Hunters International arrived in October 2023 trailing credible reports that the group had acquired Hive ransomware’s source code — or was, in some configurations, a direct continuation of Hive personnel following the FBI and Europol takedown of Hive’s infrastructure in January 2023. The group denied a direct connection, but the code similarity was documented extensively by researchers at Bitdefender and others: the Rust-based encryptor shared structural characteristics with late-stage Hive variants that were difficult to attribute to independent development.
Whether Hunters International is a Hive successor, a Hive splinter, or a well-resourced new entrant that acquired the code, the operational result was the same — a sophisticated RaaS operation with mature tooling from day one, which accelerated their victim count during a period when other groups were still building infrastructure.
Operational History
The group maintained a conventional double-extortion posture through 2024: encrypt the victim’s environment, exfiltrate data, demand ransom, threaten publication. Their victim count reached into the hundreds across healthcare, manufacturing, financial services, and technology sectors, with a notable concentration in US and UK healthcare that drew regulatory attention.
In late 2024, Hunters International made an announcement that appeared on the surface to be a retirement: they would be winding down ransomware operations and releasing decryptors for victims who had not yet paid. This pattern — announced retirement before a major law enforcement action, or before transitioning to a new operational model — has become common enough in the ransomware ecosystem to be treated with scepticism.
The scepticism proved warranted. By early 2025, activity under the “World Leaks” brand emerged, operated by what researchers assess with moderate-to-high confidence to be the same core team. World Leaks runs a pure data extortion model: breach, exfiltrate, threaten to publish, no encryption component. This shift reflects a broader trend among sophisticated operators — encryption is operationally expensive (it requires developing and maintaining encryptors for Windows, Linux, and VMware), it causes visible disruption that accelerates incident response, and it exposes operators to charges with higher maximum sentences in most jurisdictions than data theft alone.
Technical Profile
Initial Access: Hunters International affiliates have used a diverse initial access toolkit. Documented vectors include:
-
Typosquatting for IT tool delivery: A 2025 campaign distributed malware via a domain mimicking Angry IP Scanner (angryip[.]org), a legitimate network scanning tool used by IT administrators. The fake domain served a trojanized installer that deployed a loader subsequently used to deliver the main payload. This targeting of IT operations staff — who are more likely to download scanning tools and often have elevated privileges — is an increasingly common initial access pattern.
-
Phishing with credential-harvesting lures: Spear-phishing targeting HR, finance, and IT support roles with lures claiming to be HR policy updates, software license notifications, or IT helpdesk communications.
-
RDP brute force and credential reuse: Exposure of RDP on internet-facing systems remains a persistent initial access vector, particularly for smaller healthcare and manufacturing targets with limited perimeter visibility.
Tooling and Lateral Movement: Post-access activity follows established patterns — Mimikatz or similar for credential harvesting, Cobalt Strike or Sliver for C2, living-off-the-land binaries for lateral movement and discovery. Backup enumeration and deletion (VSS shadow copies, Windows Server Backup) is systematic before any encryption or exfiltration phase.
Encryptor: The Rust-based encryptor (used during the encryption-phase operations) appended variable extensions to encrypted files and dropped ransom notes with negotiation instructions. The Rust implementation provides the performance characteristics needed for large environment encryption and complicates signature-based detection compared to C/C++ implementations.
Data Exfiltration: Rclone remains the tool of choice for staging and exfiltrating data to cloud storage. MEGASync has also been observed. Exfiltration targets prioritise databases, financial records, HR data, and patient records — data with high extortion leverage.
Healthcare Targeting: Why It Persists
Hunters International’s healthcare focus aligns with a broader sector targeting rationale that has driven multiple groups to similar choices:
Patient data has asymmetric extortion value — it includes PHI protected under HIPAA in the US, data protection regulations in the UK and EU, and carries reputational harm that executives are highly motivated to prevent. The combination of financial penalty risk (ICO enforcement for UK organisations, OCR penalties for US entities) and patient harm implications creates negotiating leverage that is more reliable than in other sectors.
Healthcare organisations also tend to operate on compressed security budgets relative to their data value, maintain complex OT/IT environments with long-lived systems, and have genuine operational disruption risk (patient care impact) that increases the urgency of resolution — shortening the negotiating timeline in the attacker’s favour.
Current Status: World Leaks Operations
Under the World Leaks brand, the pure extortion model has shifted the operational risk calculation. Without the encryption component, victims face data exposure risk rather than operational disruption. Organisations that have robust encrypted backups and tested recovery procedures — which would mitigate the impact of encryption-based attacks — must now focus on whether their data exfiltration detection and response capabilities are equally mature.
Detection and Response Considerations
For organisations in healthcare, manufacturing, and financial services:
- Monitor for Rclone execution on file servers and systems with broad data access. Rclone is rarely legitimately used in these environments; any execution should be investigated immediately.
- Alert on large outbound data transfers to cloud storage providers (MEGA, Backblaze, Wasabi). Baseline your normal egress patterns and alert on deviations.
- Monitor for typosquatting domains in DNS query logs related to commonly used IT tools — scanner utilities, remote management tools, helpdesk software.
- RDP exposure audit: any internet-exposed RDP represents initial access risk. Enforce VPN-only access or deploy network-level authentication.
World Leaks leak site monitoring should be included in your threat intelligence programme. Publication of victim data appears on the leak site before most victims receive notification of their own breach through other channels — early detection allows for faster response and regulatory notification within required windows.