Redazione RHC : 4 July 2025 12:55
Hunters International, the group responsible for one of the largest ransomware attacks in recent years, has officially announced the cessation of its operations. In a statement published on its darknet portal, the group said it wanted to cease operations and offer free tools to decrypt data from affected companies.
According to the criminal group, this decision was made after an in-depth analysis and is linked to recent events, the details of which were not disclosed. However, it is known that as early as November 2024, cybercriminals had announced their intention to reduce their activities due to growing interest from law enforcement and the declining profitability of attacks.
Project closure and free decryption software for affected businesses.
We at Hunters International would like to inform you of an important decision that affects our operations. After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision has not been taken lightly and we understand the impact it has on the organizations we have interacted with.
As a gesture of goodwill and to help those who have been affected by our previous activities, we are offering free decryption software to all businesses that have been affected by our ransomware. Our goal is to ensure that you can recover your encrypted data without having to pay ransoms.
We understand the challenges that ransomware attacks pose and hope that this initiative will help you regain access to your critical information quickly and efficiently. To access decryption tools and guidance on the recovery process, please visit our official website.
We appreciate your understanding and cooperation during this transition. Our commitment to supporting affected organizations remains our top priority as we wind down our operations.
As a “goodwill gesture”, Hunters International promises to provide all affected companies with free tools to recover their encrypted data. The compromising page on their website, which previously published the details of victims who refused to pay the ransom, has also been completely deleted. Any organization attacked by the group can request decryption programs and instructions on how to recover information.
It is worth noting that in April, Group-IB specialists reported the reformatting of Hunters International and the launch of a new project called World Leaks, which focused solely on data theft and subsequent extortion. Unlike the previous approach, where cybercriminals combined data encryption with data leakage, the new scheme involved only stealing information using their own exfiltration tool. This tool is said to be an improved version of the system previously used by members of Hunters International.
Hunters International appeared on the cybercrime scene at the end of 2023 and immediately attracted the attention of experts. Experts then drew attention to the similarity of their programming code to malware previously used by another well-known group, Hive, which gave rise to speculation about a possible rebranding. In less than two years of operation, Hunters International has managed to attack nearly 300 organizations around the world, including large companies and medium-sized businesses. The ransom amount ranged from several hundred thousand to millions of dollars, depending on the size of the targeted company.
The group’s most notable victims include entities such as the US Marshals Service , the Japanese company Hoya , Tata Technologies , the North American car dealership chain AutoCanada, the US Navy contractor Austal USA, and the largest non-profit medical organization in the state of Oklahoma, Integris Health. Additionally, in December 2024, cybercriminals hacked the Fred Hutch Cancer Center in the United States, threatening to publish the data of more than 800,000 patients if the institution’s management did not accept their conditions.
The Hunters International ransomware was dangerous because it supported a wide range of operating systems and architectures. The malware can run on Windows, Linux, FreeBSD, SunOS, and VMware ESXi servers, and also supports x64, x86, and ARM platforms. Despite the official statement about the cessation of activity, experts believe that cybercriminals may continue the attacks under a new name or within other groups, which has already happened several times in a similar context.