Security Pros Say Hunters International RaaS Operators are ‘Changing Jerseys’
Hunters International, a ransomware-as-a-service group linked to the disbanded Hive group, has announced its shutdown. The group had shifted to data exfiltration and extortion-only operations, avoiding encryption. It provided free decryption tools and removed victim data from its portal, citing "recent developments" as the reason for closure. Security experts suggest the shutdown may be temporary, with members likely rebranding or adapting to evade law enforcement pressure. 2025-7-3 20:20:58 Author: securityboulevard.com

Hunters International, the high-profile ransomware-as-a-service (RaaS) operation that reportedly was rebranding to focus on data exfiltration and extortion-only operations and move away from data encryption, now says it is shutting down altogether.

Hunters International, which is believed to have emerged in 2023 from the notorious Hive group after it was dismantled by law enforcement agencies the year before, said on its dark web site Thursday that it is closing its operations.

The group didn’t say why it was shutting down – in the note, it referred only to “recent developments” – though it had posted a message in November 2024 saying it was closing down due to increased pressure from law enforcement operations. In addition, researchers from cybersecurity firm Group-IB wrote in April about the group’s rebranding into an extortion-only gang that was to be called World Leaks.

The researchers at the time speculated that the shift to an extortion-only strategy came after two years of operations by international law enforcement agencies disrupted the work of cybercriminal organizations, including Hive. There also was the push by the United States and other countries to tag ransomware groups as terrorist organizations and to ban ransom payments, which rattled the underground ransomware community, according to Group-IB.

An Evolving Operation

The RaaS group and its affiliates had been using double-extortion tactics up until then, exfiltrating data before encrypting it and using it as additional leverage to get the victims to pay the demand, with the victims numbering more than 200. They include such organizations as the U.S. Marshals Service, Tata Industries, and Integris Health in Oklahoma, with the targeted platforms spanning everything from Windows and Linux to VMware’s ESXi and FreeBSD.

Security professionals said it isn’t unusual for a threat group to shut down its operations, but added the bad actors behind Hunters International likely are not going away.

“When a ransomware group says they’re ‘shutting down,’ it’s probably not because they’ve come to their senses,” Chad Cragle, CISO of cyber resilience platform vendor Deepwatch, told Security Boulevard. “More likely, they’re changing jerseys and planning their next move under a new team name. ‘Recent developments’ could mean law enforcement’s getting close, profits are down, or they’re just shifting tactics, not suddenly growing a conscience.”

Making Amends?

The group also appears contrite, saying it is offering free decryption software to its victims “as a gesture of goodwill and to assist those affected by our previous activities.”

It also reportedly removed the listings of victim names and data from its extortion portal.

“Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms,” the note states. “We understand the challenges that ransomware attacks pose, and we hope that this initiative will help you regain access to your critical swiftly and efficiently.”

The group said companies interested in the decryption software and that need guidance can visit Hunters International’s website.

Shutting Down, But Not Going Away

Closing an operation is a frequent event in the cybercriminal world, with some prominent groups doing it a few times a year, said Dave Tyson, chief intelligence officer at cybersecurity and IT solutions provider Apollo Information Systems, adding that some criminal forums that Hunters International participated in were seized this year, which exposed some of its affiliates to law enforcement.

“So, yes these tend to be legit,” Tyson said. “However, it should not be taken to be a surrender. It should be considered as more of a temporary exit, rebrand, and reshuffling of members to rebuild their anonymity and cache.”

He also noted that the number of ransomware attacks in the first and second quarters this year is continuing an uphill climb, even though revenue is slightly down. Given that, it’s likely that the Hunters International operators are protecting themselves now to get back into it soon.

Keep Alert

And despite the nod by the cybercriminals to noble causes and promises to make good on the damage they did to their victims, organizations need to be wary and keep their guard up.

“Those free decryption keys? Maybe they help, maybe they hurt,” Deepwatch’s Cragle said. “It’s like getting a USB in the mail labeled ‘bonuses.’ Could be legit, could wreck your day. Bottom line, don’t assume this is over. These crews rarely walk away for good. If you’re thinking about using those keys, proceed with caution, vet everything, or you might make a bad situation worse.”

Article source: https://securityboulevard.com/2025/07/security-pros-say-hunters-international-raas-operators-are-changing-jerseys/?utm_source=rss&utm_medium=rss&utm_campaign=security-pros-say-hunters-international-raas-operators-are-changing-jerseys