The short-lived ransomware operation known as SatanLock has officially shut down. In a sudden announcement made via its Telegram channel and dark web leak site, the group declared its exit from the cybercrime scene and warned that all data previously stolen from victims would now be leaked publicly.
A Short-Lived But Noisy Operation Comes to an End
SatanLock emerged in April 2025 and quickly built a reputation through aggressive extortion tactics. In just a few months, the group claimed dozens of victims, listing 67 organizations on its now-defunct leak site.
However, researchers from Check Point noted that over 65% of these victims had already been listed by other ransomware groups—suggesting duplicate postings, shared access, or even hijacked infections.
“Such behavior highlights the increasingly competitive and chaotic nature of the ransomware ecosystem, where victim double-posting is becoming a common tactic among opportunistic actors,” Check Point explained in its April 2025 Malware Spotlight report.
This overlap has become a growing trend in ransomware circles, where criminal groups often race to claim credit for the same breach.
Linked to Other Threat Groups and Toolsets
According to LockBit Decryptor, a cybersecurity company focused on decrypting ransomware infections, SatanLock is believed to have ties with established ransomware families such as Babuk-Bjorka and GD Lockersec. These affiliations suggest that SatanLock may have operated under a larger cybercrime umbrella or relied on recycled tooling and access from other threat actors.
Shutdown Announcement and Impending Data Leak
The announcement of SatanLock’s closure was posted both on its private Telegram channel and dark web leak site. In a brief farewell message, the group stated:
“SatanLock project will be shut down. The files will all be leaked today.”
The reason behind the sudden decision remains unclear. There is no indication of a law enforcement takedown or internal dispute at this time.
Another Shutdown in the Ransomware Ecosystem
SatanLock’s exit comes just days after another group, Hunters International, declared its own shutdown. Unlike SatanLock, Hunters International offered free decryption keys to victims upon exiting.
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the group said in a public message. “This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with.”
Both shutdowns hint at shifting dynamics within the ransomware underworld, where competition, law enforcement pressure, and internal politics are forcing smaller or opportunistic groups to fold.
