The ransomware-as-a-service (RaaS) operation Hunters International has announced a strategic pivot—shutting down its encryption-based ransomware campaigns and rebranding as a new extortion-only group known as “World Leaks.” The transformation, revealed by threat intelligence company Group-IB earlier this week, reflects the group’s changing priorities following increased law enforcement pressure and reduced financial returns from traditional ransomware attacks. Despite publicly declaring its shutdown in November 2024, Hunters International continued operating discreetly, eventually launching World Leaks on January 1, 2025.
“From the administrator’s perspective, ransomware is no longer profitable and risky,” Group-IB stated in its latest analysis. Instead of deploying ransomware to encrypt victim systems, World Leaks has adopted a more streamlined strategy centered around data exfiltration and blackmail, using a custom-built data theft tool. This new exfiltration software appears to be an evolved version of the Storage Software tool that Hunters International had previously distributed to its affiliates. Designed to automate data theft from targeted networks, the tool enhances the group’s ability to extract sensitive information with minimal detection. Unlike its predecessor, World Leaks does not rely on encrypting data to pressure victims. Instead, the group focuses entirely on stealing confidential files and threatening to leak them unless a ransom is paid—a model seen increasingly across the cyber extortion landscape.
Hunters International first came onto the radar in late 2023, when notable code similarities led to suspicion that it was a successor to or rebrand of the Hive ransomware gang. Its malware had cross-platform capabilities, targeting Windows, Linux, FreeBSD, SunOS, and VMware ESXi servers, and supporting various architectures such as x64, x86, and ARM.

Over the past year, the group orchestrated more than 280 attacks globally, ranking it among the most aggressive ransomware operators. Noteworthy victims included:
- Tata Technologies
- AutoCanada, a large North American car dealership
- U.S. Marshals Service
- Hoya Corporation, a major Japanese optics company
- Austal USA, a U.S. Navy contractor
- Integris Health, Oklahoma’s largest nonprofit health network
- Fred Hutch Cancer Center, where over 800,000 patient records were compromised
The group’s ransom demands varied widely, ranging from hundreds of thousands to several million dollars, tailored to the size and profile of the targeted organization. With the launch of World Leaks, Hunters International is now focusing on partnering with cybercriminal affiliates, offering them access to its proprietary data exfiltration tool via a newly developed affiliate portal. This move further confirms its departure from encryption-based ransomware towards a leaner, lower-risk extortion model.
As global cybersecurity agencies and law enforcement continue to increase pressure on ransomware groups, World Leaks’ pivot is being closely monitored as a potential bellwether for future trends in organized cybercrime.
