Hunters International Shifts to Data Extortion and Rebrands as World Leaks

Hunters International, a notorious ransomware operation, has rebranded as World Leaks, shifting its focus to data extortion.

    Hunters International, a prominent Ransomware-as-a-Service (RaaS) operation, has ceased its ransomware activities and rebranded as World Leaks, focusing solely on data extortion.

    This shift, revealed by Group-IB, comes despite the group’s November 17, 2024 announcement of closure due to declining profitability and increased law enforcement scrutiny. The rebranding to World Leaks officially launched January 1, 2025.

    Group-IB highlights the rationale behind this change: “From the administrator’s perspective, ransomware is no longer profitable and risky.”

    The cybercriminals involved now utilize a purportedly self-developed data exfiltration tool to automate the process. Unlike Hunters International’s previous ransomware-and-extortion model, World Leaks operates exclusively on data extortion.

    The new tool appears to be an enhanced version of the Storage Software exfiltration tool previously used by Hunters International affiliates. A screenshot of the World Leaks affiliate panel was provided by Group-IB.

    Login page for World Leaks affiliates panel (Group-IB)

    Hunters International, active since late 2023, was suspected to be a Hive rebranding due to code similarities. Its ransomware targeted various platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers), supporting x64, x86, and ARM architectures. The group claimed over 280 attacks globally, impacting organizations of all sizes.

    Notable victims include Tata Technologies, AutoCanada, the U.S. Marshals Service, Hoya, Austal USA, and Integris Health. In December, Hunters International breached Fred Hutch Cancer Center, threatening to release the data of over 800,000 cancer patients unless paid. Ransom demands varied from hundreds of thousands to millions of dollars, depending on the victim’s size.
