
Ransomware Gang Hunters International Shuts Down and Offers Free Decryption Keys


The ransomware gang Hunters International announced on 3 July 2025 that it is shutting down its operations and offering free decryption keys to previously affected organizations. While the move appears philanthropic, experts warn it may be a strategic rebrand into a data-extortion outfit (“World Leaks”). This signals a larger shift in cybersecurity trends and underscores evolving criminal tactics globally.

  • Hunters International emerged in late 2023, likely stemming from the collapsed Hive operation, using Hive’s codebase to conduct ransomware-as-a-service (RaaS) attacks across multiple platforms (Windows, Linux, ESXi, ARM).
  • Over the following ~18 months, it claimed nearly 300 victims worldwide, with confirmed reports of 55 business attacks and over 3 million records compromised, including healthcare and government targets.

Shift to Data Extortion

  • In April 2025, threat intelligence firm Group-IB revealed that Hunters International was transitioning to a data-extortion-only model, operating under a new name, World Leaks.

Shutdown Announcement

  • On 3 July 2025, the group posted on its dark-web leak site: “After careful consideration … we have decided to close the Hunters International project”.
  • All entries were deleted from their leak site, and victims were offered free decryptors via a victim portal.

Global and MEA Impact

Regional Ramifications

  • Many MEA-based enterprises have been targeted in double-extortion campaigns, making them vulnerable to new World Leaks-style data-only threats.
  • Regulators in the region, including UAE’s National Emergency Crisis and Disasters Management Authority (NCEMA) and Saudi NCA, may revisit incident response and ransom refusal strategies in light of this evolution.

International Context

  • Similar to previous group shutdowns (e.g. Hive, Avaddon), Hunters International’s exit and pivot to data extortion reflect shifting criminal paradigms.
  • The move continues a larger trend highlighted by Comparitech and SecurityWeek, where ransomware operations increasingly evolve into data theft specialists.

Expert Insights

Rebecca Moody (Comparitech):
“Hunters International hasn’t had a fit of conscience but has seen another (potentially more lucrative) revenue stream in data theft.”

Aiden Sinnott (Sophos):
“Despite their claim to shut down … it is likely that they have rebranded as World Leaks.”

Technical Profile: MITRE ATT&CK & TTPs

TACTIC           | TECHNIQUE | DESCRIPTION
INITIAL ACCESS   | T1566.001 | Spearphishing (attachments/links)
EXECUTION        | T1059     | Malicious script execution
LATERAL MOVEMENT | T1021     | Remote services (e.g., RDP)
EXFILTRATION     | T1041     | Exfiltration over C2 channels
IMPACT           | T1486     | Data encryption for extortion
DEFENSE EVASION  | T1070     | Indicator removal on host

What This Means for MEA Organizations

  1. Decryption Access: Victims should evaluate decryptor legitimacy via trusted security services and avoid rogue files.
  2. Data Theft Emphasis: Prepare for exposure of stolen data even after decryption, since World Leaks may still use it as leverage.
  3. Extortion Dynamics: Extortion-only attacks remove the technical restore path—prioritize containment and notification processes.

Actionable Takeaways

  1. Validate Decryptors Safely: Use offline sandboxes and vendor-signed tools before deploying decryptors.
  2. Encrypt Sensitive Data at Rest: Adds protection against exfiltration threats.
  3. Monitor Data Egress: Implement DLP to detect unusual export volumes.
  4. Segment Networks: Isolate backups and critical systems to prevent lateral movement.
  5. Threat Hunting: Search for indicators of compromise tied to Hunters/World Leaks.
  6. Update Incident Response Plans: Include data extortion scenarios and communication strategies.
  7. Improve Backups: Air-gapped, immutable backups ensure business continuity.
  8. Security Awareness & Training: Train staff on ransomware, social engineering, and phishing resilience.
  9. Engage CERT/APTs: Share threat intel via regional platforms (e.g., ME-CERTs, Africa-CERT).
  10. Retain Legal Readiness: Consult regulators on breach reporting timelines and ransom negotiation constraints.

Conclusion

Hunters International’s closure and free decryptor offer may seem benevolent, but analysts caution this is likely a strategic rebrand into data extortion via World Leaks. This evolution reflects wider 2025 trends where cybercriminals increasingly value stolen data over encrypted files. Security leaders in MEA and beyond must adapt to this shift by reinforcing detection, extending incident playbooks to data-only attacks, and engaging in proactive cybersecurity collaboration to preempt the next wave of cyber threats.

Sources

  • TechCrunch: Ransomware gang Hunters International says it’s shutting down (3 July 2025)
  • TechCrunch reporting on rebrand & free decryptors
  • SecurityWeek: Hunters International morphs into World Leaks (7 July 2025)
  • Comparitech: 300 attacks, 3 million records compromised (3 July 2025)
  • Group‑IB and BleepingComputer analysis (April 2025)
  • CSO Online expert caution (4 July 2025)
Ouaissou DEMBELE