Full Report
Some admins of Hunters International are now part of the encryption-less cyber extortion group World Leaks
Analysis Summary
# Threat Actor: Hunters International / World Leaks (Likely Rebrand)
## Attribution & Identity
* **Primary Identity:** Hunters International (Ransomware-as-a-Service - RaaS).
* **Associated Groups:** Linked to the dismantled RaaS group **Hive**.
* **Known Aliases/Successors:** **World Leaks** (identified as a likely successor or rebranding effort involving former Hunters International administrators).
* **Internal Dynamics:** Potential split within the group, with one faction seemingly continuing encryption-less extortion under the World Leaks banner.
## Activity Summary
Hunters International announced its shutdown on June 3, claiming to offer free decryption software as a "gesture of goodwill." The group has been tracked since October 2023, claiming 307 victims. However, internal activity suggests a complex narrative:
1. **November 2024:** Operators reportedly discussed ending the project due to increased business risk and unprofitability.
2. **January 2025:** Operators reversed course, announcing the resumption of data encryption activities after issues with the new project, World Leaks.
3. **World Leaks Launch:** The group launched "World Leaks" on January 1, 2025, initially focused on encryption-less extortion attacks. World Leaks has claimed 31 victims since May 18, 2025.
4. **Observed Conflict:** World Leaks spokespeople indicated they separated from some Hunters International administrators over ideological differences regarding criminal business models (favoring data extortion over encryption/disruption).
*The final shutdown announcement by Hunters International appears to intentionally omit any mention of World Leaks to control the narrative and evade scrutiny.*
## Tactics, Techniques & Procedures
* **Ransomware Activity:** Historically conducted encryption-based cyber extortion; a double-extortion model (encryption plus data theft) is implied by the linkage to Hive and by typical RaaS operations.
* **Rebranding/Evasion:** Used rebranding (to World Leaks) to shed the "ransomware label" and avoid scrutiny associated with the Hunters International name.
* **Extortion Model Shift:** World Leaks is utilizing **encryption-less extortion-only attacks** ("Data extortion is a much better business model because it doesn’t render companies inoperable").
* **Reputational Tactics:** Offering free decryption keys, assessed as a tactic to distance the original brand from the successor group rather than a genuine goodwill gesture.
## Targeting
* **Sectors:** Financial Services, Manufacturing/Aerospace (implied via Tata Technologies), Automotive (AutoCanada), Healthcare (US plastic surgeon's clinic).
* **Geography:** United States, United Kingdom (London), China.
* **Victims:**
  * US plastic surgeon's clinic (October 2023)
  * Industrial and Commercial Bank of China (ICBC) London subsidiary (September 2024)
  * AutoCanada (September 2024)
  * Tata Technologies (March 2025)
  * Third-party supplier of **UBS** (June 2025, leading to 130,000 employee records being exposed)
## Tools & Infrastructure
* **Malware Families Used:** Hunters International ransomware (specific family not detailed; RaaS deployment implied).
* **Infrastructure (C2, domains, IPs):** Hunters International utilized a data leak site. World Leaks is established as a new operational entity. No specific technical infrastructure details (IPs/Domains) were provided beyond the platform names.
## Implications
The apparent shutdown of Hunters International highly likely signifies a strategic rebranding exercise to evade law enforcement attention and reputational fallout associated with previous activities. The emergence of World Leaks suggests a continuation of cyber extortion, potentially shifting focus toward less disruptive, but still damaging, data extortion models. Affiliates are expected to evolve their tactics.
## Mitigations
* Maintain vigilance against emerging extortion groups, particularly those that appear to rebrand (such as World Leaks).
* Focus defense strategies on data exfiltration monitoring, not just encryption indicators, given the observed shift to encryption-less extortion methods.
* Assume that stated intentions (like shutting down) by RaaS affiliates are tactical maneuvers designed to deceive or misdirect attribution efforts.