Ransomware gang Hunters International says it’s shutting down its operations for unexplained reasons, and is offering decryption keys to victim organizations.
The offer of decryption keys could be good news for CISOs whose data were recently scrambled and who can’t find a way to decrypt the files. However, judging from the history of ransomware gangs that have shut down before, Hunters International’s members will likely reconstitute with the heart of their code and begin anew in one or more groups.
“Whether their offer [of free decryption keys] is true or not is anyone’s guess at this point,” threat analyst Luke Connolly of Emsisoft, who has seen the Hunters announcement, told CSO. “Keep in mind that they are criminals, and ransomware groups are notorious for making false claims in support of their own objectives.”
According to a report by Singapore-based Group-IB, Hunters International announced last November that it was shutting down due to government scrutiny and lowered profits, and has been renamed World Leaks.
The report says that, unlike Hunters International, which combined data encryption with extortion, World Leaks operates as an extortion-only group using a custom-built data exfiltration tool. The World Leaks site today claims 31 victims whose data has been stolen.
There is a growing trend towards extortion-only attacks, Group-IB adds. In addition, it says ransomware operators are adopting stealthier techniques to avoid detection.
Connolly isn’t certain that Hunters International is linked to World Leaks, but a researcher at Sophos disagrees.
“Hunters International has been responsible for listing almost 300 victims on their data leak site since they emerged in late 2023,” commented Aiden Sinnott, senior threat researcher at Sophos. “Despite their claim to shut down the Hunters International group, we believe it is likely that they have rebranded as World Leaks, a new group that does not deploy ransomware, but has conducted data theft and extortion attacks since January.”
Today’s Hunters International statement tries to make the crooks look magnanimous. “We at Hunters International wish to inform you of a significant decision regarding our operations. After careful consideration and in light of recent developments we have decided to close the Hunters International project. The decision was not made lightly and we recognize the impact it has on the organizations we have interacted with.
“As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.”
To access the decryption keys, victims are asked to go to the gang’s official website.
However, SANS Institute instructor Ryan Chapman recommends IT departments willing to try that decryptor first perform malware analysis/reverse engineering within safe, sandboxed environments and not try to run these tools in production environments. “Decryption tool releases such as this have happened in the past, and are one of the primary reasons we at SANS recommend that ransomware victims back up their most critical encrypted data — you never know when you might be able to decrypt the data in the future.”
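One concrete way to act on the advice above (keep a copy of the encrypted data, and treat any decryptor as untrusted) is to record an integrity manifest of the encrypted files before a decryptor is ever run against them, and check it afterwards. The following Python script is an added example for this article; it is not code from SANS, Emsisoft, or any of the parties quoted. The file names and bytes it uses are constructed sample data, and the `.locked` suffix is an assumed placeholder rather than the extension any particular ransomware family uses.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large encrypted blobs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path, size and SHA-256 of every file under root.

    Taken before any decryption attempt, this is the 'known state' of the
    encrypted data; the offline backup copy should match it exactly.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Persist the manifest as JSON (store it alongside the offline backup)."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a saved manifest.

    Returns lists of files that vanished, changed content/size, or appeared.
    A non-empty 'modified' or 'missing' list after a decryptor run means the
    encrypted originals were touched and the backup copy must be used instead.
    """
    current = build_manifest(root)
    return {
        "missing": [k for k in manifest if k not in current],
        "modified": [k for k in manifest if k in current and current[k] != manifest[k]],
        "unexpected": [k for k in current if k not in manifest],
    }


def demo() -> dict:
    """Constructed walkthrough: snapshot two fake encrypted files, then simulate
    a misbehaving decryptor that corrupts one and deletes the other."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample data, not real ransomware output.
        (root / "invoice.pdf.locked").write_bytes(b"\x9f\x3a\x00\x11" * 64)
        (root / "sub").mkdir()
        (root / "sub" / "db.bak.locked").write_bytes(b"\x42\x17\xee" * 128)

        manifest = build_manifest(root)
        save_manifest(manifest, root / "manifest.json.example")
        # Verify against the tree as it was when the manifest was taken
        # (the manifest file itself shows up as 'unexpected', which is expected here).
        clean = verify_manifest(root, manifest)

        # Simulate a decryptor that wrote garbage over one file and removed another.
        (root / "invoice.pdf.locked").write_bytes(b"garbage")
        (root / "sub" / "db.bak.locked").unlink()
        tampered = verify_manifest(root, manifest)

        return {
            "files_recorded": len(manifest),
            "clean_missing": clean["missing"],
            "clean_modified": clean["modified"],
            "modified_after_run": tampered["modified"],
            "missing_after_run": tampered["missing"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_manifest` over the affected shares before trying any decryptor, keep the manifest with the offline copy, exercise the decryptor in an isolated sandbox on a small sample, and only then run `verify_manifest` to confirm the originals were not altered before scaling up.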
The closing of the Hunters International brand may be linked to governments forbidding ransom payments, or demanding that victims report them, as well as to increased pressure on ransomware-as-a-service gangs from police and cybersecurity companies over the past two years. Early in 2024, international law enforcement agencies arrested two members of the LockBit ransomware gang and seized the group’s web infrastructure. Then, in October, Europol announced new arrests. Also last year, the FBI said it had disrupted the Radar/Dispossessor gang and dismantled its servers in the US, the UK and Germany. In addition, a number of botnets that distribute ransomware and information stealers, such as those targeted in last year’s Operation Endgame against over 100 malware-distribution servers, have been smashed or crippled.
“Is this being done in a fit of remorse, or due to potential law enforcement actions as more and more cooperation and coordination is occurring between international law enforcement entities as they go after these groups?” asked Erich Kron, security awareness advocate at KnowBe4. “It’s an answer we may never know. This may also be a rebranding, something that is believed may have happened previously with this group as many believe it was related to the Hive group when they dissolved. Either way, this is liable to leave many of their affiliates unhappy as they are not likely to get paid for the infections they started, but for which free decryptors are being given to the victims.”
“Odds are at least some of these folks are going to splinter off to other groups, or may have created their own already, so organizations can’t exactly rest any easier,” he added. “Odds are any new groups spawned from this old one will continue to use tactics like social engineering to target victims, so ensuring organizations have a robust human risk management platform in place is still as critical as ever.”
According to the Group-IB report, Hunters International emerged around October 2023, when the gang said it had purchased the source code of the Hive ransomware gang and fixed its flaws. It was known for mainly attacking real estate, healthcare, and professional services sectors. For some reason, according to Group-IB, Hunters International prohibited attacks on Israel, Turkey, the entire Far East, and the Russia-linked Commonwealth of Independent States (CIS) countries. However, the report adds, data leaks from companies in these regions suggest that these rules weren’t strictly followed.
This story has been updated with comments from the SANS Institute and KnowBe4.