
Ransomware Group Hunters International Announces Exit | #ransomware | #cybercrime - National Cyber Security Consulting



Cybercrime Experts Greet Announcement With Skepticism


Hunters International said Thursday it closed shop, provoking skepticism among cybercrime experts who said it’s more likely the Russian-speaking hackers behind the ransomware group will start up again under a new brand name.


The group cited “recent developments” without elaboration in a missive posted to its leak site announcing “project closure” and a pledge to publish decryption keys for victims of its cryptolocking malware.

The closure announcement could mean Hunters hackers met a pre-set extortion earnings goal or that the group is facing mounting pressure from law enforcement, said Milivoj Rajić, head of threat intelligence at DynaRisk. But there’s nothing in the closure announcement that is a “clear indication of permanent shutdown,” he said.

The hackers behind Hunters have a history of shape-shifting. Many suspect Hunters itself is a rebrand of an earlier ransomware group called Hive, the subject of a 2023 multinational law enforcement takedown operation (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).

Analysts at cybersecurity firm Group-IB in April reported that Russian crime forum members still refer to Hunters as “Hive.” At one point, Hunters reacted to speculation about its origins by posting that it had bought Hive crypto-locking source code.

Hunters administrators in January already signaled they intended to move on from ransomware by starting a new effort called “World Leaks” that skips cryptolocking files in favor of direct data theft tied to extortion demands in exchange for a promise not to publish. The World Leaks leak website is still active.

“Ransomware groups often rebrand themselves,” said Daniel dos Santos, senior director, head of research at Forescout. Other ransomware groups that have made closure announcements include Ragnarok and BlackMatter (see: HHS HC3: BlackMatter Threat to Health Sector ‘Reduced’).

Hunters’ “move to pure data exfiltration confirms that ransomware gangs are well aware that law enforcement activity against ransomware is likely to increase,” dos Santos added.

Law enforcement pressure on ransomware has appreciably increased through operations that include server seizures and exposing cybercriminals’ true identities – causing a shakeup in the cybercriminal underground. More corporations resist paying digital extortion demands, but it’s not apparent that the disruptions have resulted in a decrease in the raw number of attacks (see: Vampire Cosplay and Brand Revival: Ransomware in 2025).

Hunters operated on an affiliate model and required hackers to log targets with them. Hunters provided affiliates with Storage Software, an exfiltration tool touted as capable of working through a proxy server. Affiliates also received cryptolocking software compatible with Windows- and Linux-based devices. If the victims paid the ransom, Hunters received a fifth of the payment.

Santos cautioned against putting too much stock into the group’s claim about publishing a decryptor. “Cybercriminals offer little in terms of ‘customer support.’ I don’t expect that a freely released decryptor would work 100% of the time,” Santos said.




