A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'

Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.

(Image credit: Getty Images)

published 4 July 2025

The notorious Hunters International ransomware group has announced it’s shutting down and is offering a parting gift for its victims.

"After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the group said in a post on its dark web page.

The statement noted that the "decision was not made lightly", while the hackers behind the group recognized the impact attacks have had on victim organizations in recent years.

As part of its reconciliation efforts, the group said it plans to give free decryptor keys to anyone that had been hit by is ransomware.

“Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms," they said.

Hunters International is going through a rebrand

Hunters International emerged two years ago and has since carried out a range of attacks, targeting a US cancer center and Tata Technologies. The group claimed to have breached the US Marshals Service, although this was denied by the law enforcement agency.

The group's decision was signposted back in April, when it said that ransomware had become 'unpromising, low-converting, and extremely risky'.

But organizations shouldn't rest too easy, according to Dray Agha, senior manager of security operations at Huntress. Indeed, the group is essentially rebranding under a new name and will adopt new tactics moving forward.

"While Hunters International frames their shutdown as a ‘gesture of goodwill,’ this is likely a strategic rebrand - not repentance - as they have morphed into the group ‘World Leaks’, an extortion-only operation," Agha said.

World Leaks operates on an extortion-only model, with data held to ransom without file encryption. It emerged earlier this year as a side project from Hunters International and operates four platforms.

These include a main data leak site, a negotiation site for ransom payments, an insider platform for journalists and media, and an affiliate panel for cyber criminals.

The move to focus entirely on World Leaks isn't surprising, said Daniel dos Santos, senior director and head of research at Forescout.

He noted that ransomware groups often rebrand and it was already known that Hunters was operating in data exfiltration under the World Leaks name. Crucially, what this does suggest is that the cyber criminals behind the operation are becoming increasingly wary of law enforcement crackdowns.

"Their move from data encryption to pure data exfiltration is more interesting, as it confirms that ransomware gangs are well aware that law enforcement activity against ransomware is likely to increase, with the fight against these gangs ‘moving from the virtual to the real plane’ in their own words,” he said.

“This could be good news for healthcare operators, manufacturing companies, retailers, and others that often had to stop operations in the past half decade."

Santos warned that victims shouldn't be too optimistic when it comes to getting their hands on their free decryptor.

"Our recent analysis of ransomware negotiations has shown that even when victims pay for decryptors, these tools often do not work, and cybercriminals offer little in terms of ‘customer support'," he said. "I don’t expect that a freely released decryptor would work 100% of the time.”

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

TOPICS

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.