Hunters International Ransomware Gang Rebrands as World Leaks

Hunters International ransomware gang closes after 55 confirmed and 199 unconfirmed cyberattacks. Read about its rebrand to World Leaks and its impact on healthcare and businesses.

The prominent ransomware-as-a-service (RaaS) group Hunters International has officially declared its shutdown, effective today, July 4, 2025. Active for approximately two years, and speculated to be a revival of or successor to the notorious Hive ransomware operation (dismantled by global law enforcement in January 2023 after extorting over $100 million), Hunters International gained notoriety for its double extortion tactics.

This involved both encrypting victim data and stealing it for public release if a ransom wasn’t paid. However, security researchers have indicated that this closure is less a retirement and more a strategic pivot, with the group already operating under a new name: World Leaks.

Comparitech researchers have investigated and confirmed 55 ransomware attacks claimed by Hunters International, with an additional 199 unconfirmed claims. These confirmed breaches resulted in the compromise of at least 3.25 million personal records.

The healthcare sector was particularly hard hit, accounting for 2.9 million of those compromised records across 19 attacks on hospitals and clinics. Businesses saw 55 confirmed attacks, with manufacturers being the most frequent target (12 attacks). Government entities and schools also fell victim, with 16 and 2 confirmed attacks, respectively.

Hunters International rarely made its ransom demands public. However, two notable instances emerged: Hoya Corporation in Japan was hit with a $10 million demand in March 2024, and Azienda USL di Modena in Italy refused to pay a $3 million ransom in November 2023.

Some of the largest data breaches attributed to Hunters International in the US include Fred Hutchinson Cancer Centre (1,840,927 people affected in November 2023), Omni Family Health (468,344 people in August 2024), and Arisa Health (375,436 people in March 2024). In a daring move, Hunters even contacted individual patients from Fred Hutchinson Cancer Centre, demanding $50 to delete their stolen data.

Forescout reports that this RaaS operation claimed 24 victim organizations in November 2024 alone, an average of one per day (10 in the US, 2 in the UK, 7 in the EU, 3 in South America, and 2 in Asia).

Threat intelligence firm Group-IB reported in April 2025 that Hunters International was in the process of rebranding to World Leaks. This new operation focuses solely on data theft and extortion, abandoning the encryption aspect of traditional ransomware.

Rebecca Moody, Head of Data Research at Comparitech, commented on this shift, suggesting it’s not a change of heart but rather a move towards a “potentially more lucrative” revenue stream in data theft. She noted that World Leaks is “not a ransomware gang” as the “ware” (encryption) is critically missing from their attacks.

World Leaks has already claimed responsibility for 33 attacks, including on Chain IQ (Switzerland) and Freedom Healthcare in Colorado. In a surprising development, Hunters International has stated it will offer free decryption software to companies that were infected by its ransomware but have not yet paid a ransom.

However, Moody believes many victims will have already restored their systems, rendering the offer largely symbolic given the group’s inactivity in new encryption attacks since May 2025. Nonetheless, this transition marks a significant evolution in the cybercrime community, with data extortion becoming an increasingly prevalent and targeted threat.

HackRead
