A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
The Hunters International ransomware group is rebranding and switching tactics


The notorious Hunters International ransomware group has announced it’s shutting down and is offering a parting gift for its victims.
"After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the group said in a post on its dark web page.
The statement noted that the "decision was not made lightly", while the hackers behind the group recognized the impact attacks have had on victim organizations in recent years.
30% off Keeper Security's Business Starter and Business plans
Keeper Security is trusted and valued by thousands of businesses and millions of employees. Why not join them and protect your most important assets while taking advantage of this special offer?
As part of its reconciliation efforts, the group said it plans to give free decryptor keys to anyone that had been hit by is ransomware.
“Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms," they said.
Hunters International is going through a rebrand
Hunters International emerged two years ago and has since carried out a range of attacks, targeting a US cancer center and Tata Technologies. The group claimed to have breached the US Marshals Service, although this was denied by the law enforcement agency.
The group's decision was signposted back in April, when it said that ransomware had become 'unpromising, low-converting, and extremely risky'.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
But organizations shouldn't rest too easy, according to Dray Agha, senior manager of security operations at Huntress. Indeed, the group is essentially rebranding under a new name and will adopt new tactics moving forward.
"While Hunters International frames their shutdown as a ‘gesture of goodwill,’ this is likely a strategic rebrand - not repentance - as they have morphed into the group ‘World Leaks’, an extortion-only operation," Agha said.
World Leaks operates on an extortion-only model, with data held to ransom without file encryption. It emerged earlier this year as a side project from Hunters International and operates four platforms.
These include a main data leak site, a negotiation site for ransom payments, an insider platform for journalists and media, and an affiliate panel for cyber criminals.
The move to focus entirely on World Leaks isn't surprising, said Daniel dos Santos, senior director and head of research at Forescout.
He noted that ransomware groups often rebrand and it was already known that Hunters was operating in data exfiltration under the World Leaks name. Crucially, what this does suggest is that the cyber criminals behind the operation are becoming increasingly wary of law enforcement crackdowns.
"Their move from data encryption to pure data exfiltration is more interesting, as it confirms that ransomware gangs are well aware that law enforcement activity against ransomware is likely to increase, with the fight against these gangs ‘moving from the virtual to the real plane’ in their own words,” he said.
“This could be good news for healthcare operators, manufacturing companies, retailers, and others that often had to stop operations in the past half decade."
Santos warned that victims shouldn't be too optimistic when it comes to getting their hands on their free decryptor.
"Our recent analysis of ransomware negotiations has shown that even when victims pay for decryptors, these tools often do not work, and cybercriminals offer little in terms of ‘customer support'," he said. "I don’t expect that a freely released decryptor would work 100% of the time.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A major ransomware hosting provider just got hit US with sanctions
- The new ransomware groups worrying security researchers in 2025
- Ransomware victims are getting better at haggling with hackers
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Lenovo IdeaPad Slim 3x review
Reviews The Qualcomm Snapdragon X-powered laptop packs a punch for the price
-
The Builder.ai collapse should be a turning point in the age of AI hype
News Builder.ai was among one of the most promising startups capitalizing on the generative AI boom – until it all came crashing down
-
Using WinRAR? Update now to avoid falling victim to this file path flaw
News WinRAR users have been urged to update after a patch was issued for a serious vulnerability.
-
A major ransomware hosting provider just got hit US with sanctions
News Aeza Group's services were being used for ransomware, infostealers, and disinformation
-
Hackers are using PDFs to impersonate big brands like Microsoft and PayPal in a new threat campaign
News Hackers are increasingly using PDF attachments to impersonate major brands in phishing campaigns, according to new research from Cisco Talos.
-
UK firms are 'sleepwalking' into smart building cyber threats
News The convergence of operational technology and IT systems is posing serious risks for property firms.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs