Threat Intelligence Tarot
Vol. II · 137
Criminal (Hive-derived)
risk 4/5
The Inheritor
Hunters International
Hive successor · World Leaks
Healthcare · Manufacturing · Technology · Critical sectors globally
Active since ~2023 · Extortion, Financial gain
The Inheritor wears Hive's coat with the embroidery picked off. The seams are still visible if you know where to look — and the police that disrupted the original have a head start on the heir.
Tactics & Techniques
  • T1486 · Data Encrypted for Impact (Impact)
  • T1078 · Valid Accounts (Persistence)
  • T1567.002 · Exfiltration to Cloud Storage (Exfiltration)
  • T1490 · Inhibit System Recovery (Impact)
  • T1027 · Obfuscated Files or Information (Defense Evasion)
  • T1041 · Exfiltration Over C2 Channel (Exfiltration)
Notable Operations
  • Code reuse from disbanded Hive ransomware operation
  • Tata Technologies breach (early 2025)
  • Pivot to data-extortion-only branding as 'World Leaks' (2024)
  • Healthcare and manufacturing pattern matching pre-takedown Hive
Defenses
  • Ransomware family lineage tracking via shared signature hunting
    MITRE D3FEND
  • Decryption tool monitoring (No More Ransom project, FBI releases)
    NIST CSF: RC.RP
  • Immutable backups tested with full-environment restores
    CIS Control 11
  • Threat intelligence subscription tracking RaaS rebrands
    NIST CSF: ID.RA
Reversed: Their Weakness
Decryptor releases tied to law enforcement disruptions (Hive, LockBit) create downstream weakness in inherited code. Defenders who treat lineage-aware detection as a primary signal often catch the heir on day one.


Data sourced from MITRE ATT&CK. For educational purposes.