Hunters International ransomware group claims to be shutting down
The Hunters International ransomware group claimed on Thursday it would be shutting down and providing free decryption software to previous victims, although it is unclear how many of the cybercriminals' targets were actual victims of encryption attacks.
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the gang wrote in a statement on its darknet extortion site.
It did not attempt to explain what these “recent developments” were but added: “This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with.”
It is unclear whether many Hunters International victims will find the decryption software useful. Recorded Future News understands that incident responders generally regard it as poorly designed. The group said it wanted to ensure its ransomware victims were able to recover their encrypted data without the burden of paying an extortion fee.
“We understand the challenges that ransomware attacks pose, and we hope that this initiative will help you regain access to your critical information swiftly and efficiently,” added the statement.
After just under two years in operation, during which the gang tried to extort hundreds of victims, including a prominent cancer center based in Seattle and the U.S. Marshals Service, the move may not be quite the Damascene conversion the cybercriminals are dressing it up as.
Hunters International first announced last November that it was closing because of scrutiny, although it failed to do so. Earlier this year the cybersecurity company Group-IB published research revealing that the gang's administrators were planning to relaunch as an extortion-only service called World Leaks.
World Leaks is currently in operation with a site that shares the same design as Hunters International. It is attempting to build a name for itself with a homepage featuring the mastheads of several international newspapers, and it invites journalists to sign up to receive "early access to insights and disclosures" about the victims it is attempting to extort.
Group-IB assessed that some of the World Leaks and Hunters administrators may previously have been involved in the Hive operation, which was infiltrated and shut down by law enforcement in 2023, based on similarities seen in code used by both Hive and Hunters.
Hunters itself claimed to have purchased Hive's source code. However, the claim of purchasing the source code may have been an attempt by the Hive operators to avoid being tied to their new ransomware group. Group-IB's threat intelligence team observed other users on underground forums often referring to Hunters International as хайв, Russian for Hive.
“Additionally, cybercriminals involved with ransomware claimed that they were contacted by the Hunters International’s administrator using the same instant messaging account associated with Hive,” stated Group-IB: “Therefore, based on the information presented so far, we assess with moderate confidence that Hunters International is possibly a rebrand of Hive.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.