Ransomware Group “Hunters International” Shuts Down, Offers Decryption Keys to Victims

In an unusual move, the ransomware group Hunters International has announced it is shutting down operations and offering decryption keys to all of its previous victims.

The announcement came Thursday morning via the gang’s dark web site, which has since been wiped of all leaked data. In their final message, the group stated:

“After careful consideration and in light of recent developments, we have decided to close the Hunters International project.”

No specific reasons were given, though the group has previously described ransomware as increasingly risky, unprofitable, and under global pressure due to growing legal and political consequences.

Back in April, the group admitted ransomware was becoming unsustainable, citing mounting enforcement pressure and the global trend of equating ransomware activity with terrorism. In their own words:

“The fight against ransomware is moving from the virtual to the real plane… Our chances of survival tend to be zero.”

Decryption Keys Offered — But Not Publicly

As a parting gesture, Hunters International says it will provide decryption tools to past victims who request them. These tools are not available publicly. Victims are instructed to visit the group’s site (still accessible at the time of publication) to request access directly.

While rare, this isn’t unprecedented. Groups like Avaddon did the same in 2021 before rebranding and resurfacing under new names.

Experts: Don’t Trust the Farewell Message

Despite the professional tone of the statement, cybersecurity researchers remain skeptical. Analysts at Group-IB previously predicted that Hunters would rebrand into a new operation called World Leaks, which now appears to be active.

World Leaks operates under a different model: data extortion without encryption. Instead of locking victims’ files, the group steals sensitive data and demands payment under the threat of public exposure.

Its dark web site mirrors Hunters International in both structure and presentation, and currently lists more than 30 victims. In May, World Leaks even launched a media outreach campaign, inviting journalists to subscribe to early access alerts for upcoming leaks.

Legacy of Damage

Hunters International leaves behind a trail of high-impact attacks. The group was responsible for:

• Leaking pre-op images from a U.S. plastic surgery clinic
• Attacks on Tata Technologies and ICBC London
• Numerous healthcare and enterprise breaches across North America and Europe

While the group may be “retiring,” its tactics and infrastructure are likely being repurposed under a new name, as has been the pattern in past shutdowns.

Bottom Line

This so-called shutdown is likely a strategic shift, not a real exit. Rebranding, pivoting to pure extortion, or simply consolidating operations under a new banner — these are common plays in the ransomware ecosystem.

If you’re a past victim of Hunters International, consult with your response team before engaging with any entity offering decryptors.

This is not the end of the threat. It’s just another chapter.

Stay updated. Stay alert. And never take a ransomware gang at their word.