LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Hunters International

Hunters International / World Leaks: From Hive Successor to Pure Extortion

Hunters International emerged in October 2023 as the direct successor to the FBI-disrupted Hive ransomware operation, inheriting its source code and RaaS infrastructure. By 2025, the group pivoted away from encryption entirely to operate as World Leaks — a data theft and extortion operation without ransomware. This profile covers the evolution, TTPs, victim statistics, and current threat posture.

By Ransomware Tracker ·
Hunters InternationalWorld LeaksHiveransomwaredata extortionSharpRhinoRustdouble extortionRaaShealthcaremanufacturing2026
Threat Level
8/10
Sectors Targeted
healthcare
manufacturing
financial-services
logistics
education
automotive
Ransomware Family
Hunters International

Overview

Hunters International is a ransomware-as-a-service operation that surfaced in October 2023 in the immediate aftermath of the FBI and international law enforcement takedown of the Hive ransomware network. Crucially, Hunters International did not build from scratch: the group obtained Hive’s source code and infrastructure directly from former Hive operators, refactoring it in Rust with improved key management and encryption logic.

By July 2025, the group announced it was dissolving operations and releasing free decryption tools — a claim that was largely a rebrand. The operation continues under the alias World Leaks, having abandoned encryption-based ransomware in favour of data theft and pure extortion. The pivot reflects a broader trend among sophisticated ransomware actors: data exfiltration alone is sufficient leverage, and avoiding the noise and law enforcement attention that accompanies mass encryption extends operational longevity.

Origins: The Hive Inheritance

The FBI disrupted Hive in January 2023 after a seven-month covert infiltration of the group’s infrastructure, during which federal agents provided decryption keys to over 300 current victims and 1,000 previous victims, preventing approximately $130 million in ransom payments. Within nine months, Hunters International appeared with tooling that shared significant code overlap with Hive’s encryptor.

Security researchers at Bitdefender and Group-IB independently assessed that Hunters International acquired Hive source code directly rather than independently developing similar capabilities. The group publicly acknowledged using “improved” Hive code while denying a formal relationship with Hive’s former leadership.

The inheritance gave Hunters International an operational head start: proven ransomware tooling, an existing affiliate recruitment model, and an understanding of Hive’s victim selection and negotiation approaches.

Targeting and Victim Profile

Hunters International has claimed victims in approximately 30 countries, with the United States accounting for the highest concentration. The group’s victim selection is opportunistic rather than narrowly sectoral — they target organisations with demonstrable willingness to pay (sensitive data, operational disruption potential) rather than focusing on a single vertical.

Confirmed sectors include healthcare, manufacturing, financial services, automotive, logistics, and education. Healthcare targeting has been particularly notable given its regulatory sensitivity: victims include hospitals and health systems where data exposure involves patient records protected under HIPAA, creating compounded pressure from both data exposure and regulatory enforcement.

High-profile claimed victims include Tata Technologies (1.4TB of data, 2025) and subsequent targets in the Apple and Tesla supply chains via World Leaks, demonstrating access to enterprise manufacturing and technology sector data.

Technical Profile

Ransomware (pre-World Leaks pivot)

The Hunters International encryptor was developed in Rust, chosen for cross-platform compilation and performance. The Linux variant specifically targeted VMware ESXi hypervisors, consistent with the industry-wide shift toward hypervisor-level encryption that maximises impact per deployment.

Notable characteristics:

  • No file extension appended to encrypted files (unlike many ransomware families that add their own extension)
  • No ransom note embedded in encrypted directories in the initial variant — ransom note delivery was separated from the encryption process
  • Command-line configuration: operators could specify file type inclusion/exclusion lists, target directories, and network share enumeration behaviour at deployment time
  • Key management improvement over Hive: per-file encryption keys are asymmetrically protected, preventing decryption without the attacker’s private key even if the malware binary is analysed

SharpRhino RAT

For initial access and persistence, Hunters International developed and deployed SharpRhino, a Remote Access Trojan written in C#. SharpRhino disguises itself as legitimate tools including network scanning utilities (the documented initial delivery was a fake Angry IP Scanner installer) to target IT and security professionals who are likely to be searching for network diagnostic tools.

SharpRhino capabilities:

  • Persistent backdoor via scheduled task or registry run key
  • Command execution
  • File upload and download
  • Process injection
  • Screenshot capture

Targeting IT and security personnel specifically is a deliberate tactic: those accounts frequently have elevated privileges, access to administrative tools, and knowledge of the environment’s architecture — reducing the lateral movement work required to reach high-value targets.

World Leaks (current operational model)

Under the World Leaks brand, Hunters International has abandoned encryption entirely. The operational model is:

  1. Initial access via phishing, credential stuffing, or exploitation of internet-facing systems
  2. Establish persistence (SharpRhino or other backdoors)
  3. Conduct extensive data exfiltration over days to weeks
  4. Ransom demand based on data exposure threat
  5. Publish data on the World Leaks leak site if demands are unmet

This model reduces the attacker’s operational noise considerably: no encryption event means no mass failure alert, no SOC response triggered by volume-based ransomware detection, and extended dwell time while data is staged for exfiltration. It also eliminates the risk of law enforcement seizing decryption keys — there are no keys to seize.

Initial Access Methods

Hunters International uses a mix of initial access techniques:

  • Phishing and spear-phishing: particularly effective against manufacturing and logistics targets with high email volumes and less-sophisticated phishing training
  • Exploitation of internet-facing vulnerabilities: VPN appliances (Fortinet, Cisco, Palo Alto) and RDP have all appeared in attributed intrusions
  • Credential purchase from Initial Access Brokers: consistent with the M-Trends 2026 finding that prior compromise now accounts for 30% of ransomware initial access
  • Social engineering targeting IT help desks: following the Scattered Spider model documented in the UNC3944 profile

Ransom Demands and Negotiation Behaviour

Hunters International operates a negotiation portal accessible via Tor. Observed ransom demands range from approximately $100,000 to over $2 million, calibrated to the victim’s apparent revenue and data sensitivity. The group publishes a countdown timer on the leak site, with partial data publication occurring before the deadline to demonstrate the credibility of the threat.

The group has demonstrated willingness to negotiate and has accepted payments below initial demands. It has also shown a pattern of re-extortion: victims who pay have reported subsequent contact demanding additional payment for data deletion confirmation — which the group cannot credibly guarantee regardless of payment.

Detection and Mitigation Priorities

Hunters International’s current World Leaks model means the primary detection window is during the data exfiltration phase rather than at encryption. Defenders should:

Monitor large-scale outbound data transfers: exfiltration of gigabytes to cloud storage services (Mega, cloud-based file sharing), particularly from accounts that don’t normally access those services, is the primary behavioural indicator.

Detect SharpRhino persistence mechanisms: look for scheduled tasks or registry run keys pointing to executables in user-writable directories, particularly those whose names mimic legitimate network utilities.

Monitor for large-scale authentication from service accounts: lateral movement toward high-value data repositories (SharePoint, file servers, databases) using service accounts or admin credentials from non-standard workstations.

Implement egress filtering: block outbound connections to file-sharing services at the perimeter unless explicitly required for business function. Restrict outbound connections on ports not required for business operations.

The absence of encryption in the World Leaks model makes recovery faster than traditional ransomware incidents — systems remain operational. But data exposure liability can be more severe, particularly in healthcare and financial services where regulatory notification obligations apply to exfiltration events regardless of whether encryption occurred.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting