Hunters International attacks Caxton and CTP Publishers and Printers

Incident Date: Apr 13, 2024

Attack Overview

Victim: Caxton and CTP Publishers and Printers
Industry: Consumer Services
Location: South Africa
Attacker: Hunters International
First Reported: April 13, 2024

Caxton and CTP Publishers and Printers Compromised by Hunters International Ransomware Group

Overview

Caxton and CTP Publishers and Printers has reportedly been compromised by the Hunters International ransomware group. The attack allegedly led to the exfiltration of 576.2 GB of data, encompassing 278,696 files, including personal and financial data.

Background

Caxton & CTP Publishers, Printers and Distributors is a major participant in the South African print media industry. The company publishes a number of regional community newspapers, The Citizen daily newspaper, and one major magazine, and is also involved in commercial printing, packaging, stationery manufacture, and book printing.

Hunters International Ransomware Group

Hunters International, a Ransomware-as-a-Service (RaaS) group, emerged in Q3 of 2023 after the discovery of source code resembling the infamous Hive ransomware strain. In October 2023, a security researcher's analysis of the ransomware used by Hunters revealed significant code overlaps with Hive ransomware. Subsequent analysis by Bitdefender reached the same findings, leading researchers to conclude that Hive operators had handed off their malicious tool to another threat actor. Despite this, Hunters International has denied any ties to the Hive operation.

Modus Operandi

Intelligence suggests that Hunters International ransomware primarily aims to exfiltrate target data and extort victims with ransom demands for its return. One reported incident involved a plastic surgery clinic in the US, where approximately 248,000 files, including patient names and addresses, were exfiltrated. The ransomware encrypts files, giving them the ".LOCKED" extension, and leaves "Contact Us.txt" files in directories, instructing victims on how to initiate negotiation on the dark web. Successful exploitation by Hunters International typically results in significant data exfiltration before a ransom demand is issued, with the demand often tailored to the perceived value of the compromised organization.
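For responders, the two file-system artifacts described above can be turned into a quick triage sweep. The following is an added example, not code from Halcyon or from the original page; the function names, the severity tiers, and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

NOTE_NAME = "contact us.txt"   # ransom note name reported above (matched case-insensitively)
LOCKED_EXT = ".locked"         # extension reported above (matched case-insensitively)

def scan_tree(root):
    """Return {relative_dir: finding} for every directory holding either artifact."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        note = any(f.lower() == NOTE_NAME for f in files)
        locked = [f for f in files if f.lower().endswith(LOCKED_EXT)]
        if not note and not locked:
            continue
        mtimes = []
        for f in locked:
            try:
                mtimes.append(os.lstat(os.path.join(dirpath, f)).st_mtime)
            except OSError:  # file vanished or unreadable: still counted, no timestamp
                pass
        # Both artifacts together are a strong signal; a lone "Contact Us.txt"
        # is a common benign filename, so it only rates a manual look.
        severity = "high" if note and locked else "medium" if locked else "low"
        findings[os.path.relpath(dirpath, root)] = {
            "severity": severity,
            "locked_files": len(locked),
            "earliest_mtime": min(mtimes) if mtimes else None,  # rough encryption start
        }
    return findings

def build_sample(root):
    """Create a small constructed tree (not real incident data) for a dry run."""
    layout = {
        "finance": {"q1.xlsx.LOCKED": 1_700_000_000, "q2.xlsx.locked": 1_700_000_200,
                    "Contact Us.txt": None},
        "web": {"Contact Us.txt": None, "index.html": None},
        "backup": {"db.bak.LOCKED": 1_700_000_100},
        "clean": {"notes.md": None},
    }
    for d, files in layout.items():
        os.makedirs(os.path.join(root, d))
        for name, mtime in files.items():
            path = os.path.join(root, d, name)
            open(path, "w").close()
            if mtime is not None:
                os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for d, f in sorted(scan_tree(tmp).items()):
            print(d, f)
```

The earliest modification time per directory gives a starting point for the incident timeline; it should be corroborated with other logs, since timestamps can be altered.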

Disclaimer

The Halcyon Attacks Lookout Database is compiled using publicly available information based on the hosting choices of real-world threat actors and data from a variety of trackers. This information is provided in accordance with principles of fair use. Halcyon has made reasonable efforts to sanitize and verify the data; however, we do not guarantee the accuracy, completeness, or reliability of the information provided. Updates to the database are made as new source data becomes available from reputable sources. By accessing, viewing, or using the information within the Halcyon Attacks Lookout Database, you acknowledge and agree to do so entirely at your own risk. No reliance should be placed upon the information for decision-making, and Halcyon disclaims all liability for any inaccuracies or omissions in the data.
