Summary
Ransomware gang Hunters International says it is closing down and is offering free decryption software to organizations it previously attacked. Researchers at Group-IB and Sophos believe the operation has rebranded as World Leaks, an extortion-only group that steals data without deploying ransomware. No new breach is reported here; the item is threat intelligence relevant to past Hunters International victims and to defenders tracking the shift toward extortion-only attacks.
Ransomware gang Hunters International says it is shutting down its operations for unexplained reasons and is offering decryption keys to victim organizations.

The offer of decryption keys could be good news for CISOs whose data were recently scrambled and who cannot find a way to decrypt the files. However, judging from the history of ransomware gangs that have shut down before, Hunters International’s members will likely reconstitute around the core of their code and begin anew in one or more groups.

“Whether their offer [of free decryption keys] is true or not is anyone’s guess at this point,” threat analyst Luke Connolly of Emsisoft, who has seen the Hunters announcement, told CSO. “Keep in mind that they are criminals, and ransomware groups are notorious for making false claims in support of their own objectives.”

According to a report by Singapore-based Group-IB, Hunters International announced last November that it was shutting down due to government scrutiny and lowered profits, and has been renamed World Leaks. The report says that, unlike Hunters International, which combined data encryption with extortion, World Leaks operates as an extortion-only group using a custom-built data exfiltration tool. The World Leaks site today claims 31 victims whose data has been stolen.

There is a growing trend towards extortion-only attacks, Group-IB adds. In addition, it says ransomware operators are also adopting stealthier techniques to avoid detection.

Connolly isn’t certain of a link between Hunters International and World Leaks, but a researcher at Sophos disagrees.

“Hunters International has been responsible for listing almost 300 victims on their data leak site since they emerged in late 2023,” commented Aiden Sinnott, senior threat researcher at Sophos. “Despite their claim to shut down the Hunters International group, we believe it is likely that they have rebranded as World Leaks, a new group that does not deploy ransomware, but has conducted data theft and extortion attacks since January.”

Today’s Hunters International statement tries to make the crooks look magnanimous. “We at Hunters International wish to inform you of a significant decision regarding our operations. After careful consideration and in light of recent developments we have decided to close the Hunters International project. The decision was not made lightly and we recognize the impact it has on the organizations we have interacted with.

“As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.”

To access the decryption keys, victims are asked to go to the gang’s official website.

The closing of the Hunters International brand may be linked to governments forbidding ransom payments, or demanding that victims report them, as well as to increased pressure on ransomware-as-a-service gangs from police and cybersecurity companies over the past two years. Early in 2024, international law enforcement agencies arrested two members of the LockBit ransomware gang and seized the group’s web infrastructure. Then, in October, Europol announced new arrests. Also last year, the FBI said it had disrupted the Radar/Dispossessor gang and dismantled its servers in the US, the UK and Germany.

In addition, a number of botnets that distribute ransomware and information stealers, such as those targeted in last year’s Operation Endgame against over 100 servers distributing malware, have been smashed or crippled.

According to the Group-IB report, Hunters International emerged around October 2023, when the gang said it had purchased the source code of the Hive ransomware gang and fixed its flaws. It mainly attacked the real estate, healthcare, and professional services sectors. Group-IB says Hunters International prohibited attacks on Israel, Turkey, the entire Far East, and the Russia-linked Commonwealth of Independent States (CIS) countries, without giving a reason. However, the report adds, data leaks from companies in these regions suggest that these rules weren’t strictly followed.
Recommendations
For organizations previously hit by Hunters International:
1. Treat the offered decryption software as untrusted. Obtain and run it only through your incident response provider or a reputable security vendor, analyze it in an isolated environment, and test it on copies of encrypted files before it touches any production data.
2. Do not assume the decryptor recovers everything. Verify decrypted files against known-good backups or checksums where they exist, and keep the original encrypted copies until recovery is confirmed.
3. Remember that Hunters International also exfiltrated data, so a working decryptor does not end the extortion risk. Keep legal counsel involved and review regulatory notification obligations as required.

General recommendations, given the shift toward extortion-only operations:
1. Maintain tested, offline or immutable backups and recovery procedures.
2. Monitor for large or unusual outbound data transfers, since extortion-only groups such as World Leaks rely on exfiltration rather than encryption.
3. Consider engaging external cybersecurity experts if you find indicators of Hunters International or World Leaks activity in your environment.
Source: CSO