Group-IB experts have published a report on the activities of the extortionist hack group Hunters International. The hackers believe that the use of ransomware has become too risky and are changing their tactics.
According to Group-IB analysts, the group's leadership is currently preparing a new project that will be aimed exclusively at extortion and data theft. However, the old group is still active.
Researchers noted that back in November last year, the management of Hunters International announced to its team that the project was being closed, stating that the "rebranding" into World Leaks was already in full swing.
The World Leaks group launched a darknet website on January 1 of this year and is focused exclusively on stealing information, meaning it does not use ransomware. The group's tactics are based on stealing data and extracting maximum benefit from it by extorting ransom from victim companies or selling the information to those interested in it.
The group's stated reason is that ransomware is no longer profitable and that international law enforcement and investigators are paying too much attention to hackers.
In their November report, Hunters International wrote (spelling and punctuation preserved):
"Despite the great efforts invested in the creation and joint development of the project, I and most of the partners decided that development in the Ransomware direction has become futile, low-convertible and excessively risky.
Changes are happening in the world now, one of them is the recognition of Ransomware as terrorism, and countries that contribute to it (or do nothing) as terrorist accomplice countries.
Such a status is unacceptable for most countries, as it has a negative impact on the external banking system. This means that the fight against ransomware is moving from the virtual to the real plane, and this time our own states are against us. The chances of survival, in such a situation, tend to zero.
<…>
Ransomware is a great topic, and by now it has already been fully worked out. Continuing to work in it means risking lives: your own and those of your loved ones. Remember - we are not terrorists.
With our expert skills, we can achieve much more, return the desired conversion rate, and multi-million payments. Together we can do anything! See you soon!"
As an example of law enforcement action, the message cites a criminal case opened in 2024 in Moscow against the creators of the anonymous payment system UAPS and the cryptocurrency exchange Cryptex.

However, a few weeks after the publication of this message, Hunters International returned and is still active today. Researchers suggest that there may have been a split in the group or some kind of deliberate or accidental confusion.
In any case, Group-IB specialists believe that rebranding to World Leaks is still possible, and despite some problems with the site (errors forced the administrators to close the site shortly after its launch), this project is alive, although so far the hackers have not claimed responsibility for any attacks.
World Leaks offers its members access to easy-to-use and difficult-to-detect data theft software, which connects via a proxy to an online control panel for the group's partners.
If Hunters International does abandon the use of ransomware, the group will join its many “colleagues” who have already taken similar steps. Information security experts have long noted a trend towards an increase in the number of criminals abandoning ransomware and preferring pure extortion.
For example, back in 2022, the Karakurt ransomware group abandoned encrypting its victims' data, and a year later, the BianLian hacker group did the same. Since then, new hackers have appeared on the scene who have been exclusively engaged in extortion from the very beginning. One example is the Mad Liberator group, which appeared about a year ago.
At the same time, it cannot be said that ransomware no longer brings profit to its operators. For example, a report from Sophos for 2024 states that the number of ransoms received by attackers related to data recovery increased by 2.6-5 times compared to the previous year.