Black Hunt Ransomware Claiming Victims

Recently, local media in Paraguay reported that Tigo, the largest mobile carrier in Paraguay, with its Tigo Business division offering digital solutions to the enterprise.

The list of provided services includes cybersecurity consulting, cloud and data center hosting, and wide area network (WAN) solutions, suffered a cyberattack directly impacting cloud and hosting services in the company's business division.

Black Hunt Ransomware Claiming Victims

It appears that those services were knocked out as far back as January 4, 2024. It was only over the following weekend that the company released a statement stating,

On January 4, we were victims of a security incident in our Tigo Business Paraguay infrastructure as a service, which has affected the normal supply of some specific services to a limited group of clients in the corporate segment (companies).

The company went on to state that certain elements of the article published by local media were incorrect. Namely, the internet, telephone services, and Tigo Money electronic wallets were unaffected by the attack. While the statement asserted that media reports were erroneous, they did not provide any information about the attack.

Following the company issuing their statement, more reports emerged on social media. Some claimed over 330 servers were encrypted, and backups were compromised, which is a clear indication of a ransomware attack. This was followed by reports saying those behind the Black Hunt ransomware were responsible for the attack.

On January 7, 2024, Paraguay's General Directorate of Information and Communication Technologies of the Armed Forces of Paraguay (FFAA) alerted businesses and individuals about Black Hunt ransomware attacks.

The statement said,

The DSIRT-MIL of the DIGETIC/FFAA, issues an official alert in relation to the recent cybersecurity incident that has significantly impacted one of the main internet service providers in the country and that has had a direct impact on more than 300 companies associated with said operator, compromising backups, web pages, emails and their cloud storage…The incident that occurred, according to reports from cybersecurity specialists, is a ransomware infection linked to a group of cybercriminals called Black Hunt.

This statement was shortly deleted after publication and raises questions about the cybercrime reporting protocols currently in place in Paraguay.

Further questions need to be answered as to whether Black Hunt was involved or not. One thing we do know for sure is that Black Hunt is a threat to businesses.

Black Hunt Operations

Following reports published on X, formerly Twitter, it would seem that Black Hunt operations launched towards the end of 2022. Those behind the ransomware have managed to keep many of its operations away from the prying eyes of security researchers, as when compared with other ransomware gangs, there is relatively little known about the gang in the public sphere.

On January 6, 2024, Fortinet discovered a ransomware sample doing the rounds. The security firm noted that the threat actors behind the ransomware's deployment were gaining access to victims' networks through vulnerable Remote Desktop Protocol (RDP) configurations.

Further, the firm stated,

Files encrypted by BlackHunt ransomware can be identified with the following filename pattern: [unique ID assigned to each compromised machine].[contact email address].Black. The ransomware also deletes shadow copies, which makes file recovery difficult. The ransomware also drops two ransom notes: one is titled “#BlackHunt_ReadMe.hta” and the other is “#BlackHunt_ReadMe.txt”...Although both ransom notes belong to BlackHunt ransomware, the notes not only include different contact email addresses but the different IDs assigned to each victim as well. The ransom note in HTA format also has a link to a TOR site, which was no longer accessible at the time of the investigation.

Bleeping Computer's analysis of the ransomware noted that when the encryptor is launched, they will perform the following commands to clear Windows event logs, delete Shadow Volume Copies and NTFS journals, and disable Windows recovery options.

Further, Black Hunt will perform a large number of changes to Windows, including disabling Microsoft Defender, adding new users, disabling System Restore, and disabling Task Manager and the Run command. These are now typical operations for most current ransomware strains.

Based on what is known, the threat actors appear to focus on keeping operational security high; this makes malware analysis somewhat more difficult for security researchers. The emergence of Black Hunt 2.0 further supports this assumption.

Reports dating back to July 2023 showed that a new variant of Black Hunt was on the loose, and modifications to its encryption ability were made to make it more effective. Files encrypted with the new version had "Hunt2.0" appended to the filename, making identification easier for victims.

Black Hunt 2.0 was also to adopt the double extortion method, as victims had sensitive data stolen before encryption. Threats were then made to release the information to the public, or highest bidder if the ransom was not paid at a specific time, 14 days, according to the pop-up notification displayed after encryption.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal