TrollEye Security

Hunters International Shuts Down Ransomware Operation, Rebrands as Data Extortion Group ‘World Leaks’

Hunters International Ransomware Group Rebrands and Returns With a New Playbook

As reported by Bleeping Computer, the cybercrime group Hunters International has officially shut down its ransomware operation and rebranded under a new name, World Leaks, shifting its focus to data theft and extortion-only attacks.

According to new findings from threat intelligence firm Group-IB, the group’s supposed shutdown in November 2024 was short-lived and misleading. On January 1, 2025, Hunters International quietly relaunched operations under the World Leaks brand, dropping encryption entirely in favor of a leaner playbook focused on stealing the data, then threatening to leak it.

To power this new model, World Leaks is arming its affiliates with a custom-built exfiltration tool designed to automate the data theft process across victim networks. The tool appears to be an improved version of the Storage Software utility previously used in conjunction with Hunters’ ransomware payloads, but now it’s the centerpiece of the attack.

With encryption out of the equation, the operation now functions solely as extortion-as-a-service, relying on stolen information as leverage to extract payouts from victims desperate to avoid public exposure. Furthermore, a login page for the group’s new affiliate panel, shared by Group-IB, confirms that the operation is already recruiting collaborators.

Hunters International Group Biography

Hunters International first appeared in late 2023 and was quickly flagged by researchers as a likely rebrand of the dismantled Hive ransomware group, due to overlapping code and infrastructure patterns. While the group never officially confirmed this connection, the technical and tactical similarities were hard to ignore.

From the start, Hunters clearly had a broad technical reach, developing ransomware capable of infecting a wide range of operating systems, including Windows, Linux, FreeBSD, SunOS, and VMware ESXi environments. Their malware was cross-platform, supporting x64, x86, and ARM architectures, making it a flexible threat for organizations across industries and regions.

In less than a year, the group became one of the most active ransomware operations globally, claiming responsibility for over 280 attacks. Some of their victims included:

  • Tata Technologies (engineering and product development)

  • AutoCanada (a major North American car dealership network)

  • U.S. Marshals Service (federal law enforcement)

  • Hoya Corporation (a Japanese optics manufacturer)

  • Austal USA (a shipbuilder and U.S. Navy contractor)

  • Integris Health (Oklahoma’s largest not-for-profit health network)

One of the group’s most alarming attacks was conducted in December 2024, when they breached the Fred Hutch Cancer Center and threatened to release the sensitive data of more than 800,000 cancer patients unless their demands were met.

Hunters International’s ransom demands varied significantly, typically starting in the hundreds of thousands but often escalating to multi-million-dollar figures, depending on the size, sector, and perceived vulnerability of the targeted organization.

Shift Your Cybersecurity Strategy Accordingly

The move to abandon encryption reflects a wider strategic change among ransomware groups. Threat actors seem to be shifting towards lower-risk, high-reward tactics like pure data extortion, which is faster, stealthier, and harder to trace.

To address this, organizations must shift their strategy accordingly. They can’t rely on backups and decryption keys alone; they must prioritize strategies that help prevent, detect, and respond to these types of attacks in real time. Staying ahead of this shift means rethinking your defense strategy, making sure that you’re continuously identifying and remediating vulnerabilities, improving your processes, and strengthening your defenses.
