Introduction

At the end of 2023 and throughout 2024, the Ransomware-as-a-Service (RaaS) ecosystem was negatively impacted by several seismic events affecting the cybercrime supply chain. These included the arrests of criminals and law enforcement operations such as Operations Endgame, Morpheus and Magnus, conducted against botnet and stealer infrastructure: resources commonly used by ransomware groups’ affiliates to gain initial access to organizations’ networks, as well as to perform malicious actions during post-exploitation.

Additionally, government bodies including the US Congress and the Parliament of Australia released cybersecurity bills in order to discuss, among other things, the “Sense of Congress on hostile foreign cyber actors”, which considers designating ransomware groups as terrorists, and “Mandatory Reporting for Ransomware and Cyber Extortion Payments”, respectively.

These—and other actions including the ban of ransom payments—significantly impacted the underground economy of RaaS operations, forcing affiliates and operators to find new strategies to attack and extort their victims. Despite this, we still observed a 44% increase over 2023 in the number of offers looking for affiliates, and approximately 5,066 disclosures published on Data Leak Sites (DLS) in 2024, a 10% increase over 2023, as detailed in our High-Tech Crime Trends Report 2025. However, according to a report by Chainalysis there was a “35% Year-over-Year decrease in ransomware payments”, against a slight increase of 41% in Q4 2024 in companies that paid ransoms after being victimized by exfiltration-only attacks, according to Coveware’s report.

Key Discoveries in this Blog

  • The Hunters International operation was possibly launched in October 2023.
  • Former Hive operators may have been involved in Hunters International’s administration.
  • Operators are planning to close the project and rebrand as World Leaks – an extortion-only operation.
  • The group provides its partners with an open source intelligence (OSINT) service with the purpose of extorting victims via telephone calls, emails and social media and other means.
  • The ransomware works on x64, x86, and ARM architectures as well as in Windows, FreeBSD, SunOS and Linux-based operating systems including ESXi.
  • From version v6, the ransomware neither renames encrypted files nor drops ransom notes.
  • Hunters International provides a tool named Storage Software, which collects metadata of exfiltrated files and sends it to the group’s server.
  • The tool creates a bridge between the host holding the victim’s data, controlled by the author of the attack, and Hunters International’s panels.
  • The victim is able to download and delete the files stored by the criminal from the group’s victim panel.
  • The Storage Software establishes network connection via SOCKSv5 proxy, and works on both Windows and Linux.
  • Group-IB’s Threat Intelligence analysis discovered that Hunters International, Lynx and INC Ransom have similarities in the infrastructure, but there is no evidence that could suggest these ransomware brands belong to the same operation.

Who may find this blog interesting:

  • Cybersecurity analysts and corporate security teams
  • Malware analysts
  • Threat intelligence specialists
  • Cyber investigators
  • Computer Emergency Response Teams (CERT)
  • Law enforcement investigators
  • Cyber police forces

Threat Actor Profile
Threat Actor Name: Hunters International
Type: Ransomware operation
First discovered: October, 2023
Latest activity: Present
Languages: Russian, English
Targets Geography
  • North America, Europe, Asia
Industries
  • Real Estate, Healthcare, Professional Services
Modus operandi:
  • Although double extortion attacks are conducted, the operation focuses on data exfiltration.
  • Criminals can eventually extort victims via phone calls, emails, social media and other means in case of failed negotiation through live-chat.
Notable features
  • Storage Software tool collects metadata of files and sends it to Hunters International’s system.
  • A victim is able to download/delete files from the group’s panel connected to the criminal’s computer with the files exfiltrated from the compromised environment.
  • The tool works on both Windows and Linux.
  • Ransomware is able to automatically mount unmounted disk partitions.
  • Ransomware CLI option allows delaying of execution as defense evasion technique.

Establishment

The Hunters International story starts – at least publicly – with the first disclosure of an English company on the group’s data leak site (DLS) on October 13, 2023. Seven days later, on October 20, 2023, cybersecurity researchers shared on X information on what seemed to be the first version of Hunters International’s ransomware for Windows, submitted to VirusTotal from a German IP address on October 19, 2023. In addition, on October 21, 2023, the group’s administrator published in the affiliate panel the first note with rules about their operation. Therefore, we believe that Hunters International probably officially started operating in October 2023.

Figure 1. Hunters International's data leak site

Figure 2. The first post in the affiliate panel in Russian (above) and translation in English (bottom).

Who are the Hunters

According to cybersecurity researchers who first analyzed the sample submitted on VirusTotal, Hunters International’s ransomware shares similarities with the Hive ransomware, a criminal group disrupted by a law enforcement operation in early 2023. Based on this, researchers surmised that Hunters International could probably be a rebrand of Hive. However, the group’s administrator released a statement in the DLS, claiming they had actually bought Hive’s source code, including the web application and ransomware.

Figure 3. Hunters International's statement on being a rebrand of Hive.

Although Hunters International’s operators did not confirm the rebranding, Group-IB’s threat intelligence team observed throughout their research that users on underground forums as well as affiliates and operators from different ransomware groups often refer to Hunters International as хайв (Hive in Russian). Additionally, cybercriminals involved with ransomware claimed that they were contacted by the Hunters International’s administrator using the same instant messaging account associated with Hive. Therefore, based on the information presented so far, we assess with moderate confidence that Hunters International is possibly a rebrand of Hive.

The Hunters’ Objective

As can be seen in the screenshot (Figure 3) above, the group’s operators claimed that “encryption is not the primary goal” of Hunters International. Taking this into account, and based on affiliate panel features and resources provided to its members, we believe that Hunters International’s main objective is data exfiltration.

Victimology

According to a statement made by operators of the group on 2 February, 2024, attacking Israel, Turkey, the entire Far East, and nations within the Commonwealth of Independent States (CIS) is prohibited. Despite that, threat actors have disclosed on the group’s DLS companies from China, Turkey, Singapore, Japan, and other countries from the Far East region.

Figure 4. A statement from Hunters International on the prohibited countries and regions in Russian (above) and translated into English (below).

Similar to Black Suit, Qilin, RansomHub, and other ransomware groups, Hunters International has also attacked the healthcare industry, following a trend in 2024 that saw a significant increase in intrusions against healthcare companies and institutions. As law enforcement operations such as Operation Cronos and Endgame, as well as actions taken by the government bodies, have affected the ransomware ecosystem, ransomware affiliates—encouraged by group administrators—shifted their focus in 2024 toward healthcare and critical infrastructure. From the criminals’ perspective, organizations providing critical services to society are more likely to pay high ransom amounts.

Figure 5. Hunters International’s victims by region.

Figure 6. Hunters International’s victims by industry.

Affiliate Panel

Figure 7: The home page of Hunters International’s affiliate panel.

Hunters International’s administrator is a very business-focused individual and this mindset is reflected in the affiliate panel used by the cybercriminals. The operation has a well-defined workflow, from the creation of targets (potential victims) and disclosing stolen data to negotiating with the victim and processing ransom payments.

The affiliate panel does not have a builder, i.e. a feature that would allow threat actors to customize the ransomware via a web interface. However, certain aspects of the ransomware, such as defining the processes to be killed and disabling the network share encryption feature, can be controlled through the malware’s command-line parameters, which are elaborated further in the Technical Details section.

In addition to the usual sections such as News, Payments, and Companies (the latter being used for the registration of new targets), the affiliate panel offers threat actors access to a self-developed tool called “Storage Software” which is provided after a new target is registered. This tool was created to collect metadata from files exfiltrated from victims and send it to Hunters International’s server, offering both the victim and the attack’s author an organized view of the stolen files.

Additionally, in the “Disclosures” section, which appears after a target is registered, threat actors can create folders, add specific files, and classify them by category, such as Source Code, Financial, PII (Personally Identifiable Information), and more.

Target Creation

After logging into the affiliate panel, the threat actors have to register a target and add information about the company, including revenue, stock, name, etc. Once registration is done, the threat actors are provided with the ransomware, the Storage Software and the victim’s credentials for the live chat.

Figure 8. Affiliates can create a target organization by using the Target registration

As shown below (Figure 9), once a target is created, the system displays the status as “New” on the left side, along with the percentage (80%) of the ransom payment that the criminals would receive if the victim pays. Additionally, on the right side, threat actors are provided with options to set the ransom price and specify which actions were performed during the intrusion, such as “Exfiltrated Data,” “Encrypted Data,” and “Mailing List.”

Figure 9. Company overview after target registration.

Data encryption

Once a target is registered, threat actors can download the ransomware, which is compatible with x64, x86, and ARM architectures, as well as with Windows, Linux, FreeBSD, and SunOS operating systems. Although this level of compatibility is not very common, other ransomware families such as Apos, RTM, Lynx, Qilin (aka Agenda), and RansomHub also support these architectures and operating systems.

As shown in the screenshot below, the last version of Hunters International’s ransomware no longer drops any ransom note nor renames any encrypted files by appending extensions; functionalities also present in the latest versions of LockBit 4 and Lynx. More on that in the “No more ransom notes” section.

Figure 10. Screenshot of the latest version of Hunters International ransomware, and the victim’s credentials to access the live-chat.

Company Confirmation

Figure 11. A screenshot of the confirmation panel, and the required actions during the intrusion.

Once the actions (Exfiltrated Data, Encrypted Data and Mailing List) performed during the intrusion are confirmed in the system, the criminals are provided with the Storage Software to download, and two new sections appear: Disclosures and Mailing List. Although Group-IB’s specialists could not test all the features, Group-IB believes that the Mailing List functionality is eventually used by threat actors to send bulk emails to the victims’ partners, clients and competitors, in order to notify them about the incidents and put further pressure on the victims.

Storage Software

Figure 14. Storage Software download page, tags, and additional features.

The Storage Software tool is compatible with both Windows and Linux operating systems as well as x86 and x64 architectures. According to the tool’s description, the Storage Software “allows [criminals] to share access to exfiltrated data, categorize documents, and make disclosures through [Hunters International’s] website without a need to upload it anywhere. Data stays on [Hunters International’s partners’] server. Once payment is made the company allows to erase its data remotely”.

The following is the full “help” output of the tool for Windows.

C:\Users\Windows\Desktop> storage_windows_x64.exe --help

Storage Software allows you to share access to exfiltrated data, categorize documents, and make disclosures through our website without a need to upload it anywhere. Data stays on your server. Once payment is made the company allows to erase its data remotely. You may run as many copies pointed at different folders to serve as many companies' data as you need. Requires Tor is installed and running locally on your system or remotely

Usage: storage_windows_x64.exe [OPTIONS] --access-token  --root 

Options:
  --host                       Tor Onion domain of the main server [default: hunters55wwmd25ycahnbn5xh45hvtwbmby6ly4p6qee5pughbyrajqd[.]onion]
  -a, --access-token     Storage connect access token
  -r, --root                     Root folder to serve files from
  -t, --tor-socks   Tor SOCKS address to connect. On Unix systems it can be a unix socket like unix:/var/run/tor/tor.sock [default: 127[.]0[.]0[.]1:9050]
  -h, --help                           Print help

The tool indexes information on the files found in the directory specified by the threat actor (--root), then sends it via TLS to the Onion service provided by the group (--host).

Figure 15. Processes on Linux and established network connection with Hunters International Tor service.

Once the metadata is collected, a representation of the files indexed by the tool and stored in a host controlled by the threat actor will be presented in the affiliate panel.

The threat actor can create different Disclosures (folders) and add files by checking the checkbox. The Disclosures can be either Viewable or Downloadable, allowing victims to download files by using Hunters International’s victim panel.

Figure 16. Instructions on how to connect to Data Storage in the Disclosures section.

Figure 17. Configuring Disclosures and selecting files to be presented in the victim's panel.

During the analysis of the Storage Software, Group-IB discovered that the tool can also be used to delete files. Consequently, in order to perform any action such as deleting or downloading the files stored on the criminal’s host from Hunters International’s panels (victim/affiliate), the tool must be running on the host holding the files; otherwise, the files cannot be accessed.

The image below shows the tool’s logs covering the file indexing, the network connection to the group’s server, and the download of files performed in the Hunters International victim panel by a fictitious company.

Figure 18. Log of the tool in the criminal's host.

Therefore, Group-IB concludes that the files exfiltrated from the victims are not stored in Hunters International’s servers initially, but in a host controlled by the criminal who conducted the intrusion.

Please note that the Storage Software is used by the threat actors only to send information about the files—not the files themselves—to the group’s system in order to be presented to the victims as well as to disclose it in the DLS. Once the ransom is paid, the victim is granted access to the Disclosures configured by the criminal, and the victim can then download and delete its data, once the Data Storage is connected to the criminal’s server with the files.

Figure 19. Information presented to the victim in the Payment section of the system used to negotiate with the criminals.

The fact that the files are not stored in Hunters International’s infrastructure benefits both parties, especially the threat actors conducting the intrusions. Taking into account the uncertainty and fear caused by the ALPHV, NoEscape and Black Basta exit scams, some criminals may consider it safer to store data exfiltrated from victims in their own infrastructure.

The News Section: The Evolution of Hunters International

In this section, we present the most relevant events reported in the affiliate panel by Hunters International’s operators. In addition to tracing the evolution of the ransomware and the Storage Software tool, the section covers security issues that affected the group’s infrastructure and led to updates of its tools and systems, as well as the operators’ thoughts on the current ransomware scenario.

The Ransomware

The following shows the evolution of the ransomware throughout 2024, from v4 to v6. Among the updates, version 5.1.0, released on August 5, 2024, implemented two critical functionalities: automatic mounting of unmounted disk partitions, and the ransomware in the form of a DLL.

According to the manual provided by the group, threat actors can deploy the DLL ransomware by using the legitimate Windows binary regsvr32.exe. This technique – System Binary Proxy Execution: Regsvr32 (T1218.010) – has also been adopted by other ransomware groups such as LockBit, Black Suit (aka Royal) and Qilin, which likewise provide ransomware in DLL form. By using this technique, threat actors make malicious artifacts harder to detect.

The following are the announcements from Hunters International regarding the updates to the ransomware in 2024.

No more ransom notes

The next screenshot contains one of the latest statements made by Hunters International’s administrator in the affiliate panel. The statement explains the reason why the operators decided to no longer rename encrypted files during the encryption process and also abandon the ransom notes. Curiously, Microsoft’s Threat Intelligence team reported on X on January 21st that LockBit 4 now has a quiet mode feature in which files “extensions and modification times are preserved after encryption, and ransom notes are not dropped”.

From the administrator’s point of view, the more people who know about the attack, the less likely the victim company is to pay the criminals. While ransomware groups such as RansomHub may eventually report incidents to regulators, Hunters International and others believe the most effective extortion approach is contacting CEOs and key employees, such as IT teams, instead of dropping ransom notes everywhere.

Figure 21. A screenshot of an announcement made by Hunters International on 14 August 2024, regarding the change in ransom strategy in Russian (top), and translated into English (bottom)

As indicated by the statement (Figure 21), it can be surmised that the group’s administrator was aware of what has been discussed by the US government and security companies with regard to ransomware. This awareness, combined with developments in the ransomware ecosystem, allows the criminal to better evaluate how defensive actions by government bodies and security firms might impact their operations and adjust their strategies accordingly.

Storage Software Updates

In the following screenshot (Figure 22), instructions released in the affiliate panel on 3 November 2023 outlined how to navigate the panel and use the Storage Software Tool. Although we were unable to test some features, the operators’ description suggests that the affiliate panel functions similarly to a broker-dealer, in which initial accesses are provided under certain conditions to threat actors collaborating with Hunters International. Additionally, as presented in the Establishment section, the platform also works as a guarantor; a feature very similar to those available in underground forums such as XSS (aka DamageLab) and Exploit.

Figure 22. A screenshot dated 23 November 2023 with instructions on how to work with the tool and affiliate panel.

On March 5, 2024, the group’s administrator posted a note about an attack on the infrastructure supporting the Storage Software. Coincidentally, March had the lowest rate of disclosure in the group’s DLS, in comparison with February and April 2024. In response to the incident, the group updated and released new versions of the Storage Software tool on March 12 and 27, 2024.

Figure 23. A screenshot from Hunters International addressing the attack on the infrastructure that supported the Storage Software, and mitigation.

The following are screenshots of the posts made by Hunters International about the updates of the Storage Software on 12 March and 27 March 2024.

A similar attack attempt

A month before the March incident, the operators shared information about a similar attack attempt on February 4, 2024, which targeted all onion domains used by the group. However, according to them, the TLS certificate spoofing attack was detected and did not affect the infrastructure.

What else happened

The News section of the Hunters International’s affiliate panel has a lot of information about their operation, including services, updates, and bug fixes of software. In addition to the information presented previously throughout the report, the following are the most relevant events published by the group’s administrator.

OSINT

A third-party partnering with Hunters International provides OSINT services in order to collect information about “all company executives, responsible persons and their close relatives”. This information is then used by the criminals to extort victims via phone calls, emails and social media. While other groups such as Medusa, ALPHV and NoEscape offered similar services, we believe that it is a matter of time before this becomes the primary approach to victim extortion.

Figure 25. An announcement by Hunters International about OSINT and extortion services on 13 March 2024.

Even though the latest version of the ransomware no longer drops ransom notes, threat actors may choose to use the following template from Hunters International to manually create ransom notes.

Figure 26. A ransom note template provided by Hunters International, published on 2 August 2024

On 7 August, 2024, Hunters International’s administrator shared a few articles from the media on the SharpRhino Remote Access Trojan (RAT) malware which was used by criminals collaborating with Hunters International. It is important to note that the resources used during intrusions are usually acquired by the threat actors. Therefore, SharpRhino RAT is possibly a capability of a specific criminal group or individual, rather than a tool used by all Hunters International’s partners.

The “ban” mentioned in the title of the note refers to the period during which there was no news about Hunters International on the internet.

Figure 27. Hunters International sharing news published by the media about SharpRhino in the affiliate panel.

The end of Hunters International?

On 17 November 2024, Hunters International’s operators released an internal note to their partners on the end of the project. In a sort of “farewell letter”, the group’s leadership claimed that the ransomware business has become risky and unprofitable due to actions taken by government bodies and the negative impact caused by ongoing geopolitics globally.

Figure 28. A statement from Hunters International about the end of the project.

Despite that, the administrators published a new note a few weeks later on the return of the Hunters International project. So far, the group is still active.

Rebrand

From the administrator’s perspective, ransomware is no longer profitable and has become risky. As a result, the operators released a new project on 1 January 2025 called World Leaks. Instead of conducting double extortion, the operation will shift to extortion-only attacks. The criminals collaborating with the group will be provided with a purportedly self-developed exfiltration tool designed to automate data exfiltration from victims’ networks.

Figure 29. The login page for the affiliates panel of the newly launched World Leaks.

Capability

According to the operators, the exfiltration software is an easy-to-use 100% fully undetectable (FUD) tool developed from scratch. Similar to the Storage Software available in the Hunters International’s affiliate panel, the World Leaks’ exfiltration tool is allegedly able to establish a network connection through a proxy server. However, this is not required to run the software.

After its release, the administrators found bugs in the World Leaks infrastructure and decided to pause the project until they were resolved. According to the affiliate panel, World Leaks is active again; however, there are no disclosures on its DLS.

Figure 30. The World Leaks affiliate panel home screen.

Ransomware Technical Details

The malware was developed in Rust to target x64, x86, and ARM architectures, as well as the Windows, Linux, FreeBSD, and SunOS operating systems. It offers a range of command-line arguments for full control over execution, including options for delaying execution as an anti-analysis measure, as well as host and Windows shares enumeration.

The ransomware avoids encrypting the first 0x41 bytes of files. As mentioned previously, in v6 of Hunters International’s ransomware, released on 14 August 2024, the malware no longer renames encrypted files by appending an extension, nor drops ransom notes. Beyond evading security solutions, the absence of ransom notes reduces the likelihood that employees of the targeted organization will become aware of the attack and share information that could ultimately affect the criminals’ negotiations.

Windows

For Windows (x64, x86, x64_dll, x86_dll), the ransomware was provided in both EXE and DLL formats. Threat actors could specify command-line arguments to manage operations, including encrypting specific files, directories, drives and network shares, either locally or on remote hosts. Additionally, the ransomware has a feature which allows criminals to erase free space on the encrypted drive. However, during the analysis of the artifact, Group-IB’s reverse engineers discovered a bug in this functionality, caused by a stack overflow, which crashes the ransomware when wiping free space.

In addition to the ransomware, Hunters International provided a manual with instructions on how to work with the software. The following are the instructions for the Windows version:

Usage: encrypter_windows_x64.exe [OPTIONS] [PATHS]...
Usage: rundll32.exe encrypter_windows_x64.dll,Open [OPTIONS] [PATHS]...
Usage: regsvr32.exe /c /n /i:"[OPTIONS] [PATHS]..." encrypter_windows_x64.dll

Options:
  -w, --wait          Number of seconds to sleep before execution.
  -l, --low-key             Do not kill processes, stop services or delete 
                            shadow copies, do not mount volumes.
  -k, --kill          Include names to kill processes and stop services.
  -s, --skip          Exclude names from stopping services and killing 
                            processes.
  -R, --no-remote           Do not enumerate remote hosts.
  -E, --no-erase            Do not erase free disk space.

  -a, --admin \:     Impersonate to Domain Admin for
                                                 access to remote shares.

Paths:
    Paths can be folders, files, remote shares, IP addresses or hostnames. 
    Default: local drives, remote shares.

List of services or processes to stop/kill:

agntsvc,backup,dbeng50,dbsnmp,encsvc,excel,firefox,infopath,isqlplussvc,memtas,mepocs,msaccess,msexchange,msmq,mspub,mssql,mydesktopqos,mydesktopservice,mysql,notepad,ocautoupds,ocomm,ocssd,onenote,oracle,outlook,powerpnt,sap,sqbcoreservice,sql,steam,svc$,synctime,tbirdconfig,thebat,thunderbird,veeam,visio,vmm,vmms,vmwp,vss,winword,wordpad,xfssvccon.

DLL entry points:
    EntryPoint(LPCWSTR cmdLine)
    Open(LPCWSTR cmdLine)
    Close(LPCWSTR cmdLine)
    Free(LPCSTR cmdLine)

Examples:
    encrypter_windows_x64.exe
    encrypter_windows_x64.exe --admin COMPANY\Admin:Qwerty
    encrypter_windows_x64.exe 192[.]168[.]10[.]3
    encrypter_windows_x64.exe \\SHARE\Backup\ D:\ "E:\My Docs\"
    encrypter_windows_x64.exe \\10[.]0[.]0[.]231\Database\main.sql

When the ransomware is executed, it displays a debug console that indicates the status of its operation, including the number of encrypted files, and the current task being performed.

Figure 31. A screenshot of the debug console during the encryption process.

As is almost ubiquitous among ransomware (T1490), Hunters International’s ransomware deletes Windows Shadow Copies and the Windows Backup Catalog, and disables automatic Windows recovery features, by running the following commands:

  • "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  • "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  • "C:\Windows\System32\wbadmin.exe" delete systemstatebackup
  • "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  • "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No
  • "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  • "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3
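The seven commands above are a reliable detection point, because they appear in process-creation telemetry (Sysmon Event ID 1, Windows 4688) regardless of how the binary is packed. The following is an added example, not code from the report or from the group's tooling: it normalizes a command line and matches it against patterns derived from that list. The sample events are constructed for illustration.

```python
import re

# Detection patterns derived from the recovery-inhibition commands listed
# above. Each entry: (label, regex applied to the normalized command line).
RECOVERY_INHIBITION_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin_delete_systemstatebackup",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+systemstatebackup\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
]

def normalize(cmdline: str) -> str:
    """Lower-case, drop quotes and the directory part of the image path so that
    both "C:\\Windows\\System32\\vssadmin.exe" and a bare "vssadmin" match."""
    s = cmdline.lower().replace('"', "").replace("\u201c", "").replace("\u201d", "")
    s = re.sub(r"^[a-z]:\\(?:[^\\\s]+\\)*", "", s.strip())
    return re.sub(r"\s+", " ", s)

def classify(cmdline: str):
    """Return the label of the first matching pattern, or None if benign."""
    norm = normalize(cmdline)
    for label, pattern in RECOVERY_INHIBITION_PATTERNS:
        if pattern.search(norm):
            return label
    return None

def scan_process_events(events):
    """events: iterable of (timestamp, host, commandline) tuples taken from
    process-creation telemetry. Returns (timestamp, host, label) hits."""
    return [(ts, host, classify(cmd)) for ts, host, cmd in events
            if classify(cmd) is not None]

# Constructed sample telemetry (not from the report): three of the commands
# listed above plus one benign vssadmin invocation that must not alert.
SAMPLE_EVENTS = [
    ("2024-02-01T10:00:01Z", "fs01", r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    ("2024-02-01T10:00:02Z", "fs01", r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No'),
    ("2024-02-01T10:00:03Z", "fs02", r"vssadmin.exe list shadows"),
    ("2024-02-01T10:00:04Z", "fs01", r'"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3'),
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(*hit)
```

Several of these hits from one host within seconds of each other is the pattern worth alerting on; a lone `vssadmin delete shadows` also occurs in legitimate backup maintenance.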

Next, it enumerates all running processes and services using the CreateToolhelp32Snapshot and EnumServicesStatusW Windows APIs. It checks for matches with its predefined services or processes that need to be terminated. If any are found, it stops and terminates them using the TerminateProcess and ControlService APIs. The malware includes a default list of processes and services to stop which can be found in the manual previously presented in this section. Additionally, threat actors can also add or remove items from this list using command line switches.

Figure 32. Terminate processes.

Figure 33. Stop processes.

Before starting the encryption process, the ransomware executes the NetServerEnum function in order to enumerate all devices in the Active Directory domain.

Figure 34. Enumerate devices member of Active Directory domain.

Additionally, it retrieves all local and remote shares available in the network by running the NetShareEnum function in order to encrypt the files within them.

Figure 35. Retrieve information on Windows shares.

Since the ransomware does not add file extensions to the encrypted files, it first checks the bytes from offset 0x45 to 0x58 before encryption. These bytes are compared with a hardcoded value inside the ransomware (‘A88830F163306FFE4E4C50EE730476D30C3CE4’). If the comparison is successful, it indicates that the file is already encrypted, and the ransomware will skip the encryption process. If no match is found, the ransomware proceeds to encrypt the file starting from byte 0x59, using AES encryption with a randomly generated 128-bit key for each file. The encryption process makes use of the AES instruction set, including ‘AESKEYGENASSIST,’ ‘AESIMC,’ ‘AESENC,’ and ‘AESENCLAST.’ After the file is encrypted, the encrypted key is written at the end of the file.
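Because no extension is appended, responders cannot scope the damage by file name; the marker the ransomware itself checks is the practical indicator. The following is an added example (not code from the report): it reads only the first 0x58 bytes of each file and reports those carrying the marker. It assumes the marker is stored as the raw 19 bytes the hex string encodes, which the page does not state explicitly; the sample buffers are constructed.

```python
import os

# Marker value the report gives for an already-encrypted file. Assumption
# (not stated on the page): it is stored as the raw 19 bytes this hex string
# encodes, occupying offsets 0x45..0x57, which matches the 0x45-0x58 range.
MARKER = bytes.fromhex("A88830F163306FFE4E4C50EE730476D30C3CE4")
MARKER_OFFSET = 0x45
MARKER_END = MARKER_OFFSET + len(MARKER)   # == 0x58

def has_marker(data: bytes) -> bool:
    """True if the buffer carries the marker at the expected offset.
    Buffers shorter than 0x58 bytes cannot hold it and are reported clean;
    the report does not describe how the ransomware treats such files."""
    return len(data) >= MARKER_END and data[MARKER_OFFSET:MARKER_END] == MARKER

def is_marked_file(path: str) -> bool:
    """Only the first 0x58 bytes are needed, so large files stay cheap."""
    with open(path, "rb") as f:
        return has_marker(f.read(MARKER_END))

def scan_tree(root: str):
    """Walk a directory and return the sorted paths of files carrying the
    marker, for scoping an incident where no extension was appended."""
    marked = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if is_marked_file(path):
                    marked.append(path)
            except OSError:
                continue   # unreadable file: skip rather than abort the scan
    return sorted(marked)

def triage(buffers: dict) -> dict:
    """Same check over in-memory (name -> bytes) pairs, e.g. carved from an image."""
    return {name: has_marker(data) for name, data in buffers.items()}

# Constructed sample buffers (not taken from any real sample): an "encrypted"
# file with the marker in place, a plain SQL dump, and a file too short to
# carry the marker at all.
SAMPLE_FILES = {
    "main.sql":   b"\x00" * MARKER_OFFSET + MARKER + b"\x8f\x1a" * 64,
    "schema.sql": b"CREATE TABLE users (id INT);\n" * 8,
    "tiny.bin":   b"MZ\x90\x00",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```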

Unix-like

For Linux (x64, x86, arm64), FreeBSD (x64, x86), and SunOS versions, the control and options are limited when compared to the Windows version. The ransomware only accepts two parameters, and to execute it, threat actors must specify the directories to be encrypted. If the malware is run without a designated PATH, it will not encrypt any files.

The following are the instructions for the Unix-like versions:

Usage: ./encrypter_linux_x64 [OPTIONS] PATHS...

Options:
  -w, --wait                Number of seconds to sleep before execution.
  -E, --no-erase            Do not erase free disk space.

Paths:
    At least one path is required to start. Paths can be folders, files or 
    devices (/dev/sda). Don't use /.

Examples:
    ./encrypter_linux_x64 /home/ /root/ /var/lib/ /etc/mysql/
    ./encrypter_linux_x64 /dev/sda

ESXi

The VMware (x64, arm64) version supports encrypting ESXi hypervisors and is similar to the Linux version, except that its default encryption directory is set to the virtual machine location on ESXi (/vmfs/volumes/). Additionally, it includes a switch to stop any running VMs.

The following are the instructions for the ESXi version:

Usage: ./encrypter_vmware_x64 [OPTIONS] [PATHS]...

Options:
  -w, --wait                Number of seconds to sleep before execution.
  -S, --no-stop             Do not stop running VMs.
  -E, --no-erase            Do not erase free disk space.

Paths:
    Paths can be folders, files or devices (/dev/sda). Whether they are set, 
    the encryption process goes only for paths. Default: /vmfs/volumes/.

Examples:
    ./encrypter_vmware_x64
    ./encrypter_vmware_x64 /vmfs/volumes/datastore1/pc/pc.vmdk

On 27 February 2024, the operators provided instructions on how to run the ransomware on ESXi hosts under specific circumstances in which third-party software could not run on the hypervisor. Essentially, the commands disable execInstalledOnly enforcement. According to the vendor, "The execInstalledOnly advanced ESXi boot option, when set to TRUE, guarantees that the VMkernel executes only those binaries that have been packaged and signed as part of a VIB (vSphere Installation Bundle)".

Figure 36. Instructions on how to disable execInstalledOnly on ESXi hypervisor.

Network Infrastructure

In order to increase the visibility of the disclosures and leaks published on the group's DLS, and consequently intensify the pressure on the victims, Hunters International registered a few domains to serve as DLS web pages.

At the time of publishing this blog, we observed that the IP address 45[.]8[.]228[.]240, associated with huntersinternational[.]su, belonged to the same bulletproof hosting provider (AS214822) as the IP address 45[.]135[.]233[.]154, associated with both the lynxblog[.]net and incblog[.]su domains. However, we could not collect any additional information that would clarify whether or not there is a link among these groups.

Figure 37. Hunters International's clear net domain.

Figure 38. Lynx's clear net domain.

Figure 39. INC's clear net domain.

In addition to these domains, we discovered a few others that were registered by the group, possibly as reserve domains as they were not active:

  • huntersinternational[.]bond
  • huntersinternational[.]ltd 
  • huntersinternational[.]top 
  • huntersinternational[.]vip

Other than clear net domains, we noticed the following pattern in the Hunters International’s Tor services:

  • hunters33… (LIVE-CHAT)
  • hunters55… (DLS + STORAGE SOFTWARE)
  • hunters77… (AFFILIATE PANEL)

Domains and IP addresses:


Conclusion

Just as the income of a ransomware operation relies on pentesters and access brokers to conduct intrusions and extortions, the survival of a criminal group depends on its operators securing their infrastructure, adapting their capabilities and maintaining the overall operational security (opsec) of the group. The information collected by Group-IB's threat intelligence team on this adversary reveals the maturity of Hunters International's administrators in conducting criminal operations and adapting their strategy to global and geopolitical events affecting the underground economy. Additionally, the information found in the group's affiliate panel allows defenders to better understand the current ransomware landscape, as well as how the effects of actions taken by government bodies are perceived by experienced criminals involved for years in this business model.

As detailed in our annual High-Tech Crime Trends Report 2025, owing to law enforcement operations leading to arrests and disruptions, as well as government actions including sanctions and bans on ransomware payments, ransomware and extortion operations have been attacking critical infrastructure, as they believe that organizations providing critical services are more likely to pay high ransom amounts. Furthermore, ransomware groups may in the near future slowly adopt a stealthier extortion approach, as observed with LockBit and Hunters International. According to some criminals, the likelihood of victims paying the ransom decreases significantly once regulators and law enforcement know about the breach, which explains why LockBit and Hunters International implemented features to no longer drop ransom notes.

Finally, according to Coveware's report, we observed a decrease in ransomware-related payments alongside an increase in payments for extortion-only attacks. Therefore, similar to what CISA observed in relation to BianLian, other ransomware groups may eventually shift from double extortion to exfiltration-only attacks and consequently develop methods to automate this process.

MITRE ATT&CK

Tactic | Technique | Procedure
Execution (TA0002) | Command and Scripting Interpreter (T1059) | The ransomware supports command-line arguments, enabling granular control over its operations (e.g., targeting specific files, directories, drives, or network shares).
Privilege Escalation (TA0004) | Valid Accounts: Domain Accounts (T1078.002) | Credentials specified via the --admin option indicate the use of valid accounts for privilege escalation and remote access.
Defense Evasion (TA0005) | Impair Defenses: Disable or Modify Tools (T1562.001) | Disabling execInstalledOnly enforcement removes a security control designed to restrict execution to signed and verified binaries, thereby impairing defenses against unauthorized code execution.
Defense Evasion (TA0005) | Obfuscated Files or Information: Software Packing (T1027.002) | The ransomware and storage software are packed and protected.
Defense Evasion (TA0005) | Obfuscated Files or Information: Stripped Payloads (T1027.008) | The ransomware and storage software have encrypted strings and stripped symbols.
Defense Evasion (TA0005) | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | The ransomware has an option to change its sleep time to evade sandboxes.
Discovery (TA0007) | Process Discovery (T1057) | The ransomware enumerates all running processes and services using the CreateToolhelp32Snapshot and EnumServicesStatusW Windows APIs.
Discovery (TA0007) | Network Share Discovery (T1135) | The ransomware tries to access remote hosts and remote network shares.
Discovery (TA0007) | File and Directory Discovery (T1083) | The storage software indexes the files inside the provided directory and shares information about them with the victim through the Hunters panel.
Lateral Movement (TA0008) | Remote Services: SMB/Windows Admin Shares (T1021.002) |
Command and Control (TA0011) | Proxy: Multi-hop Proxy (T1090.003) | The storage software uses a Tor proxy for communication with the Hunters server.
Exfiltration (TA0010) | Automated Exfiltration (T1020) | The software facilitates structured storage and categorization of stolen documents, suggesting automation in handling and organizing exfiltrated data.
Impact (TA0040) | Inhibit System Recovery (T1490) | Threat actors deleted shadow copies and backups.
Impact (TA0040) | Service Stop (T1489) | The malware stops and terminates services using the TerminateProcess and ControlService APIs. It includes a default list of processes and services to stop; additionally, threat actors can add to or remove items from this list using command line switches.
Impact (TA0040) | Data Encrypted for Impact (T1486) | The program encrypts the infected system.

Frequently Asked Questions

1. What is Hunters International?
Hunters International is a ransomware operation that emerged in October 2023. It is suspected to be a rebrand of the Hive ransomware group, which was dismantled by law enforcement earlier in 2023.

2. What type of cybercriminal activities does Hunters International engage in?
Hunters International primarily engages in data exfiltration and extortion, though it also performs double extortion attacks (encrypting files while threatening to leak stolen data).

3. When was Hunters International first discovered?
The group's activities were first publicly identified on October 13, 2023, after an English company was disclosed on the group's DLS. Later, a ransomware sample was submitted to VirusTotal from a German IP address on October 19, 2023.

4. How does Hunters International conduct extortions?
The group gains access to victims’ networks, steals sensitive data, and eventually encrypts files. If victims refuse to pay the ransom, the attackers use OSINT (Open Source Intelligence) techniques to pressure them through phone calls, emails, and social media.

5. What industries and regions does Hunters International target?
The group mainly attacks real estate, healthcare, and professional services sectors, with attacks observed in North America, Europe, and Asia. Hunters International prohibits attacks on Israel, Turkey, the entire Far East, and Commonwealth of Independent States (CIS) countries. However, data leaks from companies in these regions suggest that these rules are not strictly followed.

6. What operating systems can be affected by the ransomware from Hunters International?
The ransomware is compatible with Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers). It supports x64, x86, and ARM architectures.

7. How does Hunters International evade security measures?
The group employs several tactics, including using Tor proxies and TLS network communication, stripping payloads, avoiding ransom notes and renaming encrypted files, and leveraging OSINT techniques for targeted extortion.

8. Is Hunters International still active?
Although on November 17, 2024 the group announced the closure of the Hunters International project due to increased government scrutiny and declining profitability, it is still active. However, in January 2025 the operators behind Hunters International launched a new project coined "World Leaks", which focuses entirely on data exfiltration and extortion rather than on ransomware attacks.

9. What makes World Leaks different from Hunters International?
Unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group using a custom-built exfiltration tool.

10. What trends can we expect from cybercriminal groups like Hunters International?
There is a growing trend towards extortion-only attacks, as observed in the transition to World Leaks. Ransomware operators are also adopting stealthier techniques to avoid detection.