Overview
Hunters International is a ransomware-as-a-service operation that surfaced in October 2023 in the immediate aftermath of the FBI and international law enforcement takedown of the Hive ransomware network. Crucially, Hunters International did not build from scratch: the group obtained Hive’s source code and infrastructure directly from former Hive operators, refactoring it in Rust with improved key management and encryption logic.
By July 2025, the group announced it was dissolving operations and releasing free decryption tools — a claim that was largely a rebrand. The operation continues under the alias World Leaks, having abandoned encryption-based ransomware in favour of data theft and pure extortion. The pivot reflects a broader trend among sophisticated ransomware actors: data exfiltration alone is sufficient leverage, and avoiding the noise and law enforcement attention that accompanies mass encryption extends operational longevity.
Origins: The Hive Inheritance
The FBI disrupted Hive in January 2023 after a seven-month covert infiltration of the group’s infrastructure, during which federal agents provided decryption keys to over 300 current victims and 1,000 previous victims, preventing approximately $130 million in ransom payments. Within nine months, Hunters International appeared with tooling that shared significant code overlap with Hive’s encryptor.
Security researchers at Bitdefender and Group-IB independently assessed that Hunters International acquired Hive source code directly rather than independently developing similar capabilities. The group publicly acknowledged using “improved” Hive code while denying a formal relationship with Hive’s former leadership.
The inheritance gave Hunters International an operational head start: proven ransomware tooling, an existing affiliate recruitment model, and an understanding of Hive’s victim selection and negotiation approaches.
Targeting and Victim Profile
Hunters International has claimed victims in approximately 30 countries, with the United States accounting for the highest concentration. The group’s victim selection is opportunistic rather than narrowly sectoral — they target organisations with demonstrable willingness to pay (sensitive data, operational disruption potential) rather than focusing on a single vertical.
Confirmed sectors include healthcare, manufacturing, financial services, automotive, logistics, and education. Healthcare targeting has been particularly notable given its regulatory sensitivity: victims include hospitals and health systems where data exposure involves patient records protected under HIPAA, creating compounded pressure from both data exposure and regulatory enforcement.
High-profile claimed victims include Tata Technologies (1.4TB of data, 2025) and subsequent targets in the Apple and Tesla supply chains via World Leaks, demonstrating access to enterprise manufacturing and technology sector data.
Technical Profile
Ransomware (pre-World Leaks pivot)
The Hunters International encryptor was developed in Rust, chosen for cross-platform compilation and performance. The Linux variant specifically targeted VMware ESXi hypervisors, consistent with the industry-wide shift toward hypervisor-level encryption that maximises impact per deployment.
Notable characteristics:
- No file extension appended to encrypted files (unlike many ransomware families that add their own extension)
- No ransom note embedded in encrypted directories in the initial variant — ransom note delivery was separated from the encryption process
- Command-line configuration: operators could specify file type inclusion/exclusion lists, target directories, and network share enumeration behaviour at deployment time
- Key management improvement over Hive: per-file encryption keys are asymmetrically protected, preventing decryption without the attacker’s private key even if the malware binary is analysed
SharpRhino RAT
For initial access and persistence, Hunters International developed and deployed SharpRhino, a Remote Access Trojan written in C#. SharpRhino disguises itself as legitimate tools including network scanning utilities (the documented initial delivery was a fake Angry IP Scanner installer) to target IT and security professionals who are likely to be searching for network diagnostic tools.
SharpRhino capabilities:
- Persistent backdoor via scheduled task or registry run key
- Command execution
- File upload and download
- Process injection
- Screenshot capture
Targeting IT and security personnel specifically is a deliberate tactic: those accounts frequently have elevated privileges, access to administrative tools, and knowledge of the environment’s architecture — reducing the lateral movement work required to reach high-value targets.
World Leaks (current operational model)
Under the World Leaks brand, Hunters International has abandoned encryption entirely. The operational model is:
- Initial access via phishing, credential stuffing, or exploitation of internet-facing systems
- Establish persistence (SharpRhino or other backdoors)
- Conduct extensive data exfiltration over days to weeks
- Ransom demand based on data exposure threat
- Publish data on the World Leaks leak site if demands are unmet
This model reduces the attacker’s operational noise considerably: no encryption event means no mass failure alert, no SOC response triggered by volume-based ransomware detection, and extended dwell time while data is staged for exfiltration. It also eliminates the risk of law enforcement seizing decryption keys — there are no keys to seize.
Initial Access Methods
Hunters International uses a mix of initial access techniques:
- Phishing and spear-phishing: particularly effective against manufacturing and logistics targets with high email volumes and less-sophisticated phishing training
- Exploitation of internet-facing vulnerabilities: VPN appliances (Fortinet, Cisco, Palo Alto) and RDP have all appeared in attributed intrusions
- Credential purchase from Initial Access Brokers: consistent with the M-Trends 2026 finding that prior compromise now accounts for 30% of ransomware initial access
- Social engineering targeting IT help desks: following the Scattered Spider model documented in the UNC3944 profile
Ransom Demands and Negotiation Behaviour
Hunters International operates a negotiation portal accessible via Tor. Observed ransom demands range from approximately $100,000 to over $2 million, calibrated to the victim’s apparent revenue and data sensitivity. The group publishes a countdown timer on the leak site, with partial data publication occurring before the deadline to demonstrate the credibility of the threat.
The group has demonstrated willingness to negotiate and has accepted payments below initial demands. It has also shown a pattern of re-extortion: victims who pay have reported subsequent contact demanding additional payment for data deletion confirmation — which the group cannot credibly guarantee regardless of payment.
Detection and Mitigation Priorities
Hunters International’s current World Leaks model means the primary detection window is during the data exfiltration phase rather than at encryption. Defenders should:
Monitor large-scale outbound data transfers: exfiltration of gigabytes to cloud storage services (Mega, cloud-based file sharing), particularly from accounts that don’t normally access those services, is the primary behavioural indicator.
Detect SharpRhino persistence mechanisms: look for scheduled tasks or registry run keys pointing to executables in user-writable directories, particularly those whose names mimic legitimate network utilities.
Monitor for large-scale authentication from service accounts: lateral movement toward high-value data repositories (SharePoint, file servers, databases) using service accounts or admin credentials from non-standard workstations.
Implement egress filtering: block outbound connections to file-sharing services at the perimeter unless explicitly required for business function. Restrict outbound connections on ports not required for business operations.
The absence of encryption in the World Leaks model makes recovery faster than traditional ransomware incidents — systems remain operational. But data exposure liability can be more severe, particularly in healthcare and financial services where regulatory notification obligations apply to exfiltration events regardless of whether encryption occurred.