was significant and included hacking tools and training resources. Recorded Future says Iran is using hacktivist groups as proxies in an attempt to avoid a military response.

A new Android malware has been discovered that intercepts SMS messages for financial apps. According to security firm Group-IB, the Qwizzserial malware has affected around 100,000 users. Most infections are in Uzbekistan, where SMS is still the primary method of multi-factor authentication.

Google's been ordered to pay $314 million to Californian users. In a class action lawsuit, the plaintiffs argued that Google increased their mobile bills by generating unwanted network traffic on their devices. The traffic included targeted advertising and data collection that occurred while devices were idle. A federal lawsuit covering the 49 remaining US states is scheduled for April next year.

Cisco has removed a set of hard-coded SSH credentials from its enterprise telephony platform. The credentials within the Unified Communications Manager could have been abused by attackers to gain root access. Cisco says the credentials were left in the code during the platform's development.

And finally, a vulnerability in the Call of Duty: WWII game has been exploited in the wild, some players have reported. Mysterious files appearing on their PCs and in-game pop-ups containing threatening messages have also been reported. Activision has not confirmed the hacks. The attacks followed a surge in new players this week when the title was added to the Xbox Game Pass. Older Call of Duty titles have been affected by similar issues in the past.

And that is all for this podcast edition. Today's show was brought to you by Sandfly Security. Find them at sandflysecurity.com. Thanks for your company.
Risky Bulletin: Hunters International Ransomware Shuts Down, Releases Decryption Keys
Hosted by Claire Aird | Released on July 4, 2025
The latest episode of Risky Bulletin covers significant developments in the cybersecurity landscape, including a ransomware shutdown, major data breaches, law enforcement actions, and emerging threats. Hosted by Claire Aird and prepared by Catalin Cimpanu, this edition provides an overview of recent cyber incidents and responses from around the globe.
The episode opens with a major update on the Hunters International ransomware group, which has officially ceased its operations and has pledged to release free decryption keys to its victims. This group, responsible for over 300 attacks since its inception in late 2023, targeted prominent organizations such as India's Tata Technologies and the US Marshals Service. Hunters International was formed by former members of the Hive ransomware gang, which was dismantled earlier in 2023. In addition to ransomware activities, Hunters launched a separate World Leaks platform, expanding their cybercriminal endeavors.
"The Hunters International group has been a significant threat since its launch, and their decision to shut down is a noteworthy development in the ransomware landscape," notes Claire Aird.
Further complicating the ransomware ecosystem, the FBI is currently investigating a former employee of DigitalMint, a security firm, for allegedly accepting kickbacks from ransomware gangs. The individual's role involved helping DigitalMint's clients negotiate payments during ransomware attacks, and he is accused of taking a cut of the ransom when the companies he advised opted to pay.
According to Bloomberg, the employee received kickbacks from ransomware groups whenever organizations were convinced to comply with their demands. In response, DigitalMint has terminated the employee and is notifying affected customers about the ongoing investigation.
A significant breach has targeted the Brazilian financial sector, with hackers infiltrating C&M Software, an IT provider for Brazilian banks. The attack resulted in the theft of more than $185 million, affecting six financial institutions, including BMP. Following the breach, Brazil's central bank ordered C&M to disconnect all its customers while the incident was investigated; operations have since resumed.
"The scale of this breach underscores the vulnerabilities within financial service providers and the critical need for robust cybersecurity measures," states Claire Aird.
Australian airline Qantas has reported a security breach at one of its customer support centers. An unauthorized actor gained access to a third-party system housing sensitive details of 6 million customers. The airline is actively investigating the extent of the incident and its impact on customer data.
In related news, the FBI, together with Google and Palo Alto Networks, warned last week that the Scattered Spider group has been targeting airlines. The convergence of these events highlights the persistent targeting of the aviation sector by cybercriminals.
A disturbing ransomware attack has affected Deutsche Welthungerhilfe (World Hunger Help), a German charity that delivers food and water to communities affected by hunger. The Rhysida ransomware group has claimed responsibility for the June attack and is demanding a $2.2 million ransom. The charity has shut down all of its IT systems in the wake of the attack.
"The impact on organizations like Deutsche Welthungerhilfer demonstrates how ransomware can disrupt humanitarian efforts, beyond just financial losses," Claire Aird emphasizes.
In an effort to combat telephone scams, the Russian government plans to establish a comprehensive database of known scammers. This database will include voice samples, phone numbers, and caller IDs, with Russian mobile operators required to display warnings for incoming calls recognized as fraudulent. Additionally, these voice samples will be made accessible to law enforcement agencies to aid in scammer identification and prevention.
US officials assert that they have largely contained Salt Typhoon's breaches of US telecommunications companies last year. Brett Leatherman, the leader of the FBI's Cyber Division, said the agency is focusing on supporting victims and evicting the hackers. CyberScoop reports that an "imposing costs" phase, in which the attackers themselves face consequences, is still ahead.
Simultaneously, U.S. Customs and Border Protection (CBP) is seeking proposals for new data analysis tools capable of processing information from seized devices. According to Wired, CBP requires technologies that can analyze data from laptops and smartphones to identify hidden messages and discern patterns within user data, enhancing their investigative capabilities.
Spanish authorities have made significant arrests in connection with cybercrimes. Two individuals were detained in the Canary Islands for hacking government networks and selling sensitive data online, including personal details of government officials, politicians, and journalists. One suspect is charged with conducting the hacks, while the other managed the financial aspects of their operations.
In a separate case, Spanish police have apprehended 21 suspects involved in an investment scam ring. Operating call centers in Barcelona, the group promoted fake investment platforms on social media, defrauding victims of over 10 million euros by convincing them to invest their savings.
In a noteworthy legal outcome, 36-year-old Andrei Smirnov has been sentenced to 16 years in a high-security prison for launching DDoS attacks against Russian critical infrastructure. Smirnov, arrested in 2020 in the city of Belovo, was said by Russian officials to have conducted the attacks at the behest of Ukrainian intelligence services, illustrating the interplay between cyber activity and geopolitical tensions.
A concerning discovery by Koi Security revealed over 40 malicious Firefox extensions within the official store. These extensions masquerade as legitimate crypto wallet brands but contain malicious code designed to steal wallet credentials. The campaign, which began in April, utilized fake reviews to enhance the extensions' credibility. Koi Security attributes this operation to a Russian-speaking threat actor, highlighting the ongoing risks within browser extension ecosystems.
Security firm Armis has reported that Iranian state-sponsored hackers are providing sophisticated tools and training to hacktivist groups targeting Israel and Western nations. Additionally, Recorded Future indicates that Iran is leveraging hacktivist proxies to carry out cyberattacks, thereby attempting to evade direct military reprisals. This collaboration underscores the evolving strategies of state actors in cyberspace, blending state resources with non-state actors to achieve strategic objectives.
A new Android malware family, named Qwizzserial, has been identified by Group-IB. The malware intercepts SMS messages used for multi-factor authentication in financial applications and has affected approximately 100,000 users, primarily in Uzbekistan, where SMS remains the prevalent method of multi-factor authentication. The rise of such malware emphasizes the weakness of SMS as an authentication factor on mobile devices.
In a landmark legal development, Google has been ordered to pay $314 million to Californian users in a class-action lawsuit. Plaintiffs alleged that Google inflated their mobile bills by generating unwanted network traffic, including targeted advertising and data collection, while devices were idle. A separate federal lawsuit covering the remaining 49 US states is scheduled for April next year and could set a precedent for tech companies' responsibilities regarding user data and consent.
Cisco has taken action to remove a set of hard-coded SSH credentials from its enterprise telephony platform, specifically the Unified Communications Manager. These credentials, inadvertently embedded during the platform's development, posed a significant security risk by potentially allowing attackers to gain root access. Cisco's prompt response highlights the importance of secure coding practices and the need for vigilance in software development to prevent such vulnerabilities.
The episode concludes with reports of a vulnerability in Call of Duty: WWII being actively exploited in the wild. Players have reported mysterious files appearing on their PCs and in-game pop-ups containing threatening messages. While Activision has yet to confirm the hacks, the incidents follow a surge in new players after the game was added to Xbox Game Pass. Older Call of Duty titles have encountered similar security issues in the past, pointing to an ongoing challenge in securing popular games against cyber threats.
Conclusion
This episode of Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats and responses. From the dissolution of a major ransomware group to intricate law enforcement operations and emerging malware threats, the landscape remains highly volatile. The insights provided by Claire Aird offer listeners a thorough understanding of current challenges and the measures being implemented to counteract them. Staying informed through such detailed analyses is crucial for individuals and organizations alike to navigate the ever-evolving cyber realm effectively.