Ransomware has a long history, first established in 1989 with the introduction of the AIDS Trojan, of use by criminals to force organizations and regular people to hand over money. Trustwave SpiderLabs follows the continuously changing history of ransomware and those behind the malware in Energy and Utilities Sector Deep Dive: Ransomware Threat Groups, a supplementary report to the team’s just released 2025 Trustwave Risk Radar Report: Energy and Utilities Sector.
SpiderLabs researchers note how, over the years, the attacker’s methodology has mutated as technology has advanced. No longer does the threat group demand money be physically sent, as with the AIDS Trojan, to an address for collection. Instead, they quickly adopted sending money digitally. This morphed further with the introduction of cryptocurrency, then added to the practice of extortion, double extortion, and now ransomware-as-a-service (RaaS).
Additionally, SpiderLabs looks at the resilience displayed by various threat groups. Many are dismantled or disrupted by law enforcement but make a comeback or reappear under a new name.
Most importantly, these groups pay special attention to the energy and utility sectors as disrupting organizations in these areas has the potential for initiating widespread havoc with the public, damaging the target’s nation, and thus offering the best possible financial return via ransom payments.
Out With the Old, In with the New
Energy and Utilities Sector Deep Dive: Ransomware Threat Groups notes how well-known groups like Conti, LockBit, Cl0p, and others have been the dominant names in this space. Still, the report focuses on the bevy of newcomers like Play, Hunters International, 8Base, and others.
For each group, the SpiderLabs team examines its background, type of malware, tactics, techniques, procedures, and favorite targets and breaks down its overall capabilities.
For example, the team pointed out that Hunters International, which became the dominant threat group during the second half of 2024, is a financially motivated group operating under the RaaS model. It first emerged in October 2023, shortly after another RaaS - the Hive ransomware group was dismantled in a coordinated law enforcement operation earlier that year. Hunters International denies any connection to Hive but does use its source code and infrastructure.
The group communicates primarily in Russian and English and refrains from attacking targets in the CIS (Commonwealth of Independent States) countries, a behavior often associated with CIS or ex-CIS-based actors. Like many other RaaS operations, Hunters International is a highly opportunistic group with no specific focus on regions or industries, enabling them to cast a wide net and target victims globally (240+ DLS posts as of December 2024, with 250+ historically known to be posted in total).
Please download the report for additional details on Hunters International and the other hazardous threat groups impacting the energy and utilities sector along with its companion reports:
