A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
The Hunters International ransomware group is rebranding and switching tactics


The notorious Hunters International ransomware group has announced it’s shutting down and is offering a parting gift for its victims.
"After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the group said in a post on its dark web page.
The statement noted that the "decision was not made lightly", while the hackers behind the group recognized the impact attacks have had on victim organizations in recent years.
30% off Keeper Security's Business Starter and Business plans
Keeper Security is trusted and valued by thousands of businesses and millions of employees. Why not join them and protect your most important assets while taking advantage of this special offer?
As part of its reconciliation efforts, the group said it plans to give free decryptor keys to anyone that had been hit by is ransomware.
“Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms," they said.
Hunters International is going through a rebrand
Hunters International emerged two years ago and has since carried out a range of attacks, targeting a US cancer center and Tata Technologies. The group claimed to have breached the US Marshals Service, although this was denied by the law enforcement agency.
The group's decision was signposted back in April, when it said that ransomware had become 'unpromising, low-converting, and extremely risky'.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
But organizations shouldn't rest too easy, according to Dray Agha, senior manager of security operations at Huntress. Indeed, the group is essentially rebranding under a new name and will adopt new tactics moving forward.
"While Hunters International frames their shutdown as a ‘gesture of goodwill,’ this is likely a strategic rebrand - not repentance - as they have morphed into the group ‘World Leaks’, an extortion-only operation," Agha said.
World Leaks operates on an extortion-only model, with data held to ransom without file encryption. It emerged earlier this year as a side project from Hunters International and operates four platforms.
These include a main data leak site, a negotiation site for ransom payments, an insider platform for journalists and media, and an affiliate panel for cyber criminals.
The move to focus entirely on World Leaks isn't surprising, said Daniel dos Santos, senior director and head of research at Forescout.
He noted that ransomware groups often rebrand and it was already known that Hunters was operating in data exfiltration under the World Leaks name. Crucially, what this does suggest is that the cyber criminals behind the operation are becoming increasingly wary of law enforcement crackdowns.
"Their move from data encryption to pure data exfiltration is more interesting, as it confirms that ransomware gangs are well aware that law enforcement activity against ransomware is likely to increase, with the fight against these gangs ‘moving from the virtual to the real plane’ in their own words,” he said.
“This could be good news for healthcare operators, manufacturing companies, retailers, and others that often had to stop operations in the past half decade."
Santos warned that victims shouldn't be too optimistic when it comes to getting their hands on their free decryptor.
"Our recent analysis of ransomware negotiations has shown that even when victims pay for decryptors, these tools often do not work, and cybercriminals offer little in terms of ‘customer support'," he said. "I don’t expect that a freely released decryptor would work 100% of the time.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A major ransomware hosting provider just got hit US with sanctions
- The new ransomware groups worrying security researchers in 2025
- Ransomware victims are getting better at haggling with hackers
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Oracle’s European investment drive continues in Germany and the Netherlands
News Oracle is once again ramping up investment across Europe, this time targeting multi-billion-dollar deals in the Netherlands and Germany.
-
Meta working on a 5GW data center to supercharge AI infrastructure
News Mark Zuckerberg detailed plans for a huge infrastructure investment program in a post on Threads earlier this week – here's what you need to know.
-
MSPs emerge as key security partners for mid-market enterprises
News The MSP Customer Insight Report reveals 85% of mid-sized organizations now rely on MSPs for security support
-
Application layer DDoS attacks are skyrocketing – here's why
News The industry is seen as a prime target thanks to a reliance on online services and real-time transactions
-
Arrests made after huge HMRC scam campaign hit 100,000 accounts
News The Romanian nationals are accused of having used stolen data to make fraudulent claims
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Ingram Micro cyber attack: IT distributor says system restoration underway – but some customers might have to wait for a return to normality
News Ingram Micro is gradually getting back on its feet after a recent cyber attack severely disrupted systems.
-
M&S chair calls for mandatory reporting of cyber attacks after "traumatic" ransomware incident – but will it do more harm than good?
News M&S chair Archie Norman has called for mandatory reporting amid claims two large UK companies were hacked without any public knowledge.
-
Arrests made in hunt for hackers behind cyber attacks on M&S and Co-op
News The suspects remain in custody for questioning by officers from the NCA's National Cyber Crime Unit
-
Ransomware attacks carry huge financial impacts – but CISO worries still aren’t stopping firms from paying out
News Increased anxiety over ransomware links directly to its devastating impact on business processes and one’s bottom line