Hunters International Dumps Ransomware, Goes Full-on Extortion
Ransomware groups over the past few years have been running double-extortion campaigns, not only encrypting the data of targeted organizations but also exfiltrating it and threatening to publish it if the victims refuse to pay a ransom.
Since coming onto the scene in October 2023, Hunters International – a ransomware-as-a-service (RaaS) gang believed to have risen from the ashes of the notorious Hive gang – and its affiliates have been active users of the double-extortion tactic, racking up more than 200 victims, including the London branch of the Industrial and Commercial Bank of China, Anderson Gas and Oil, and Barber Specialties, a construction company in Texas.
More recently, Hunters appears to be behind the attack on Tata Technologies, stealing 1.4 TB of data and threatening to publish it unless the Indian multinational paid the ransom.
However, Hunters appears to be shifting its operations, dropping the encryption part of the equation and focusing purely on data exfiltration and extortion, according to researchers with threat intelligence firm Group-IB.
Piecing together information gathered from the group’s Tor-based leak site, the researchers wrote in a report that it appears that the RaaS gang is shutting down the Hunters operation and rebranding as an extortion-only group, an initiative that launched January 1 under the name “World Leaks.” The decision appears to come in the wake of international law enforcement operations over the past two years with names like Endgame, Morpheus, Cronos, and Magnus that disrupted the operations of cybercriminal groups.
Such an operation in early 2023 shut down Hive.
Ransomware Unprofitable, Risky
Other factors in Hunters’ evolution included efforts by the United States and other countries to deem ransomware groups terrorists and to ban ransom payments, all of which shook the underground ransomware economy, according to Group-IB.
“From the [Hunters] administrator’s perspective, ransomware is no longer profitable and risky,” the cybersecurity firm’s researchers wrote, noting the rebranding as World Leaks. “Instead of conducting double extortion, the operation will shift to extortion-only attacks. The criminals collaborating with the group will be provided with a purportedly self-developed exfiltration tool designed to automate the process of data exfiltration in the victims’ networks.”
Ransomware Attacks Up, Payments Down
The suspected move by Hunters comes as the ransomware landscape continues to evolve. A range of studies found that the incidence of ransomware increased year-over-year in 2024. NCC Group found that the number of ransomware cases last year grew 15%, to 5,263. For their part, Ontinue researchers said there was a 132% jump in ransomware attacks.
However, even as the number of cases rose, the amount paid in ransoms declined. Both Ontinue and Chainalysis found that the amount paid in 2024 dropped 35%. Chainalysis researchers said it fell from a record $1.25 billion in 2023 to $813.55 million last year.
From Hive to Hunters
According to Group-IB and other security firms, Hunters was born after its creators bought and adapted the source code of Hive.
“Hunters International’s administrator is a very business-focused individual and this mindset is reflected in the affiliate panel used by the cybercriminals,” they wrote. “The operation has a well-defined workflow, from the creation of targets (potential victims) and disclosing stolen data to negotiating with the victim and processing ransom payments.”
Affiliates use the panel to register and communicate with the victims, download and customize the ransomware, and collect the ransom. If the victim pays, the affiliate gets 80% of the take.
They also get access to a Hunters-developed tool called Storage Software, which collects metadata from files exfiltrated from targets’ systems and sends it to Hunters’ server, giving both the victim and the attack’s author a view of the stolen files. The tool can also be used to delete files.
A Time of Change
As 2024 wore on, Hunters’ operations began to change. The latest version of the malicious software no longer includes ransom notes and no longer renames the encrypted files during the encryption process. Group-IB noted that Microsoft’s Threat Intelligence unit in January posted on X (formerly Twitter) that LockBit 4 – the latest iteration of the widely used ransomware – includes a “quiet mode” feature that preserves the extensions and modification times after encryption and also forgoes ransom notes.
It’s a trend in which some ransomware groups, rather than bringing public attention to an attack, work behind the scenes to reach a settlement with victims.
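The “quiet mode” behaviour described above removes the two signals most file-based ransomware detections lean on: a changed extension and a ransom note. What survives is the content itself and the kernel's own bookkeeping. The script below is an added example for defenders, not tooling from Group-IB, Microsoft or the article: it walks a directory and flags files whose bytes look like ciphertext (high Shannon entropy) while a second indicator says the file was tampered with, either the extension no longer matches the format's magic bytes, or the POSIX ctime (which the kernel updates on every change and which `utime` cannot back-date) is much newer than the preserved mtime. The thresholds, the magic table and the sample directory are all constructed assumptions; the "encrypted" file is simulated with random bytes.

```python
"""Heuristic hunt for "quiet mode" encryption: files whose bytes became ciphertext
while their name, extension and modification time were left untouched.
Added example, not Group-IB's or any vendor's tooling. Assumes POSIX ctime semantics
(ctime is set by the kernel on any change and cannot be back-dated with utime)."""
import gzip
import math
import os
import tempfile
import time
from dataclasses import dataclass, field

ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext and compressed data sit close to 8.0
CTIME_SKEW_SECONDS = 60   # ctime this much newer than mtime => mtime was reset after a write
SAMPLE_BYTES = 65536      # only the head of each file is read

# Formats that are legitimately high-entropy: if the header matches, the file is skipped.
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".gz": b"\x1f\x8b",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Finding:
    path: str
    entropy: float
    ctime_minus_mtime: float
    reasons: list = field(default_factory=list)


def inspect_file(path: str):
    """Return a Finding when the file looks quietly encrypted, else None."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ext = os.path.splitext(path)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is not None and head.startswith(expected):
        return None  # a genuine archive/image: high entropy is normal here
    reasons = []
    if expected is not None:
        reasons.append("extension-magic-mismatch")  # extension survived, the format did not
    entropy = shannon_entropy(head)
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    skew = st.st_ctime - st.st_mtime
    if skew > CTIME_SKEW_SECONDS:
        reasons.append("mtime-older-than-ctime")  # content changed, then mtime put back
    # Entropy alone is weak evidence (backups, archives); require a second indicator.
    if "high-entropy" in reasons and len(reasons) >= 2:
        return Finding(path, entropy, skew, reasons)
    return None


def scan_tree(root: str):
    """Inspect every regular file under root; unreadable files are skipped."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                hit = inspect_file(os.path.join(dirpath, name))
            except OSError:
                continue
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree() -> str:
    """Constructed sample directory: one quietly 'encrypted' file among benign ones."""
    root = tempfile.mkdtemp(prefix="quietmode_demo_")
    hour_ago = time.time() - 3600

    def write(name, data, backdate=False):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        if backdate:  # utime resets mtime, but the kernel bumps ctime to now
            os.utime(p, (hour_ago, hour_ago))
        return p

    write("report.txt", b"Quarterly summary. " * 2000)                             # untouched text
    write("restored-notes.txt", b"Restored from backup. " * 2000, backdate=True)    # old mtime, plain text
    write("archive.gz", gzip.compress(os.urandom(20000)), backdate=True)            # real gzip, old mtime
    # Stand-in for a quiet-mode victim: random bytes simulate ciphertext, extension and mtime kept.
    write("quarterly-figures.xlsx", os.urandom(40000), backdate=True)
    return root


def run_demo():
    """Build the sample tree and return the findings (expected: only the .xlsx)."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: entropy={f.entropy:.2f} ctime-mtime={f.ctime_minus_mtime:.0f}s {f.reasons}")
```

Only the spreadsheet stand-in is reported: the restored text file has the mtime skew but low entropy, and the gzip archive is high-entropy but carries the header its extension promises. On Windows `st_ctime` is creation time rather than change time, so the skew indicator does not transfer there without using the change-time field of the underlying API.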
“From the administrator’s point of view, the more people who know about the attack, the less likely the victim company is to pay the criminals,” Group-IB researchers wrote. “While ransomware groups such as RansomHub may eventually report incidents to regulators, Hunters International and the others believe the most effective extortion approach is contacting CEOs and key employees, such as IT teams instead of dropping ransom notes everywhere.”
Hunters also works with a third party to collect OSINT (open source intelligence) about company executives and other employees, as well as their close relatives, that the threat actors can use when extorting victims by phone, email, and social media.
“While other groups such as Medusa, ALPHV and NoEscape offered similar services, we believe that it is a matter of time before this becomes the primary approach to victim extortion,” the researchers wrote.
According to the group, the new World Leaks exfiltration software it built is easy to use and completely undetectable. It was written in the Rust programming language and is compatible with x64, x86, and Arm architectures and with the Windows, Linux, FreeBSD, and SunOS operating systems. The group shut down the operation soon after finding vulnerabilities in the software, but it is now back up, the researchers wrote.