The infamous ransomware group Hunters International announced the shutdown of their operation and the release of free decryptors of all victims.
The announcement was made roughly three months after threat intelligence firm Group-IB reported that the group was in the process of rebranding to World Leaks, with a focus on data extortion.
Hunters has been active since late 2023 when it emerged as a rebrand of the Hive ransomware gang. Operating as a ransomware-as-a-service (RaaS), the group hit over 300 victims, mostly in North America.
Over the course of its operation, the group targeted systems running different operating systems across multiple architectures, hitting organizations of all sizes, stealing their data for double extortion, and tailoring the ransom demands for each victim.
In April, Group-IB warned of a shift in the gang’s tactics that was observed last year, when it started directly contacting the victim’s leadership and employees for extortion, instead of listing the organization on its Tor-based leak site.
The cybersecurity firm said at the time that Hunters was moving away from file-encrypting ransomware operations to a project called World Leaks.
The gang has now removed all victim names from the leak site and posted a message announcing the shutdown of the operation.
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the announcement reads.
“As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms,” it continues.
According to Comparitech head of research Rebecca Moody, the release of free decryption keys may have no impact, as most of the RaaS’s victims would have already restored their systems, given that Hunters has not claimed a new attack since May.
“Ultimately, Hunters International hasn’t had a fit of conscience but has seen another (potentially more lucrative) revenue stream in data theft. Having rebranded as World Leaks, it is now extorting victims for data theft–something Hunters International was previously quite successful at,” Moody said in an emailed comment.
World Leaks emerged in January 2025 and already has 20 victims named on its Tor-based leak site, with the data allegedly stolen from 17 of them already made public. Last month, the gang added Swiss procurement service provider Chain IQ to the portal.
Unlike Hunters International, World Leaks does not use file-encrypting ransomware, but focuses on data theft, a trend that other hacking groups are likely to follow.
“I do think we’ll see a number of other gangs following suit, as hackers are becoming increasingly reliant on data theft in their attacks. Perhaps we will need to rethink our definition of ransomware in the future, but for now, attacks via the likes of World Leaks are cyberattacks not ransomware attacks,” Moody said.
According to KnowBe4 security awareness advocate Erich Kron, Hunters International’s release of free decryption keys could be the result of potential law enforcement actions, given the increased cooperation and coordination between authorities across the world in taking down ransomware groups.
The shift to data extraction and extortion “is less likely to draw the focused attention of law enforcement since they are not taking down the operations of the company or other entity,” and the impact on the victim organizations could be much lower, Kron commented.
“Many ransomware groups have toyed with data theft only, especially as organizations get better about quickly restoring from file encryption, so that part carries less weight,” Kron said.
Related: Sensitive Information Stolen in Sensata Ransomware Attack
Related: Ransomware Group Claims Attack on Tata Technologies
Related: FBI Aware of 900 Organizations Hit by Play Ransomware
Related: Ransomware Gang Leaks Alleged Kettering Health Data
