One of the most prolific ransomware-as-a-service (RaaS) groups of the past couple of years has renounced the ransomware label and says it will focus solely on data exfiltration and extortion going forward.
Hunters International officially went dark on Nov. 17, 2024, following months of decline, poor results, and then-looming US sanctions against Russia. Since then, according to researchers at Group-IB, Hunters has shed the ransomware banner entirely, rebranded as “World Leaks,” developed a new exfiltration tool, and started back up all over again.
Hunters never had a particularly good reputation — and, notably, it has offered no evidence of its transformation to a new identity. So it’s possible that World Leaks could just be a copy-paste, made-up name, a Hail Mary attempt to revive a failing ransomware operation. On the other hand, a shift away from encryption and towards exfiltration only would be consistent with broader trends in the ransomware landscape.
Hunters International’s Decline
Launched in late 2023, Hunters International was built largely on infrastructure borrowed from the recently disbanded Hive. It quickly generated hundreds of victims in healthcare, financial services, and beyond, but, according to Group-IB, business was already declining significantly by the middle of 2024.
In its shutdown announcement last November, the Hunters admin complained about it all: “Many aspects of our work were losing their relevance. First of all, the programs for mass PR, their methods, and their very concept. Even successful attacks have not been bringing the expected profits lately, and the percentage of companies that were willing to pay for their data has dropped significantly. [The administration] has lost its former zeal, which has manifested itself in everything. Faced with such a sharp, unfavorable turn, [the administration] chose to go into the shadows. Yes, to retreat.”
Much of this, of course, can be attributed to the fact that ransomware gangs just don’t make as much profit anymore. To wit, despite all of the damage they’ve caused, the biggest groups are earning far less in ransom payments than they used to, with ransom payment rates now at an all-time low.
But in January, the group was already teasing a relaunch. A message to affiliates read: “We are starting a new project, without [ransomware encryption]. This will be a data theft project with all the working methods and tools. Details will be shared via PM.”
World Leaks Begins
In the Group-IB blog, senior threat intelligence analyst Yeva Hrytsai and threat intelligence researcher Andrey Kolmakov explained how World Leaks is a change of name only, while the MO remains the same.
“Contrary to what one might expect after a supposed ‘shutdown,’ the group’s Tor website remains online and fully operational,” they wrote. “The contact, onion addresses, and encryption keys remain unchanged.” Hunters’ affiliation criteria also remain unchanged, and the same administration remains behind the wheel. The only thing that has really changed is that the victim data on the leak site has been wiped.
Even so, there’s an argument to be made for this new direction.
Ransom payments and payment rates may be declining for groups all across the industry, but today’s major successes come largely from exfiltration-based extortion. It’s how RansomHub has so quickly achieved No. 1 status among RaaS groups, Cl0p has survived multiple setbacks, and BianLian earned its position as a top-five ransomware gang.
“Victims increasingly refuse to pay when only encryption has been performed — especially if their backups were not compromised — often seeing it as a nuisance rather than a crisis, since they know their data can be restored,” Hrytsai and Kolmakov explained. “On the other hand, when an attacker holds stolen data, specifically highly sensitive information such as financial records, legal documents, intellectual property, or personally identifiable information (PII), the potential damage from public exposure or sale on the Dark Web creates a more immediate, tangible threat.”
To help its affiliates better exfiltrate, Hunters has developed a new tool written in the Go language. And while it remains to be seen whether World Leaks will be any more successful than Hunters International was, organizations will need to prepare for a dual threat: not just sophisticated ransomware attacks, but also stealthy exfiltration campaigns where the focus shifts from system disruption to holding data hostage.
“For defenders, this means investing not just in backup and recovery capabilities, but in comprehensive data protection strategies, including endpoint detection and response (EDR), network behavior anomaly detection, and robust data loss prevention (DLP) tools,” they concluded.