One of the biggest ransomware gangs around is shutting down - but is it for good?


  • Hunters International struck many private and public entities, including Tata and Telecom Namibia
  • The group says it is disbanding "in light of recent events"
  • It even released decryption keys for their victims

A major ransomware operation has announced a complete shutdown and the public release of decryption keys - however, some are skeptical that this is the last we’ve seen of this particular group.

The operators, known as Hunters International, published a short announcement on their dark web site notifying their followers, affiliates, and the wider cybercriminal community that they will no longer operate.

“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the announcement reads. “This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with.”


Callback phishing

While the group mentions “recent developments”, it doesn’t elaborate, so we don’t know whether this means its infrastructure was seized by law enforcement, or the operators simply extorted enough money to call it quits.

TechCrunch, on the other hand, believes there could be a third option - a smoke-and-mirrors effort to throw the police off. Discussing the matter with Recorded Future threat intelligence analyst Allan Liska, TechCrunch learned the group might be rebranding to World Leaks.

“I think this is more of a ‘cutting of ties’ with the old infrastructure,” Liska told the publication. This wouldn’t be the first group that rebranded to try and hide their tracks.

After the Colonial Pipeline attack, DarkSide rebranded into BlackMatter, and later Alphv/BlackCat, while REvil (Sodinokibi) was preceded by GandCrab.

As for releasing decryption keys, while commendable, it doesn’t cost the attackers much, Liska argues. These are mostly older victims who had no intention of paying anyway, so the group lost nothing by releasing them.

“As far as releasing decryption keys, at this point they aren’t likely to make any money from any Hunters’ victims who are still out there, so they probably see it as a gesture that doesn’t really cost them anything,” Liska concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
