Hunters International Ransomware Is Not Shutting Down, It's Rebranding

Reporter, Infosecurity Magazine

In an unusual turn of events, the ransomware group Hunters International has announced that it is shutting down its operations. Despite the supposed shutdown, those familiar with the group's activity told Infosecurity that its administrators are likely looking to rebrand and evolve their cybercrime tactics.

A message published in English on the Hunters International data leak site on July 3 confirmed the closure of the "Hunters International project."

The statement also said that, as a "gesture of goodwill," the ransomware-as-a-service (RaaS) syndicate would offer free decryption software to all companies that have been impacted by the group's ransomware.

"Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms," the statement read.

Hunters International has been linked to Hive, another RaaS group that was dismantled in January 2023 as part of a global law enforcement operation.

According to the ransomware-tracking website Ransomware.live, Hunters International has been active since October 2023 and has claimed 307 victims to date.

These include a US plastic surgeon's clinic with an office in Beverly Hills (October 2023), the London subsidiary of the Industrial and Commercial Bank of China (ICBC), a Chinese state-owned bank (September 2024), AutoCanada (September 2024) and Tata Technologies (March 2025).

The group's last known claimed victims were published on its data leak site on May 27, 2025.

Despite the group's message, there was no decryption key available on the group's website at the time of writing.

A Prodaft threat analyst known as 3xp0rt, who first spotted the group's takedown notice, told the Risky Business media outlet that the decryption keys are being made available via Hunters' backend.

"We have information that victims are required to log in to a portal mentioned in the ransom note using their existing credentials to obtain the decryption software," 3xp0rt said.

Before the July 3 message, administrators of Hunters International had already expressed their willingness to cease encryption-based cyber extortion several times.

According to several reports by Group-IB, the group's operators released an internal note in Russian to their partners about the end of the project on November 17, 2024.

In a sort of farewell letter, the group's leadership claimed that the ransomware business had become "risky and unprofitable due to actions taken by government bodies and the negative impact caused by ongoing geopolitics globally," researchers from Group-IB explained in a report published on April 2, 2025.

As a result, the Hunters International operators launched a new project on January 1, 2025, under the name World Leaks.

Instead of encrypting the data of their victims and conducting double extortion, the new group would shift to encryption-less, extortion-only attacks.

According to Ransomware.live, World Leaks has been active since May 18, 2025, just a few days before Hunters International's last victim claims, and has claimed 31 victims to date.

Notably, World Leaks is believed to have conducted a cyber extortion campaign against a third-party supplier of the Swiss bank UBS in June 2025, which led to the data of 130,000 UBS employees being published on the dark web.

However, a report by Group-IB shared with Infosecurity suggested that the Hunters International story could be more complicated than a simple rebrand.

The report, initially shared with the firm's customers as a TLP:AMBER notification in January 2025, indicated that a Hunters International administrator published a note in the group's affiliate panel on January 18 to inform affiliates that the project would not be closed yet.

Translated from Russian to English, the note read: "We are pleased to inform you that the collective decision was to resume the work of the data encryption project."

According to the Group-IB report, the operator claimed the decision was made because the new project, World Leaks, contained many bugs.

Dissent Doe, a pseudonymous cybersecurity blogger and author of the website DataBreaches.net, reported on July 3 that a World Leaks spokesperson told them that the group of people who started World Leaks had parted company with some Hunters International administrators over the use of encryption.

"We were a part of them but separated due to differences in views and ideas. The main difference is that we don't want to harm businesses by blocking their operability," the spokesperson reportedly said.

"Data extortion is a much better business model because it doesn't render companies inoperable and boosts overall cybersecurity to protect private customers' data," they added.

However, in its latest English-language message announcing the shutdown of its operations, Hunters International did not mention World Leaks or the fact that individuals previously associated with the RaaS group would continue to conduct cyber extortion campaigns.

Speaking to Infosecurity, a Group-IB spokesperson said the firm's threat intelligence analysts assessed with high confidence that World Leaks is a project operated by individuals previously involved in the administration of Hunters International.

Although the group behind Hunters International has not publicly acknowledged any connection to World Leaks, the Group-IB spokesperson said their research indicated that internal communications suggested a coordinated transition to World Leaks.

"The absence of any reference to World Leaks in the July 3 message appears intentional and is likely designed to control the narrative and delay attribution," they added.

The threat intelligence analysts acknowledged that the group of administrators previously running Hunters International may have split into two groups: one that shut down operations and another that continued encryption-less extortion activity under the name World Leaks.

However, they consider this scenario a secondary, lower-confidence theory.

Instead, it is more likely that the administrators rebranded in a move to distance World Leaks from the "ransomware" label.

"Continuing under the Hunters International name, which was strongly associated with double extortion, could confuse victims or lead to misattribution. Disassociating from a known entity allows the group to evade immediate scrutiny and reputational baggage. This tactic also helps them maintain the illusion of operational integrity while continuing illicit activities under a new guise. The timing and vagueness of their shutdown announcement reinforce this interpretation," Group-IB added.

Finally, the Group-IB analysts assessed that, while they have not been able to verify its effectiveness, the apparent release of free decryption keys is far from a mere "gesture of goodwill," as the group claimed.

Instead, the analysts believe the move to be another deliberate attempt to prevent public association between Hunters International and World Leaks, and a reputational tactic.