Original Article Text

Hunters International shifts from ransomware to pure data extortion. The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding, with plans to switch to data theft and extortion-only attacks.

As threat intelligence firm Group-IB revealed this week, the cybercrime group remained active despite announcing on November 17, 2024, that it was shutting down due to declining profitability and increased government scrutiny. Since then, Hunters International has launched a new extortion-only operation known as "World Leaks" on January 1, 2025.

"From the administrator's perspective, ransomware is no longer profitable and risky. The criminals collaborating with the group will be provided with a purportedly self-developed exfiltration tool designed to automate the process of data exfiltration in the victims' networks," Group-IB said on Wednesday. "Unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group using a custom-built exfiltration tool."

The new tool appears to be an upgraded variant of the Storage Software exfiltration tool that Hunters International's ransomware affiliates also use.

Hunters International surfaced in late 2023 and was flagged as a possible rebrand of Hive because of code similarities. Its ransomware targets a wide range of platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers), and it also supports the x64, x86, and ARM architectures. Since its emergence, this ransomware gang has claimed over 280 attacks against organizations worldwide, making it one of the most active ransomware operations.

Notable victims claimed by Hunters International include Tata Technologies, North American automobile dealership AutoCanada, the U.S. Marshals Service, Japanese optics giant Hoya, U.S. Navy contractor Austal USA, and Oklahoma's largest not-for-profit health network, Integris Health.

Hunters International also breached the Fred Hutch Cancer Center in December, threatening to leak the stolen data of over 800,000 cancer patients if it wasn't paid. So far, Hunters International operators have targeted companies of all sizes. BleepingComputer has seen ransom demands ranging from hundreds of thousands to millions of dollars, depending on the breached organization's size.

Daily Brief Summary

CYBERCRIME // Hunters International Shifts From Ransomware to Data Extortion

Hunters International is transitioning from its Ransomware-as-a-Service model to focus solely on data theft and extortion.

Despite announcing a shutdown in November 2024, the group resumed activities under a new name, "World Leaks," starting January 1, 2025.

World Leaks will use a new, custom-built tool for data exfiltration, diverging from its previous approach that included data encryption and extortion.

This move reflects a strategy shift due to decreasing profitability and increased risk in ransomware operations amid heightened government scrutiny.

The group has been highly active since its emergence, claiming over 280 attacks against diverse organizations globally.

Notable victims include major entities such as Tata Technologies, U.S. Marshals Service, and Integris Health.

Group-IB highlights that the new operation will not encrypt data but will threaten to leak stolen information unless a ransom is paid.