{"id":1153,"date":"2025-07-04T19:52:49","date_gmt":"2025-07-04T19:52:49","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/07\/04\/ransomware-hunters-international-is-not-shutting-down-its-rebranding\/"},"modified":"2025-07-04T19:52:49","modified_gmt":"2025-07-04T19:52:49","slug":"ransomware-hunters-international-is-not-shutting-down-its-rebranding","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/07\/04\/ransomware-hunters-international-is-not-shutting-down-its-rebranding\/","title":{"rendered":"Ransomware: Hunters International Is Not Shutting Down, It&#8217;s Rebranding"},"content":{"rendered":"<div id=\"layout-917bdeb1-aab2-4c25-b4d8-769381b8a97a\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>In an unusual turn of events, the ransomware group Hunters International has announced that it is shutting down its operations. Despite the supposed shutdown, those familiar with the group\u2019s activity told <em>Infosecurity <\/em>it is likely that administrators are looking to rebrand and evolve their cybercrime tactics.<\/p>\n<p>A message published in English on the Hunters International data leak site on June 3 confirmed the closure of the Hunters International \u201cproject\u201d.<\/p>\n<p>The statement also said that \u201cas a gesture of goodwill\u201d the ransomware-as-a-service (RaaS) syndicate would offer free decryption software to all companies that have been impacted by the group\u2019s ransomware.<\/p>\n<p>\u201cOur goal is to ensure that you can recover your encrypted data without the burden of paying ransoms,\u201d the statement read.<\/p>\n<\/p><\/div>\n<div id=\"layout-824e7328-43fb-4782-9ac0-49a2f6d557ea\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>Hunters International has been linked to Hive, another RaaS group that was dismantled in January 2023 as part of a global law enforcement operation.<\/p>\n<p>According to the ransomware-tracking 
website Ransomware.live, Hunters International has been active since October 2023 and has claimed 307 victims to date.<\/p>\n<p>These include a US plastic surgeon&#8217;s clinic with an office in Beverly Hills (October 2023), the London subsidiary of the Industrial and Commercial Bank of China (ICBC), a Chinese state-owned bank (September 2024),\u00a0AutoCanada (September 2024) and Tata Technologies (March 2025).<\/p>\n<p>The group\u2019s last known claimed victims were published on its data leak site on May 27, 2025.<\/p>\n<p>Despite the group\u2019s message, there is no decryption key available on the group\u2019s website at the time of writing.<\/p>\n<p>A\u00a0Prodaft threat analyst known as 3xp0rt, who first spotted the group&#8217;s takedown notice, told the\u00a0Risky Business\u00a0media outlet that the decryption keys are being made available via Hunters&#8217; backend.<\/p>\n<p>&#8220;We have information that victims are required to log in to a portal mentioned in the ransom note using their existing credentials to obtain the decryption software,&#8221; 3xp0rt said.<\/p>\n<h2><strong>Hunters International Bid Farewell to Encryption <\/strong><\/h2>\n<p>Before the June 3 message, administrators of Hunters International expressed their willingness to cease encryption-based cyber extortion several times already.<\/p>\n<p>According to several reports by Group-IB, the group\u2019s operators released an internal note in Russian to their partners about the end of the project on November 17, 2024.<\/p>\n<p>\u201cIn a sort of \u2018farewell letter\u2019, the group\u2019s leadership claimed that the ransomware business has become risky and unprofitable due to actions taken by government bodies and the negative impact caused by ongoing geopolitics globally,\u201d researchers from Group-IB explained in a report published on April 2, 2025.<\/p>\n<p>As a result, the Hunters International operators released a new project on January 1, 2025, under the name <em>World 
Leaks<\/em>.<\/p>\n<p>Instead of encrypting the data of their victims and conducting double extortion, the new group would shift to encryption-less, extortion-only attacks.<\/p>\n<p>According to Ransomware.live, World Leaks has been active since May 18, 2025 \u2013 just a few days before Hunters International\u2019s last victim claims \u2013 and has claimed 31 victims to date.<\/p>\n<p>Notably,\u00a0World Leaks is believed to have conducted a cyber extortion campaign against a third-party supplier of Swiss bank UBS in June 2025, which led to 130,000 UBS employees having their\u00a0data published on the dark web.<\/p>\n<p>However, a report by Group-IB, shared with <em>Infosecurity<\/em>, suggested that the Hunters International story could be more complicated than a simple rebrand.<\/p>\n<p>The report, initially shared with the firm\u2019s customers as a TLP:Amber notification in January 2025, indicated that a Hunters International administrator published a note in the group\u2019s affiliate panel on January 18 to inform them that the \u201cproject\u201d would not be closed yet.<\/p>\n<p>After being translated from Russian to English, the note read, \u201cWe are pleased to inform you that the collective decision was to resume the work of the data encryption project.\u201d<\/p>\n<p>According to the Group-IB report, the operator claimed the decision was made after the new \u201cproject,\u201d World Leaks, contained \u201cmany bugs.\u201d<\/p>\n<p>\u2018Dissent Doe,\u2019 a pseudonymous cybersecurity blogger and author of the website DataBreaches.net, reported on July 3 that a World Leaks spokesperson told them that the group of people that started World Leaks had parted company with some Hunters International administrators over the use of encryption.<\/p>\n<p>\u201cWe were a part of them, but separated due to differences in views and ideas. 
The main difference is that we don\u2019t want to harm businesses by blocking their operability,\u201d the spokesperson reportedly said.<\/p>\n<p>\u201cData extortion is a much better business model because it doesn\u2019t render companies inoperable and boosts overall cybersecurity to protect private customers\u2019 data,\u201d they added.<\/p>\n<p>However, in its latest English-language message announcing the shutdown of its operations, Hunters International has not mentioned World Leaks or the fact that individuals previously associated with the RaaS group would continue to conduct cyber extortion campaigns.<\/p>\n<h2><strong>A Stealthy Rebrand to World Leaks<\/strong><\/h2>\n<p>Speaking to <em>Infosecurity<\/em>, a Group-IB spokesperson said the firm\u2019s threat intelligence analysts assessed \u201cwith high confidence\u201d that World Leaks is a project operated by individuals previously involved in the administration of Hunters International.<\/p>\n<p>Although the group behind Hunters International has not publicly acknowledged any connection to World Leaks, the Group-IB spokesperson said their research indicated that internal communications suggested a coordinated transition to World Leaks.<\/p>\n<p>\u201cThe absence of any reference to World Leaks in [the July 3] message appears intentional and is likely designed to control the narrative and delay attribution,\u201d they added.<\/p>\n<p>The threat intelligence analysts acknowledged that the group of administrators previously running Hunters International may have split into two groups, one that shut down operations and the other that continued encryption-less extortion activity under the name World Leaks.<\/p>\n<p>However, they believe this scenario to be \u201ca secondary, lower-confidence theory.\u201d<\/p>\n<p>Instead, it is more likely that the administrators rebranded in a move to \u201cdistance World Leaks from the ransomware label.\u201d<\/p>\n<p>\u201cContinuing under the Hunters International 
name, which was strongly associated with double extortion, could confuse victims or lead to misattribution. Disassociating from a known entity allows the group to evade immediate scrutiny and reputational baggage. This tactic also helps them maintain the illusion of operational integrity while continuing illicit activities under a new guise. The timing and vagueness of their shutdown announcement reinforce this interpretation,\u201d Group-IB added.<\/p>\n<p>Finally, the Group-IB analysts assessed that, while they have not been able to verify their effectiveness, the apparent release of free decryption keys is far from a mere \u201cgesture of goodwill\u201d as the group claimed.<\/p>\n<p>Instead, the analysts believe the move to be another deliberate attempt to prevent public association between Hunters International and World Leaks and \u201ca reputational tactic.\u201d<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In an unusual turn of events, the ransomware group Hunters International has announced that it is shutting down its operations. Despite the supposed shutdown, those familiar with the group\u2019s activity told Infosecurity it is likely that administrators are looking to rebrand and evolve their cybercrime tactics. 
A message published in English on the Hunters International<\/p>\n","protected":false},"author":2,"featured_media":1154,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1153-baf4e64b-c107-4bc7-ac9c-4ac513cb700c-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=1153"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1153\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/1154"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=1153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=1153"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=1153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}