The Russian-speaking cybercrime group known for healthcare attacks says it is ending operations, though doubts remain.
Hunters International, a ransomware-as-a-service group that has operated for the past 18 months, announced on July 4 that it is shutting down. The group claimed it will provide free decryption software to past victims so they can recover encrypted files without paying ransoms. Known for targeting healthcare and corporate networks, the group used a network of affiliates to carry out attacks in exchange for a share of ransom payments.
The announcement, published on the group’s website, stated that the decision was made “after careful consideration” and was accompanied by a message offering recovery tools to affected organizations. As of now, no decryption keys have appeared on the site.
Ransomware groups frequently rebrand, often closing one operation before launching another under a new name. Hunters International may be following that pattern. Earlier this year, the group launched World Leaks, a data leak site that names victims and posts stolen files if ransoms are not paid. Around the same time, the group appeared to shift tactics, focusing more on data theft and extortion than file encryption.
There is speculation that Hunters International may have emerged from Hive, a ransomware group dismantled by law enforcement in early 2023. Though Hunters used Hive’s encryptor, it claimed to have purchased the source code and denied being a direct rebrand. The FBI seized Hive’s servers in July 2022, and Hunters became active in October 2023.
More recently, a spokesperson from the World Leaks site stated that they had separated from Hunters International, suggesting the site may now operate independently.
In its shutdown notice, Hunters International framed the release of free decryption tools as an act of goodwill: “Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms… We understand the challenges that ransomware attacks pose.”
The group also asked organizations to visit its site for access to tools and support, though no such tools have been published so far.
Public shutdowns of ransomware groups rarely mark a clear endpoint. Rebranding remains a common tactic to evade law enforcement and resume operations under a new name. Although Hunters has offered free decryptors, experts advise caution until the tools are verified. The appearance of World Leaks, along with Hunters’ earlier move toward data extortion, suggests a change in approach rather than a complete withdrawal from cyber activity.
RaaS is a business model where cybercriminals lease ransomware tools to affiliates, who conduct attacks in exchange for a share of ransom payments.
Offering free decryptors may help reduce legal exposure or reputational risk, especially if the group anticipates public scrutiny or has lost control of its operations.
Victims should consult trusted cybersecurity firms or incident response teams before downloading or running any tool from a former threat actor's site.
Ransomware locks access to systems by encrypting data, while data extortion involves stealing sensitive information and threatening to leak it unless paid.
Yes. Agencies like the FBI track group infrastructure, tactics, and code reuse, which often leads to attribution even when names and branding change.