Hunters International Ransomware Group Shuts Down, Releases Free Decryptors

In a surprising move, the Ransomware-as-a-Service (RaaS) group Hunters International has announced that it is shutting down operations and releasing free decryption tools to help victims recover encrypted data—without paying a ransom.

Key Announcements from Hunters International

The group posted an official statement on its dark web leak site, citing undisclosed reasons for the shutdown:

“After careful consideration—and in light of recent events—we have decided to shut down the Hunters International project. This was not an easy decision, and we recognize the impact it will have on organizations we’ve engaged with. As a goodwill gesture, we are providing free decryption software to all victims of our ransomware. Our goal is to ensure you can restore encrypted data without paying a ransom.”

Additional Details:

  • Victim data deleted: All previously listed victim data has been removed from their leak site.
  • Decryption support available: Victims can now request decryptors and recovery guides via dark web communication channels.

Why the Sudden Shutdown?

While Hunters International did not specify what "recent events" triggered the decision, several factors suggest growing pressure behind the scenes.

Law Enforcement Scrutiny

Back in November 2024, the group hinted at potential closure due to increased law enforcement activity and a decline in ransomware profits. This aligns with broader global crackdowns on cybercrime infrastructure throughout 2024–2025.

Rebranding as World Leaks?

According to threat intelligence firm Group-IB, core members of Hunters International were likely preparing a pivot to a data-extortion-only operation under the name World Leaks.

  • Launch date: January 1, 2025
  • Tactics: Steal sensitive data → extort victims → sell stolen information to third parties
  • No encryption: The group is abandoning ransomware in favor of pure extortion, which often attracts less law enforcement attention.

Hunters International: A Brief History

  • Launched: Late 2023
  • Suspected origin: Believed to be a rebrand of the notorious Hive ransomware group, based on code similarities
  • Targets: A broad range of platforms, including Windows, Linux, FreeBSD, SunOS, and VMware ESXi
  • Architectures attacked: x64, x86, ARM
  • Activity volume: Over 300 confirmed attacks globally, making it one of the most active ransomware groups in recent years

What Happens Now?

For Victims:

  • Free decryptors are available—users can contact the group through its dark web site
  • No ransom payment is required to restore encrypted files
  • However, stolen data may still be circulating, even if the ransomware is no longer active

For Security Teams:

  • Monitor for World Leaks activity, especially in extortion-only campaigns
  • Audit previous Hunters-related breaches. Even if encrypted files are recovered, the stolen data may remain a risk
  • Prepare for copycat operations leveraging similar infrastructure and tactics

Final Thoughts

The disbanding of Hunters International follows a familiar ransomware pattern: criminal groups shut down under pressure, only to reappear under new names. (See: Hive → Hunters → World Leaks.) Whether this move is a genuine exit, a strategic pivot, or the result of law enforcement infiltration, the timing and execution suggest more than meets the eye.

While the release of free decryption tools is rare, it’s not unprecedented. In some cases, this has signaled:

  • A takedown disguised as a shutdown
  • An exit scam to preserve reputation before shifting tactics
  • Or simply a profit-driven rebrand, aiming to lower visibility while continuing operations

Recommendations

  • Use the decryptors cautiously—verify authenticity before running them on live systems
  • Do not assume full recovery equals safety—stolen data may still be sold or leaked
  • Prepare for future attacks focused on data theft and extortion, not just encryption

Is this the end of Hunters—or the beginning of something more covert?
The rise of World Leaks and the quiet pivot away from encryption could mark a new chapter in cyber-extortion tactics.
Share your thoughts: Is this a law enforcement victory—or just smart cybercrime strategy?
