Hunters International Dumps Ransomware, Goes Full-on Extortion
An important change is going on in the world of cybercrime. For the past several years, ransomware groups have been running campaigns of what is called double extortion: charging two ransoms, one for decrypting the data and one to keep the data private. The Hunters International ransomware-as-a-service gang is a case in point. Having risen from the ashes of the Hive gang, the group has been an effective operator in the ransomware space and has used double extortion extensively. Since its establishment in 2023, the group has claimed over 200 victims, including the London branch of the Industrial and Commercial Bank of China, Anderson Gas and Oil, and Barber Specialties, a construction company in Texas. However, circumstances are changing, and Hunters International, along with other ransomware groups, is beginning to decide that the ransomware game is no longer worth the candle.
What prompted this change? In general, two large changes have been affecting ransomware groups since 2024. The first is that law enforcement has become more effective at fighting back against ransomware. Major international law enforcement operations with names such as Endgame, Morpheus, Cronos, and Magnus have significantly disrupted ransomware operations by shutting down the groups' websites, seizing source code, and developing decryptors that counter ransomware programs. One such operation shut down the Hive gang, the predecessor of Hunters International.
The other major change is that ransomware is simply no longer as profitable as it once was. Efforts by the international community to ban paying out ransoms have had a serious effect on the underground ransomware economy. The result is a strange paradox: although ransomware cases continued to grow in 2024, by as much as 132% according to some researchers, the actual amount of money paid out as ransom has dropped significantly. According to a report from Chainalysis, the amount of ransom paid dropped from a record 1.25 billion USD in 2023 to 813.55 million USD in 2024, a 35% decrease.
Between these two trends, it becomes clearer why Hunters International has made the decision to drop ransomware entirely and rebrand itself purely around extortion, which cannot be interfered with by an outside decryptor. According to a report from Group-IB, the group is rebranding itself under the new name World Leaks and is developing new exfiltration software that it claims is fully undetectable. This is not isolated to Hunters International: LockBit 4, currently the most popular ransomware program, now includes a Quiet Mode feature that performs the data collection without the actual encryption. Group-IB is confident that other ransomware groups will soon follow suit, and that double extortion will soon be replaced by data privacy extortion for most of the major ransomware groups.