The notorious Hunters International ransomware operation has announced it is officially shutting down and will provide free decryption tools to all of its victims. The group, which has carried out nearly 300 ransomware attacks worldwide, published the news on its dark web leak site, stating that the project has come to an end due to undisclosed “recent developments.”
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the gang wrote.
“As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software… to ensure that you can recover your encrypted data without the burden of paying ransoms.”
All extortion-related entries were removed from the group’s portal. Victims affected by Hunters International ransomware can now request decryptors and recovery assistance through the gang’s site.
Pressure from Law Enforcement and Profit Decline Prompted Shutdown
Although the group did not specify what “recent developments” led to its closure, a prior statement from November 2024 hinted at two key reasons:
- Increased law enforcement attention
- Decreasing profitability of ransomware operations
Earlier this year, Group-IB reported that Hunters International had already begun transitioning to a new extortion-only operation called World Leaks. Unlike its predecessor, World Leaks skips encryption entirely and focuses on data theft, using a refined version of the same exfiltration tool previously used by Hunters affiliates.
“Unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group,” Group-IB noted in April.
“It uses a custom-built exfiltration tool—an evolution of Storage Software—to steal data and pressure victims.”
From Hive to Hunters: A Rebrand with Global Reach
Hunters International appeared in late 2023 and quickly gained attention due to code overlaps with Hive ransomware, a group dismantled by international law enforcement earlier that year. Security researchers suspected the group may be a rebrand of Hive, inheriting much of its infrastructure and methods.
Hunters International malware supported a wide range of platforms, including Windows, Linux, ESXi (VMware), FreeBSD, and SunOS, with compatibility across x86, x64, and ARM architectures. Its targets ranged from small businesses to global enterprises, and ransom demands varied from hundreds of thousands to millions of dollars.
Some of its notable victims include:
- U.S. Marshals Service
- Hoya (Japan)
- Tata Technologies
- AutoCanada
- Austal USA (U.S. Navy contractor)
- Integris Health, Oklahoma’s largest nonprofit health provider
Despite the free decryptors being offered, the long-term security risk for affected organizations remains. In many cases, sensitive data may have already been exfiltrated, leaked, or sold on dark web forums.
Securing Business Continuity After Ransomware Exposure
For enterprise organizations, navigating a ransomware breach—even after decryptors become available—requires immediate threat containment, forensic analysis, and reliable backup and recovery systems. If encrypted systems can’t be trusted due to data corruption or hidden persistence mechanisms, clean restoration from immutable backups becomes critical.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
