Hunters International Ransomware

Download 10+ pages of Hunters International's latest criminal behaviors, previous industry and geographic targets, exploited vulnerabilities, criminal associations, and MITRE ATT&CK mappings.


About This Threat Profile

First Identified: 2023

Threat Type:
Operated as a ransomware-as-a-service (RaaS) until late 2024 when the group announced they would operate as an extortion-only group.

Extortion method:
Double extortion until late 2024 when the group announced a switch to extortion-only attacks.

Most frequently targeted industry: Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, exploit external remote services, drive-by compromise, exploit public-facing application, social engineering (MITRE ATT&CK: T1078, T1133, T1189, T1190, T1566)
    • Persistence
      • Create or modify system process, boot or logon autostart execution (MITRE ATT&CK: T1543, T1547)
    • Lateral Movement
      • Remote services, lateral tool transfer (MITRE ATT&CK: T1021, T1570)

Description of Hunters International Ransomware

Hunters International ransomware was first reported in October 2023 and operated under the double extortion method, in which victim data is stolen and then leaked via a data leak site if the ransom demand is not paid; however, the group has reportedly since dropped the encryption portion of its operation.

In November 2024, the Hunters International operators released an internal note to their partners that appeared to be a farewell letter. The statement indicated that the ransomware business has become too risky and unprofitable due to government attention and interruptions caused by ongoing geopolitics. However, a few weeks later, the administrator posted another notice that the group would be returning, and the group is still active as of March 2025.

Researchers report that Hunters International and Hive ransomware have multiple code overlaps and similarities, with at least a 60% match between two sets of code. Additionally, researchers have reported that affiliates and operators refer to Hunters International as хайв (Hive in Russian) and they have claimed that they were contacted by the Hunters International administrator using the same instant messaging account associated with Hive. However, Hunters International operators have claimed via their data leak site that they purchased the code and are not a rebrand.

For encryption, Hunters International embedded the encryption key within the encrypted files using a combination of ChaCha20-Poly1305 and RSA-OAEP. Hunters International does not always encrypt a victim's environment, sometimes opting for exfiltration and extortion instead. It is not known what factors contributed to the decision to encrypt or not to encrypt.

Hunters International is written in Rust and targets both Windows and Linux environments for data encryption and exfiltration. When encryption was used, the variant added a “.LOCKED” or “.lock” extension to the encrypted files on a victim machine. Once the threat actors gain initial access, the ransomware attempts to kill processes and services, then executes commands to delete backups and disable recovery mechanisms. It then iterates through local and mapped drives, as well as shared drives discovered on the local network through the NetServerEnum and NetShareEnum APIs, encrypting the files it finds.

In late 2024, Hunters International released a statement via their affiliate panel that no more ransom notes would be dropped and that file extensions would no longer be changed. The group's reasoning was that a ransom payment is more likely when only the CEO and key staff members are notified rather than ransom notes being dropped everywhere, indicating the belief that the more people know, the less likely a ransom payment will be made.

In February 2024, security researchers identified that the domain “huntersinternational[.]org” had been a legitimate, active domain from 2017 to 2021 before being deactivated. The threat actors reactivated the domain in January 2024 to launch the data leak site. The Hunters International group used the fake identity “Mihail Kolesnikov” to register the domain; this same name has previously been observed on Rilide Infostealer and Snatch ransomware phishing domains.

In March 2024, a Hunters International administrator announced a service offered to affiliates for 10% of the ransom payment: an in-depth OSINT analysis of the targeted company, including all “managers, responsible persons, and their close relatives.”

In 2024, security researchers with Quorum Cyber reported a Hunters International custom backdoor, SharpRhino. SharpRhino reportedly carried a valid code-signing certificate and masqueraded as the legitimate tool AngryIP. SharpRhino is an NSIS (Nullsoft Scriptable Install System) packed executable.

Unlike other ransomware variants, Hunters International does not store stolen data on its own infrastructure. The group reportedly maintains a tool, Software Storage, that sends information about the files to the Hunters International server. Once a victim pays the ransom, they are reportedly given access to the disclosures configured by the affiliate, where they can download and delete the data via an integrated file manager.

While the group has remained active, the operators released a project titled “World Leaks” in January 2025 but took it down after identifying vulnerabilities in the infrastructure. Rather than operate in the double extortion method, the operation reportedly shifted to extortion-only attacks by using the Storage Software tool.

The data leak site for World Leaks is reportedly set to launch later this year; however, in the meantime, the Hunters International site has remained accessible.

Date published: October 11, 2024
Author: Blackpoint Cyber
