Hunters International shifts from ransomware to pure data extortion
The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks.
As threat intelligence firm Group-IB revealed this week, the cybercrime group remained active despite announcing on November 17, 2024, that it was shutting down due to declining profitability and increased government scrutiny.
Hunters International then launched a new extortion-only operation known as "World Leaks" on January 1, 2025.
"From the administrator's perspective, ransomware is no longer profitable and risky. The criminals collaborating with the group will be provided with a purportedly self-developed exfiltration tool designed to automate the process of data exfiltration in the victims' networks," Group-IB said on Wednesday.
"Unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group using a custom-built exfiltration tool."
The new tool seems to be an upgraded variant of the Storage Software exfiltration tool that Hunters International's ransomware affiliates also use.

Hunters International surfaced in late 2023 and was flagged as a possible rebrand of Hive because of code similarities. Its ransomware targets a wide range of platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers), and it also supports x64, x86, and ARM architectures.
Since its emergence, this ransomware gang has claimed over 280 attacks against organizations worldwide, making it one of the most active ransomware operations.
Notable victims claimed by Hunters International include Tata Technologies, North American automobile dealership AutoCanada, U.S. Marshals Service, Japanese optics giant Hoya, U.S. Navy contractor Austal USA, and Oklahoma's largest not-for-profit health network, Integris Health.
Hunters International also breached the Fred Hutch Cancer Center in December, threatening to leak the stolen data of over 800,000 cancer patients if they weren't paid.
So far, Hunters International operators have targeted companies of all sizes. BleepingComputer has seen ransom demands ranging from hundreds of thousands to millions of dollars, depending on the breached organization's size.