Hunters International, a notorious ransomware gang with ties to past high-profile cyberattacks, says it’s closing shop. The group made the announcement Thursday via its darknet extortion site, claiming it would release free decryption tools to help past victims recover data.
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” read the statement. No further detail was given on what those “developments” might be. The group added that the decision “was not made lightly.”
Hunters International said it wanted to ensure that victims were able to recover their encrypted data without the burden of paying an extortion fee. It acknowledged the toll ransomware attacks take on organizations and framed the gesture as a form of redress.
But security experts remain doubtful. Incident responders told Recorded Future News that the group’s decryptors are often clunky or ineffective. Whether this offer brings relief to victims is still unclear.
Hunters operated for just under two years, leaving a trail of extortions. Among the most notable targets: a Seattle-based cancer center, Hoya, Tata Technologies, AutoCanada, and the U.S. Marshals Service. The group built its brand around aggressive tactics, but this week’s shutdown feels less like repentance and more like rebranding.
This isn’t the first time the group said it would walk away. In November 2024, Hunters made a similar announcement under pressure. The closure never came.
Instead, early 2025 saw the emergence of World Leaks, a new extortion outfit with familiar code and a strikingly similar website. Researchers at cybersecurity firm Group-IB believe the same people are behind both operations. Their analysis suggests World Leaks is a continuation of the Hunters effort, dressed in a new skin.
World Leaks has taken a more media-savvy approach. Its homepage now features the mastheads of international news outlets. It even invites journalists to sign up for “early access” to leaked documents related to new victims.
Group-IB suspects some of the operators behind World Leaks and Hunters may also have been part of Hive, an infamous ransomware gang dismantled by law enforcement in 2023. Similarities in code and behavior point to shared DNA.
Hunters International once claimed it had purchased Hive’s source code. But that story may have been a smokescreen, meant to distance the operators from their past. On underground forums, users often referred to Hunters as “хайв,” or Hive in Russian.
“Cybercriminals involved with ransomware claimed that they were contacted by the Hunters International’s administrator using the same instant messaging account associated with Hive,” said Group-IB in a statement. “Therefore, based on the information presented so far, we assess with moderate confidence that Hunters International is possibly a rebrand of Hive.”
If that’s true, Thursday’s announcement is less a shutdown than a sleight of hand.
For victims, the gesture may mean little. The tools offered may not work. The threat actors may simply have moved on. And the playbook, encryption, extortion, rebrand, continues.
Not Goodwill, a Rebrand
Dray Agha, senior manager of security operations at Huntress, said: “While Hunters International frames their shutdown as a ‘gesture of goodwill,’ this is likely a strategic rebrand – not repentance – as they have morphed into the group ‘World Leaks’, an extortion-only operation. Ransomware groups are pivoting to ‘steal-only’ extortion for lower risk and faster payouts, and defences must evolve beyond reliance on backups. Proactive measures like 24/7 detection and response, identity protection, and security awareness training are essential to disrupt attacks before data exfiltration can take place.”
Daniel dos Santos, Sr. Director, Head of Research at Forescout, added: “Hunters International shutting down its operations does not come as a surprise. Ransomware groups often rebrand, and it was already known that Hunters was operating in data exfiltration under the World Leaks name. Their move from data encryption to pure data exfiltration is more interesting as it confirms that ransomware gangs are well aware that law enforcement activity against ransomware is likely to increase, with the fight against these gangs ‘moving from the virtual to the real plane’ in their own words.”
Good News for Healthcare Operators?
Dos Santos says this could be good news for healthcare operators, manufacturing companies, retailers, and others that often had to stop operations in the past half decade due to ransomware encrypting their systems. “It does come at a time of record-setting data breaches, though, so it’s not all good news. The news that they will release decryptors for free should also be taken with a grain of salt. Our recent analysis of ransomware negotiations has shown that even when victims pay for decryptors, these tools often do not work, and cybercriminals offer little in terms of ‘customer support.’ I don’t expect that a freely released decryptor would work 100% of the time.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.