Hunters International shuts ransomware operations, reportedly becomes an extortion-only gang

Published: 2025-07-03

Ransomware gang Hunters International says it’s shutting down its operations for unexplained reasons, and is offering decryption keys to victim organizations.

The offer of decryption keys could be good news for CISOs whose data were recently scrambled and who can’t find a way to decrypt the files. However, judging from the history of ransomware gangs that have shut down before, Hunters International’s members will likely reconstitute around the core of their code and begin anew in one or more groups.

“Whether their offer [of free decryption keys] is true or not is anyone’s guess at this point,” threat analyst Luke Connolly of Emsisoft, who has seen the Hunters announcement, told CSO. “Keep in mind that they are criminals, and ransomware groups are notorious for making false claims in support of their own objectives.”

According to a [report by Singapore-based Group-IB](https://www.group-ib.com/blog/hunters-international-ransomware-group/), Hunters International announced last November that it was shutting down due to government scrutiny and lowered profits, and has been renamed World Leaks.

The report says that, unlike Hunters International, which combined data encryption with extortion, World Leaks operates as an extortion-only group using a custom-built data exfiltration tool. The World Leaks site today claims 31 victims whose data has been stolen.

There is a growing trend towards extortion-only attacks, Group-IB adds. In addition, it says ransomware operators are also adopting stealthier techniques to avoid detection.

Connolly isn’t certain of a link between Hunters International and World Leaks, but a researcher at Sophos disagrees.

“Hunters International has been responsible for listing almost 300 victims on their data leak site since they emerged in late 2023,” commented [Aiden Sinnott](https://www.linkedin.com/in/aiden-sinnott-96b8a998/), senior threat researcher at Sophos. “Despite their claim to shut down the Hunters International group, we believe it is likely that they have rebranded as World Leaks, a new group that does not deploy ransomware, but has conducted data theft and extortion attacks since January.”

Today’s Hunters International statement tries to make the crooks look magnanimous. “We at Hunters International wish to inform you of a significant decision regarding our operations. After careful consideration and in light of recent developments, we have decided to close the Hunters International project. The decision was not made lightly and we recognize the impact it has on the organizations we have interacted with.

“As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.”

To access the decryption keys, victims are asked to go to the gang’s official website.

However, SANS Institute instructor Ryan Chapman recommends that IT departments willing to try that decryptor first perform malware analysis and reverse engineering within safe, sandboxed environments, and not run these tools in production environments. “Decryption tool releases such as this have happened in the past, and are one of the primary reasons we at SANS recommend that ransomware victims back up their most critical encrypted data — you never know when you might be able to decrypt the data in the future.”

The closing of the Hunters International brand may be linked to governments forbidding ransom payments, or demanding that victims report them, as well as to increased pressure against ransomware-as-a-service gangs from police and cybersecurity companies in the past two years. Early in 2024, international law enforcement agencies [arrested two members of the LockBit ransomware gang](https://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates) and seized the group’s web infrastructure. Then, in October, [Europol announced](https://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates) new arrests. Also last year, the FBI said it had [disrupted the Radar/Dispossessor gang](https://www.fbi.gov/contact-us/field-offices/cleveland/news/international-investigation-leads-to-shutdown-of-ransomware-group) and dismantled its servers in the US, the UK and Germany. In addition, a number of botnets that distribute ransomware and information stealers, such as those targeted in [last year’s Operation Endgame](https://www.csoonline.com/article/2132427/operation-endgame-deals-major-blow-to-malware-distribution-botnets.html) against over 100 servers distributing malware, have been smashed or crippled.

“Is this being done in a fit of remorse, or due to potential law enforcement actions as more and more cooperation and coordination is occurring between international law enforcement entities as they go after these groups?” asked Erich Kron, security awareness advocate at KnowBe4. “It’s an answer we may never know. This may also be a rebranding, something that is believed may have happened previously with this group, as many believe it was related to the Hive group when they dissolved. Either way, this is liable to leave many of their affiliates unhappy, as they are not likely to get paid for the infections they started but for which free decryptors are being given to the victims.”

“Odds are at least some of these folks are going to splinter off to other groups, or may have created their own already, so organizations can’t exactly rest any easier,” he added. “Odds are any new groups spawned from this old one will continue to use tactics like social engineering to target victims, so ensuring organizations have a robust human risk management platform in place is still as critical as ever.”

According to the Group-IB report, Hunters International emerged around October 2023, when the gang said it had purchased the source code of the Hive ransomware gang and fixed its flaws. It was known for mainly attacking the real estate, healthcare, and professional services sectors. For some reason, according to Group-IB, Hunters International prohibited attacks on Israel, Turkey, the entire Far East, and the Russia-linked Commonwealth of Independent States (CIS) countries. However, the report adds, data leaks from companies in these regions suggest that these rules weren’t strictly followed.

*This story has been updated with comments from the SANS Institute and KnowBe4.*