
Crimelords at Hunters International tell lackeys ransomware too ‘risky’

Big-game ransomware crew Hunters International says its criminal undertaking has become “unpromising, low-converting, and extremely risky,” and it is mulling shifting tactics amid an apparent rebrand.

This is according to researchers at Group-IB, who believe the gang’s senior personnel are forming a spinoff that will focus purely on data-theft extortion. They think, however, that the old group is still operating for now.

Victims of Hunters International include Tata Technologies, a plastic surgeon with an office in Beverly Hills, and Industrial and Commercial Bank of China’s London HQ.

Group-IB revealed today that Hunters International announced the closure of the project to their own crew in November, telling affiliates a rebrand to “World Leaks” was already underway.

World Leaks launched its dark web page on January 1 and is focused on theft-only tactics – so no ransomware, just theft of information and using it to extract as much value as possible from victims or from anyone interested in the pilfered data.

Leading figures within the operation told their org that the ransomware game was no longer as profitable as it once was, and that with mounting efforts from international law enforcement to counter file-scrambling malware, as well as investigators breathing down their necks, it had all become too risky an enterprise.

The November “wind-down” message to affiliates reads:

They went on to cite Moscow’s crackdown on various platforms that allegedly allow cybercriminals to launder their illicit proceeds as examples of how even Russia is becoming a slightly less hospitable home for career ransomwarers.

However, a follow-up message weeks later appeared to contradict elements of this, saying Hunters International was back and the group is still operating today. There may have been a split in the operation, some deliberate or accidental confusion, or something else.

Regardless, Group-IB still believes a rebrand to World Leaks is likely, and despite some initial website teething issues – bugs that forced admins to shut the site soon after launch – the project is alive, though it has no recorded victims yet.

World Leaks offers members access to what it claims is easy-to-use and totally undetectable bespoke data exfiltration software, which connects to an online control panel for affiliates through a network proxy server. The affiliates are the miscreants who break into organizations and deploy the data-stealing malware in the first place; the proceeds of the crime are shared between them and the core gang members who oversee, develop, and rent out the malicious code.

If Hunters International does indeed ultimately abandon ransomware, they’ll be joining many peers that made the same move before. This indicates to global cyber cops that their long hours spent on disruption efforts are having some impact.

The cybersecurity industry has seen a slow upward trend in ransomware criminals abandoning encryption and opting for pure theft extortion tactics, although undergoing a full rebrand isn’t the norm.

Investigators spotted the move away from data-encrypting ransomware back in 2022, with the likes of Karakurt making such moves and BianLian following a year later. 

Since then, we’ve also seen new groups crop up on the scene with extortion-only MOs from the get-go. Mad Liberator is one example, launching less than a year ago.

However, the idea that ransomware is no longer profitable seems like a bit of a reach. Sophos’s 2024 ransomware report showed a 2.6x to 5x increase in ransom payments for data recovery compared to the previous year, depending on how the figures are analyzed.

Ransomware also remains a key focus for governments as they introduce legislation to counter the crime. ®
