Article Details
Scrape Timestamp (UTC): 2025-07-03 10:58:07.646
Original Article Text
Hunters International ransomware shuts down after World Leaks rebrand
The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
"After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang says in a statement published on its dark web leak site earlier today.
"As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms."
The threat actors added that companies whose systems were encrypted in Hunters International ransomware attacks can request decryption tools and recovery guidance on the gang's official website.
While the ransomware group doesn't explain what "recent developments" it refers to, today's announcement follows a November 17 statement saying that Hunters International will soon shut down because of increased law enforcement scrutiny and declining profitability.
Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks, and had launched a new extortion-only operation known as "World Leaks."
"Unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group using a custom-built exfiltration tool," Group-IB said at the time, adding that the new tool appears to be an upgraded version of the Storage Software exfiltration tool used by Hunters International's ransomware affiliates.
Hunters International emerged in late 2023 and was flagged by security researchers and ransomware experts as a potential rebrand of Hive due to code similarities. The ransomware group's malware targets a wide range of platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers), and it also comes with support for x64, x86, and ARM architectures.
Over the last two years, Hunters International has targeted companies of all sizes, with ransom demands ranging from hundreds of thousands to millions of dollars, depending on the size of the breached organization. The ransomware gang has claimed responsibility for almost 300 attacks worldwide, making it one of the most active ransomware operations in recent years.
Notable victims claimed by Hunters International include the U.S. Marshals Service, Japanese optics giant Hoya, Tata Technologies, North American automobile dealership AutoCanada, U.S. Navy contractor Austal USA, and Integris Health, Oklahoma's largest not-for-profit healthcare network. In December 2024, Hunters International also hacked the Fred Hutch Cancer Center, threatening to leak the stolen data of over 800,000 cancer patients if they were not paid.
Daily Brief Summary
The Hunters International Ransomware-as-a-Service (RaaS) group has announced that it has ceased operations and is offering free decryption tools to its victims.
The shutdown follows a November 17 statement in which the group said it would soon close because of increased law enforcement scrutiny and declining profitability.
The group says its goal is for affected companies to recover their encrypted data without the burden of paying a ransom.
Hunters International previously combined encryption with extortion; Group-IB reported in April that it was rebranding and had launched an extortion-only operation called World Leaks.
World Leaks focuses exclusively on data theft and extortion, using a custom-built exfiltration tool that, according to Group-IB, appears to be an upgraded version of the Storage Software tool used by Hunters International's affiliates.
Over its active period, Hunters International claimed responsibility for almost 300 attacks worldwide, targeting companies of all sizes with ransom demands ranging from hundreds of thousands to millions of dollars.
The organization claimed numerous victims, including the U.S. Marshals Service, Hoya, Tata Technologies, and various other significant entities across different sectors.
Hunters International emerged in late 2023 and was flagged as a potential rebrand of Hive due to code similarities; its malware targets a wide range of platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers).