In a significant development within the ransomware ecosystem, cybersecurity researchers have linked the Hunters International operation to the infamous Hive ransomware group.
Emerging in October 2023, Hunters International is suspected to be a rebranded version of Hive, which was dismantled by law enforcement earlier that year.
The group has been observed targeting Windows, Linux, FreeBSD, SunOS, and ESXi systems across multiple industries, including healthcare, real estate, and professional services, in regions such as North America, Europe, and Asia.
Evidence suggests that Hunters International may have acquired Hive’s source code and operational infrastructure.
This includes their ransomware software and web application, enabling them to continue sophisticated attacks.
Despite denying direct rebranding claims, underground forums and affiliate communications have frequently referred to the group as “Hive” in Russian.
The operation focuses heavily on data exfiltration rather than encryption as its primary objective.

Advanced Techniques and Tools
Hunters International employs a range of advanced tools and techniques to execute its operations. A key innovation is their proprietary “Storage Software,” which facilitates the collection and categorization of metadata from exfiltrated files.
According to the report, this tool supports both Windows and Linux environments and utilizes SOCKSv5 proxies for secure communication via Tor networks.
Notably, the ransomware no longer renames encrypted files or drops ransom notes, tactics aimed at reducing visibility and avoiding detection by victims’ employees or security teams.
The ransomware itself is highly versatile, compatible with x64, x86, and ARM architectures.
It includes features like automatic disk partition mounting and command-line options for execution delay as an anti-analysis measure.
On ESXi systems, it targets virtual machine directories by default and can halt running virtual machines during encryption.
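Because the locker described above keeps original file names and drops no ransom note, extension-based or note-based detections no longer fire. One defensive check that still works is to look for files whose extension promises low-entropy text but whose contents are near-random. The following script is an added example written for this article, not tooling from the report or from any vendor; the extension list, the 7.5 bits-per-byte threshold and the sample directory it builds are all constructed assumptions for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions whose legitimate contents are usually low-entropy text. Compressed
# formats (zip, docx, png, jpg) are high-entropy by design and must NOT be listed,
# or the check drowns in false positives. Constructed list for this example.
TEXT_LIKE_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".ini", ".sql"}

# Bits per byte. English text sits around 4-5, ciphertext approaches 8.
# 7.5 is an assumed cut-off chosen for this example, not a published value.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256  # very small files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str) -> bool:
    """True when the file has a text-like extension but near-random contents."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TEXT_LIKE_EXTENSIONS:
        return False
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return False
        with open(path, "rb") as f:
            sample = f.read(64 * 1024)  # the first 64 KiB is enough for a verdict
    except OSError:
        return False
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> list[str]:
    """Walk a directory tree and return paths that appear encrypted in place."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                hits.append(path)
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample tree: one genuine log file and one 'encrypted' CSV."""
    root = tempfile.mkdtemp(prefix="entropy_demo_")
    with open(os.path.join(root, "access.log"), "wb") as f:
        f.write(b"2025-01-10 10:00:01 GET /index.html 200\n" * 50)
    # Random bytes stand in for ciphertext; the name is left unchanged,
    # mirroring a locker that does not rename what it encrypts.
    with open(os.path.join(root, "customers.csv"), "wb") as f:
        f.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_demo_tree()):
        print("possible in-place encryption:", hit)
```

Run it periodically against file shares or as a post-incident sweep; a sudden rise in the hit count across a share is a stronger signal than any single file, since legitimate high-entropy text files (base64 blobs, minified assets) do exist.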

Shift to Extortion-Only Operations
In late 2024, Hunters International announced plans to cease operations due to increasing law enforcement pressure and declining profitability in ransomware activities.
However, by January 2025, the group resurfaced under a new banner, World Leaks, shifting its focus entirely to extortion-only attacks.
This new operation leverages a custom-built exfiltration tool designed for automating data theft from victim networks.
Unlike traditional ransomware attacks that involve file encryption alongside data theft (double extortion), World Leaks exclusively relies on exfiltration and subsequent threats of public disclosure to coerce victims into payment.
This strategic pivot reflects a broader trend in the cybercrime landscape toward stealthier extortion methods.
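With no encryption stage, the only host-observable phase of an extortion-only operation like World Leaks is the exfiltration itself, so network telemetry carries more weight. The script below is an added example for this article, not code from the report or from any product: it parses constructed flow records and raises two kinds of alert, an internal host pushing an unusual volume of bytes outbound within a time window, and any outbound connection to the default SOCKS proxy ports (1080, and 9050 used by Tor's SOCKS listener). The log format, the addresses, the 100 MiB threshold and the 10-minute window are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: <epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_FLOWS = """\
1736500000 10.0.1.15 172.16.0.5 445 120000
1736500060 10.0.1.15 203.0.113.9 443 52000000
1736500120 10.0.1.15 203.0.113.9 443 61000000
1736500180 10.0.1.15 203.0.113.9 443 58000000
1736500000 10.0.1.22 172.16.0.5 445 90000
1736500060 10.0.1.22 93.184.216.34 443 800000
1736500200 10.0.1.40 198.51.100.7 9050 3500000
"""

# RFC 1918 ranges are listed explicitly; ipaddress.is_private would also treat
# the documentation ranges used in the sample (203.0.113.0/24 etc.) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, bytes_out = parts
        flows.append(Flow(int(ts), src, dst, int(dport), int(bytes_out)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_exfil(flows, window_s=600, volume_threshold=100 * 1024 * 1024,
                 proxy_ports=(1080, 9050)):
    """Return (kind, src, detail) alerts for suspicious outbound traffic."""
    alerts = []

    # 1) Aggregate outbound bytes per internal host per time window.
    buckets = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            buckets[(f.src, f.ts // window_s)] += f.bytes_out
    for (src, _window), total in sorted(buckets.items()):
        if total >= volume_threshold:
            alerts.append(("volume", src, total))

    # 2) Any outbound connection to a default SOCKS/Tor proxy port.
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dport in proxy_ports:
            alerts.append(("proxy_port", f.src, f.dport))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind}: {src} -> {detail}")
```

In production the volume threshold should be a per-host baseline rather than a constant, and the port check is only a cheap first filter, since an attacker can run a proxy on any port; the robust signal is the sustained outbound volume to a destination the host has never contacted before.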
The activities of Hunters International underscore the evolving tactics employed by ransomware groups in response to global law enforcement actions and regulatory measures.
By abandoning ransom notes and encryption markers, these groups aim to minimize detection risk while maximizing leverage over their victims through targeted extortion campaigns.
The transition from double extortion to exfiltration-only models also highlights a growing emphasis on operational security among threat actors.
As seen with World Leaks’ development of undetectable tools and streamlined exfiltration processes, cybercriminals are increasingly prioritizing efficiency and anonymity in their operations.
Organizations must remain vigilant against such threats by implementing robust cybersecurity measures, including network segmentation, regular backups, and employee training on phishing awareness.
Furthermore, collaboration between governments and private entities is crucial for disrupting these sophisticated criminal networks.