Hunters International: A Deep Dive Into The Evolution Of A Stealthy Ransomware Group


The evolution of Hunters International ransomware group showcases the significant shifts in its operational tactics, tools, and strategies over its brief but impactful existence.

Hunters International’s evolution is a reflection of the broader shifts occurring in the cybercrime landscape. Global actions against ransomware groups and increased scrutiny by governments pushed the group to adapt quickly, transitioning from a ransomware-based model to a stealthier, data-centric extortion operation.

Despite its announcement of closing down in late 2024, the group remains active, now under the guise of World Leaks, continuing to operate in a rapidly changing and challenging cybercrime ecosystem.

Severity Level: High

THREAT DETAILS

  1. Early Stages and Emergence
    • The group’s activity was first observed on October 13, 2023, when a UK-based company was listed on its Data Leak Site (DLS). Shortly afterwards, a sample of the first ransomware version was uploaded to VirusTotal from a German IP address.
    • Because of the code overlap, Hunters International was widely suspected to be a rebrand of the Hive ransomware group, which law enforcement had disrupted earlier in 2023. The group denied this: its administrator claimed to have purchased Hive’s source code, including the ransomware and its associated web application.
  2. Ransomware Payload and Functionality
    Payload Characteristics:
    • Written in Rust, inherited from Hive’s later Rust codebase; Go and C++ builds have also been attributed to the group, giving it cross-platform reach.
    • Multi-threaded encryption for speed, using a hybrid scheme that pairs ChaCha20 for bulk file encryption with RSA for protecting the per-victim keys.
    • Target-specific customization: Different builds were compiled per victim environment.
    Operational Features:
    • Command-line execution with parameters for targeted drives/folders.
    • Skips Windows core/system directories so that the host stays bootable and the ransom note can be read.
    • Use of WMI, PowerShell, and native tools for stealthy execution.
  3. Initial Access and Exploitation
    • Phishing emails with malicious attachments (macro-enabled documents or ISO files).
    • Exploitation of known vulnerabilities in internet-facing edge devices, notably:
      CVE-2023-4966 (Citrix Bleed, NetScaler ADC/Gateway session-token leak) – widespread in the group’s later campaigns.
      Weaknesses in Fortinet and SonicWall appliances and in on-premises Microsoft Exchange servers.
  4. Post-Exploitation Activity
    • Credential dumping via Mimikatz and LSASS scraping.
    • Lateral movement using SMB, PsExec, and RDP.
    • Deployment of Cobalt Strike beacons and AnyDesk for persistent access.
    • Use of rclone to stage stolen data to MEGA cloud storage.
    • Files were exfiltrated before encryption to facilitate double extortion.
  5. Rebranding to World Leaks (January 2025)
    Shift to Extortion-Only Attacks: In January 2025, Hunters International rebranded as World Leaks and dropped encryption altogether in favour of pure data exfiltration and extortion. The move follows a broader trend among ransomware operators, for whom encryption now adds noise, downtime that draws law-enforcement attention, and little extra leverage compared with the threat of publishing stolen data.
  6. Affected Regions
    North America, Europe, Asia, Africa, South America, Oceania, Central America, Middle East, The Caribbean.
  7. Affected Sectors
    Real Estate, Health Care, Professional Services, Financial Services, Government, Energy, Science, Education, Natural Resources, Non-profit, Privacy and Security, Design.

Recommendations:

  1. Conduct frequent vulnerability assessments and ensure all systems are patched regularly.
  2. Use DLP solutions to detect and block any unauthorized data exfiltration.
  3. Enforce MFA for all remote access systems (VPN, Citrix/NetScaler, RDP gateways), privileged accounts, and internal systems that hold sensitive data; the Citrix Bleed campaigns show that session-token theft bypasses MFA, so also invalidate existing sessions after patching.
  4. Enforce application allowlisting to block unauthorized executables, such as unsigned PowerShell scripts and lateral movement tools.
  5. Alert on deletion of Volume Shadow Copies (vssadmin delete shadows, wmic shadowcopy delete), a common pre-encryption step used to defeat local recovery.
  6. Conduct frequent phishing simulation tests and mandatory training.
  7. Alert on macro-enabled Office files (e.g., .docm, .xlsm) whose host process spawns child processes such as cmd.exe or powershell.exe.
  8. Flag memory access to lsass.exe by non-standard tools (Sysmon Event ID 10 or equivalent EDR credential-access telemetry).
  9. Monitor for bursts of file writes or renames carrying the .hunters extension.
  10. Flag suspicious process injections between svchost.exe and third-party binaries.
  11. Flag creation of abnormal services with random names or executable paths in AppData.
  12. Block the IOCs from the VirusTotal collection listed under Sources at the relevant controls (EDR, web proxy, firewall, mail gateway).
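The detection items above (shadow-copy deletion, Office-spawned shells, non-standard LSASS access, .hunters bursts, AppData-hosted services) and the rclone-to-MEGA staging described under Post-Exploitation Activity can be exercised together against endpoint telemetry. The block below is an added example written for this editorial pass, not code from Ampcus Cyber, Group-IB or the advisory’s IOC collection. The Sysmon-style field names, the LSASS allowlist, the .hunters burst threshold, the "random service name" heuristic and every sample event are constructed assumptions, not observed data.

```python
"""Detection pass over endpoint telemetry for the Hunters International TTPs
listed in this advisory. Added example, not the advisory's or Group-IB's code.
Events are constructed Sysmon-style dictionaries; field names are assumptions
chosen to mirror Sysmon Event IDs 1 (process create), 10 (process access),
11 (file create) and System 7045 (service install)."""
import re
from collections import Counter

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
# Assumed baseline of processes that legitimately read lsass.exe memory.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "lsass.exe", "taskmgr.exe"}
# Hypothetical tuning: alert once a single process has written this many .hunters files.
EXTENSION_BURST = 3

SHADOW_DELETE_RE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# rclone copy/sync/move to a remote whose configured name contains "mega" (assumed naming).
RCLONE_CLOUD_RE = re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b.*\s\S*mega\S*:", re.I)
APPDATA_RE = re.compile(r"\\appdata\\", re.I)
# Crude "random name" heuristic: 8+ alphanumerics mixing letters and digits, no separators.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, host, detail) tuples for the events that match."""
    alerts = []
    hunters_writes = Counter()
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_create":
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE_RE.search(cmd):
                alerts.append(("shadow_copy_deletion", host, cmd))
            if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
                alerts.append(("office_spawned_shell", host, f"{parent} -> {image}"))
            if RCLONE_CLOUD_RE.search(cmd):
                alerts.append(("rclone_cloud_exfil", host, cmd))
        elif kind == "process_access":
            src = basename(ev["source_image"])
            if basename(ev["target_image"]) == "lsass.exe" and src not in LSASS_ALLOWLIST:
                alerts.append(("lsass_access_nonstandard", host, src))
        elif kind == "file_create":
            if ev["target_filename"].lower().endswith(".hunters"):
                key = (host, basename(ev["image"]))
                hunters_writes[key] += 1
                if hunters_writes[key] == EXTENSION_BURST:  # fire once per writing process
                    alerts.append(("hunters_extension_burst", host, key[1]))
        elif kind == "service_install":
            name, path = ev["service_name"], ev["image_path"]
            if APPDATA_RE.search(path) or RANDOM_NAME_RE.match(name):
                alerts.append(("suspicious_service", host, f"{name} -> {path}"))
    return alerts


# Constructed sample telemetry (not real IOCs): benign noise plus one hit per rule.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "host": "fs02", "image": r"C:\Users\Public\rclone.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'rclone.exe copy "D:\Finance" mega:staging --transfers 8'},
    {"type": "process_create", "host": "fs02", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"type": "process_access", "host": "ws01", "source_image": r"C:\Users\Public\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_access", "host": "ws01",
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    *[{"type": "file_create", "host": "fs02", "image": r"C:\Users\Public\svc.exe",
       "target_filename": rf"D:\Finance\Q3\report{i}.xlsx.hunters"} for i in range(4)],
    {"type": "service_install", "host": "fs02", "service_name": "x7k2m9qp4",
     "image_path": r"C:\Users\jdoe\AppData\Roaming\x7k2m9qp4.exe"},
    {"type": "service_install", "host": "fs02", "service_name": "WinDefend",
     "image_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

Run as a script, the sample set produces exactly six alerts, one per rule, while the benign svchost, Defender and WinDefend events stay silent. The LSASS allowlist and the service-name heuristic are the two rules that need tuning per estate; in production the allowlist would come from a baseline of observed lsass.exe readers rather than the fixed set above.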

SOURCES:

  • https://www.virustotal.com/gui/collection/63ae073664b5868efe80c9e77ae1b9f3f80616519d31fb330a7798530e9e842a/iocs
  • https://www.group-ib.com/blog/hunters-international-ransomware-group/


Ampcus Cyber