Ransomware Crew Hunters International Shuts Down, Hands Out Keys To Victims

Ransomware gang Hunters International has shut up shop and offered decryption keys to all victims as a parting favor.

Announcing the news on Thursday morning, the gang deleted all victim data from its dark web leak site and issued a statement confirming its closure.

“We, at Hunters International, wish to inform you of a significant decision regarding our operations,” it said. 

“After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with.”

The statement did not go into detail about the reasons for the decision, or what the “recent developments” were, but it does not come as a surprise given its previous communications about ransomware becoming more trouble than it’s worth.

Back in April, the group’s leadership said ransomware had become “unpromising, low-converting, and extremely risky,” adding that it was considering a change of direction.

“There are changes happening in the world right now, one of them is the recognition of ransomware as terrorism, and countries that contribute or do nothing to [combat] it [are designated] as countries that support terrorists,” it said that month.

“This status is unacceptable for most countries, as it has a negative impact on the external banking system. This means that the fight against ransomware is moving from the virtual to the real plane, and this time our own states are against us. The chances of survival, in such a situation, tend to be zero.”

Hunters said today that “as a gesture of goodwill,” it would release decryptors to all victims, although this doesn’t seem like it will be publicly available – more of an “ask and you shall receive” type of deal.

“We understand the challenges that ransomware attacks pose, and we hope that this initiative will help you regain access to your critical information swiftly and efficiently,” the statement added. “To access the decryption tools and receive guidance on the recovery process, please visit our official website.

“We appreciate your understanding and cooperation during this transition. Our commitment to supporting affected organizations remains our priority as we conclude our operations.”

Departing cybercrime groups rarely offer free decryption keys, but it is not entirely unheard of either.

Avaddon did the same thing when it shut down in 2021 – the crew has since rebranded to NoEscape, according to researchers

What next?

Don’t let the professionally worded goodbye from Hunters International deceive you. Without confirming anything, it seems highly likely that the same crooks behind the operation continue to profit from others’ pain.

After the April admission that it would be abandoning ransomware, researchers at Group-IB predicted that the same team behind Hunters would simply rebrand as World Leaks.

World Leaks is very much alive and kicking, and operates using the extortion-only model, whereby attackers steal a company’s data and holds it to ransom without deploying any kind of file encryption.

The group’s dark web page is constructed in almost the exact same style as Hunters’ and currently lists 31 victims.

A World Leaks statement posted in May invited journalists to sign up for its early warning mailing list to receive information about attacks 24 hours before they are made public.

“This exclusive access will empower journalists to prepare in-depth analyses and stories that resonate with their audiences, ensuring they stay ahead of the curve in today’s fast-paced news environment,” it said.

Hunters International will be remembered for high-profile attacks on organizations such as Tata Technologies and ICBC’s London office.

One of its more egregious acts came shortly after it formed in 2023, attacking a US plastic surgery clinic and leaking patients’ pre-op body images. ®

Original Source