Why Did Hunters International Shift to Data Theft and Extortion?

Article Highlights
Off On

Hunters International, once a prominent Ransomware-as-a-Service (RaaS) outfit, has made a significant shift in its operational tactics.While the group announced in November 2024 that it would cease operations due to declining profitability and increased government scrutiny, they re-emerged with a new strategy on January 1, 2025. Rebranding themselves as “World Leaks,” they have abandoned their earlier model of ransomware attacks.Instead, they now focus exclusively on data theft and extortion, using bespoke tools to exfiltrate sensitive information from targeted networks. This shift marks a notable evolution in their approach to cybercrime.

Motivations Behind the Shift

Group-IB, a well-regarded threat intelligence firm, has provided insight into the rationale behind this shift. According to their analysis, Hunters International perceived the ransomware landscape as becoming increasingly risky and less lucrative.High-profile law enforcement actions and coordinated international efforts have put ransomware operators under intense scrutiny, making it a perilous avenue for cybercriminals. The adoption of a data theft and extortion model offers a comparatively lower risk profile while still allowing the group to leverage stolen information for sizable financial gains.The new strategy centers on an advanced exfiltration tool, an enhancement of their previously used Storage Software tool. This custom-built application enables more efficient and stealthy extraction of data from victims’ systems.By focusing solely on data theft, World Leaks can pressure victims to pay ransoms without engaging in the more complex process of decrypting and restoring locked systems. This streamlined approach allows them to operate with greater agility and reduced operational overhead.

Operational History and High-Profile Targets

Hunters International initially gained significant attention in late 2023, drawing the suspicion of cybersecurity experts who noted similarities between their code and that of the infamous Hive ransomware.Their sophisticated ransomware was capable of targeting a diverse array of platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi, and supported multiple architectures such as x64, x86, and ARM. During their original stint, the group claimed responsibility for over 280 attacks on organizations worldwide, inflicting considerable damage and financial loss.Among their most notable victims were prominent entities such as Tata Technologies, AutoCanada, the U.S. Marshals Service, Hoya, Austal USA, and Integris Health. In a particularly egregious case, Hunters International threatened to leak confidential data from the Fred Hutch Cancer Center unless their ransom demands were met. This data included sensitive information on over 800,000 cancer patients, showcasing the group’s willingness to exploit vulnerable targets for profit.Their ransom demands were substantial, ranging from hundreds of thousands to millions of dollars, depending on the size and financial capacity of the targeted organization.

Implications and Broader Trends

Hunters International, previously renowned for their Ransomware-as-a-Service (RaaS) operations, has notably shifted its tactics. The group announced the cessation of operations in November 2024, citing reduced profitability and heightened government scrutiny as reasons. However, this shutdown was short-lived. On January 1, 2025, they re-emerged under the new name “World Leaks,” marking a significant change in their criminal approach.Abandoning their ransomware strategy, they now focus solely on data theft and extortion. They employ specially designed tools to infiltrate selected networks and extract sensitive data. This strategic transformation showcases their adaptation to changes in the cybercrime landscape.As the authorities continue to clamp down on ransomware operations, “World Leaks” seems to be redirecting its efforts to evade law enforcement and maintain its profitability. This move underscores the fluid nature of cyber threats, highlighting the constant evolution of cybercriminal tactics.

Explore more