The ransomware group Hunters International, which operated under the Ransomware-as-a-Service (RaaS) model, announced today that it is shutting down its operations and, surprisingly, will offer free decryption tools so victims can recover their files without having to pay.
"After much thought and considering everything that has happened lately, we have decided to bring the Hunters International project to an end," the group shared in a message posted on its dark web leak site. "It was not an easy decision, and we understand the impact this has had on the organizations we targeted."
In an unexpected twist, they added: "As a gesture of goodwill and to try to make amends for the damage caused, we are releasing free decryption software for all companies affected by our attacks. We want them to be able to recover their data without having to pay any ransom."
In addition to the shutdown announcement, the ransomware group Hunters International deleted all entries on its leak portal. Essentially, they have erased any trace of their past victims and operations. They also reported that companies whose systems were encrypted can still request decryption tools and receive assistance in recovering their data through their official website.
Although they did not specify what they meant by the “recent developments” that prompted this decision, their statement aligns with a previous announcement published on November 17, where they had already hinted at considering a shutdown due to increased pressure from authorities and the fact that the business was simply no longer as profitable as it once was.
On the other hand, cybersecurity firm Group-IB revealed in April that the group was preparing for a rebrand. They would abandon file encryption as their main strategy and shift their focus to data theft and direct extortion. In fact, they are believed to have already launched a new operation under a different name: World Leaks.
Shutdown Announcement from Hunters International (Source: BleepingComputer)
Unlike Hunters International, which combined file encryption with the typical extortion tactic, the new group World Leaks appears to have moved away from that formula. According to reports, World Leaks operates as a pure extortion gang, using a custom tool to steal data before threatening to make it public. This new tool is reportedly an upgraded version of the software that Hunters affiliates had already been using to exfiltrate information.
To put things into context: Hunters International emerged in late 2023, and from the outset, several researchers suspected it was a rebrand of the Hive group, as they shared many similarities in their malware code. Their software was designed to target all kinds of systems (from Windows, Linux, and FreeBSD to SunOS and VMware (ESXi) servers) and was compatible with x64, x86, and ARM architectures.
Over the past two years, the gang attacked companies of all sizes, demanding ransoms ranging from hundreds of thousands to several million dollars, depending on the victim. They claimed responsibility for over 300 attacks worldwide, making them one of the most active ransomware groups in recent times.
Among the most notable victims they themselves claimed were some major names: the U.S. Marshals Service, Japanese company Hoya, Tata Technologies, auto dealership AutoCanada, naval contractor Austal USA, and the healthcare organization Integris Health, the largest nonprofit health network in Oklahoma.
One of their most impactful attacks occurred in December 2024, when they hacked the Fred Hutch Cancer Center. In that case, they threatened to leak confidential medical data of over 800,000 cancer patients unless they were paid. It was a highly sensitive and ethically charged situation that generated significant controversy at the time.
Read more: How to detect and respond to a ransomware attack with TecnetProtect
The shutdown of Hunters International makes it clear that, while some ransomware groups may disappear, the threats are far from over. Even though this group has chosen to vanish, many others remain active and are becoming increasingly sophisticated. For businesses, this means that security cannot be an afterthought. Protecting information and ensuring operations continue smoothly must be a top priority.
Today, companies need comprehensive solutions for data protection, backup, and recovery—regardless of their size. Tools like TecnetProtect, a robust and reliable cybersecurity solution (powered by Acronis), enable businesses to prevent attacks, detect threats in real time, and quickly recover their information in the event of an incident. This not only minimizes economic impact but also ensures business continuity in critical scenarios.
If you’re running a business, don’t wait for something to happen before taking action. Protecting your data now is far easier than regretting it later. With TecnetProtect, you can rest assured that your company is in good hands.