Cybercriminals Exit Stage: Hunters International Ceases Operations, Hands Over Decryption Keys
Hunters International Ransomware Group shuts down and returns decryption keys
The notorious ransomware-as-a-service (RaaS) group Hunters International has announced it is shutting down operations, offering free decryption keys to all previous victims as a "gesture of goodwill." According to security researchers, the group, which emerged in 2023 from the remnants of the dismantled Hive ransomware operation, has claimed responsibility for over 250 cyber attacks compromising more than 3 million records during its two-year run.
Origins from Hive Group:
Hunters International emerged in October 2023 following the dismantling of the Hive ransomware operation by law enforcement in January of the same year. While initially thought to be a direct rebrand of Hive due to approximately 60% code overlap between the two ransomware strains, Hunters International claimed to be an independent "startup RaaS" that purchased Hive's source code and infrastructure to jumpstart their operations. This acquisition allowed them to launch with a mature toolkit while making several improvements to the original code.
The group's connection to Hive extends beyond code similarities. Security researchers noted that Hunters International's ransomware is built on Rust, a programming language that Hive had transitioned to in July 2022 for increased resistance to reverse engineering. Unlike Hive, however, Hunters International placed greater emphasis on data exfiltration than on encryption, with Martin Zugec of Bitdefender noting that "all reported victims had data exfiltrated, but not all of them had their data encrypted." The group has targeted organizations across approximately 30 countries, with victims spanning industries from healthcare and education to manufacturing and financial services.
Free Decryption Keys Offer:
In their shutdown announcement, Hunters International promised to provide free decryption software to all companies affected by their ransomware, allowing victims to recover encrypted data without paying ransoms. However, security professionals advise caution when using these decryption keys. As Deepwatch's Cragle colorfully put it, "Those free decryption keys? Maybe they help, maybe they hurt. It's like getting a USB in the mail labeled 'bonuses'". Victims considering using the keys should proceed with extreme caution and thoroughly vet everything to avoid potentially worsening their situation.
The availability of free decryptors doesn't necessarily signal the permanent disappearance of the threat actors behind Hunters International. Security experts like Dave Tyson of Apollo Information Systems suggest this is likely a "temporary exit, rebrand, and reshuffling of members to rebuild their anonymity". This pattern aligns with evidence that the group may have already launched a new extortion-only operation called World Leaks, which reportedly separated from Hunters International over disagreements about using encryption that renders companies inoperable.
World Leaks Rebranding:
The cybercriminal group's supposed shutdown in November 2024 proved to be misleading, as Hunters International quietly relaunched on January 1, 2025, under the "World Leaks" brand. This strategic pivot represents a fundamental shift in their business model—abandoning encryption-based ransomware entirely in favor of pure data theft and extortion tactics. According to Group-IB, the operators cited declining profitability and increased law enforcement pressure as key motivations, describing ransomware as "unpromising, low-converting, and extremely risky."
To power this new extortion-only operation, World Leaks equipped its affiliates with an upgraded version of their "Storage Software" exfiltration tool, specifically designed to automate data theft across victim networks. The group maintains its dark web leak site where stolen information serves as leverage to extract payments from victims desperate to avoid public exposure. Despite dropping encryption from their arsenal, World Leaks continues to recruit collaborators through a dedicated affiliate panel, suggesting this rebrand represents not the end of the threat actors' activities, but rather an evolution of their criminal enterprise to adapt to changing cybersecurity landscapes.