The Hunters International ransomware-as-a-service (RaaS) group posted a message on its dark web portal declaring the end of its operations. “After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the statement read. The group acknowledged the impact of its operations and stated that the decision was not made lightly.
In a rare move that it described as “goodwill,” the group has begun offering free decryption tools so that victims can recover encrypted data without paying ransoms. All entries on its extortion site have been deleted, and affected companies have been encouraged to request assistance through the group’s dark web portal.
Though the gang did not clarify the “recent developments,” cybersecurity experts speculate that increased global law enforcement pressure and declining profitability may have led to the exit. In a previous update on November 17, the group had hinted at an impending closure for these reasons.
Shift in Tactics: Emergence of ‘World Leaks’ Signals New Strategy
While Hunters International is shutting down, threat intelligence firm Group-IB has reported that the operators are re-emerging under a new avatar named World Leaks, which focuses solely on data theft and extortion. Unlike its predecessor, World Leaks does not encrypt files but instead relies on data exfiltration for leverage, using a custom tool reportedly derived from the Storage Software used by Hunters’ ransomware affiliates.
This pivot mirrors a broader trend in the cybercrime world, where ransomware actors are increasingly adopting extortion-only tactics, often because encrypting systems triggers quicker law enforcement responses and more aggressive countermeasures.
Legacy of Attacks: Nearly 300 Targets Across Sectors and Continents
Since its emergence in late 2023, Hunters International quickly established itself as one of the most aggressive ransomware groups globally. The group was suspected to be a rebrand of the Hive ransomware group because of notable overlaps in code and targeting strategies. Its malware was cross-platform, hitting Windows, Linux, FreeBSD, SunOS, and VMware ESXi servers, with support for x64, x86, and ARM architectures.
Over the past two years, the group has launched attacks on prominent organizations including:
- U.S. Marshals Service
- Hoya Corporation (Japan)
- Tata Technologies (India)
- AutoCanada
- Austal USA (U.S. Navy contractor)
- Integris Health (Oklahoma)
- Fred Hutch Cancer Center, where they threatened to leak data of over 800,000 cancer patients
Ransom demands often ranged from hundreds of thousands to millions of dollars, depending on the target’s profile and size.