Hunters International
Emerged in October 2023 with code showing approximately 60% overlap with the FBI-dismantled Hive ransomware — operators deny a rebrand, claiming they purchased the source code. Within a year it became one of the most active RaaS operations globally, claiming 280+ attacks across 30+ countries and ranking tenth among the most active ransomware groups in 2024. Notable for its cross-platform Rust-based encryptor, a custom RAT (SharpRhino) delivered via typosquatting, and a declared prohibition on targeting CIS countries consistent with Russian-speaking operator origin. Officially announced shutdown on July 4, 2025, releasing free decryptors, while simultaneously transitioning to World Leaks — an extortion-only operation focused entirely on data theft without encryption.
Overview
Hunters International is a Ransomware-as-a-Service operation that emerged in October 2023, almost immediately after the FBI's January 2023 infiltration and dismantling of the Hive ransomware infrastructure. Technical analysis by Bitdefender, AttackIQ, and others established approximately 60% code overlap between Hunters International's encryptor and Hive ransomware version 6.1 — the most recent Hive variant before the law enforcement operation. The operator publicly claimed to have purchased Hive's source code rather than being a direct rebrand, asserting they identified and fixed encryption bugs that had caused decryption failures in Hive operations. Regardless of the precise relationship, the technical heritage is substantial enough that researchers and affiliates used the Russian word for Hive — хайв — when referring to Hunters International internally.
Despite the inherited codebase, Hunters International is not a simple copy of Hive. The operators rewrote the encryptor in Rust — the same programming language adopted by sophisticated ransomware families like BlackCat/ALPHV — which provides superior cross-platform performance, resistance to reverse engineering, and native multi-threading that accelerates encryption. The Rust-based payload supports Windows, Linux, FreeBSD, SunOS, and VMware ESXi, across x64, x86, and ARM architectures, giving affiliates broader platform coverage than many competing RaaS operations. The operator streamlined Hive's command-line options and optimized encryption key management, embedding encryption keys within the encrypted files themselves — a design that simplifies the decryption process for victims who pay while complicating forensic analysis.
From launch, Hunters International expanded rapidly. The group claimed 134 attacks in the first seven months of 2024 alone, ranking as the tenth most active ransomware group globally. The operation maintained an explicit prohibition on targeting organizations in CIS countries — a restriction common among Russian-speaking criminal groups and noted by researchers as additional evidence of Russian-affiliated operator origin, though no formal attribution has been confirmed. Group-IB reported that some affiliates and operators referred to the group using the Russian word for Hive, and that the same instant messaging account previously associated with Hive administrators was used to contact researchers about Hunters International.
On November 17, 2024, Hunters International's operators released an internal "farewell letter" to affiliates announcing the project would close, citing declining ransomware profitability and increased government scrutiny. Weeks later, they reversed the announcement, resumed operations, and simultaneously launched a new extortion-only project called World Leaks on January 1, 2025. World Leaks abandoned ransomware encryption entirely, pivoting to pure data theft and extortion using a custom-built exfiltration tool derived from the Storage Software utility Hunters affiliates had previously used. The formal Hunters International shutdown was announced on July 4, 2025, with operators releasing free decryptors and deleting all victim data from the leak site. Analysts at Group-IB, KnowBe4, and Bitdefender assessed this as a rebranding rather than a genuine cessation of criminal activity, noting that World Leaks was already active and operational before the Hunters International shutdown announcement.
Target Profile
Hunters International operated as an opportunistic threat actor without declared sector-specific targeting preferences. The group's victim profile is broad, reflecting the RaaS model's dependence on affiliate discretion for target selection. The single consistent restriction was a prohibition on targeting CIS-region organizations.
- Business Services: The largest victim category (58 organizations per Ransomware.live data), spanning professional services firms, consultancies, and business process organizations — targets valued for the sensitivity of client data they hold.
- Manufacturing: The second largest category (42 organizations), including Tata Technologies, an Indian engineering company, and other industrial manufacturers. Manufacturing organizations are targeted for their operational dependence on IT systems and sensitivity to production disruption.
- Healthcare: 26 confirmed healthcare victims, including Integris Health (Oklahoma's largest nonprofit health network), Fred Hutch Cancer Center (800,000 patient records threatened), and multiple hospitals and clinics. Healthcare's reliance on patient data and operational continuity makes it a consistently high-value extortion target across ransomware groups.
- Technology: 34 technology-sector victims, including US Navy contractor Austal USA and Japanese optics manufacturer Hoya Corporation — targets valued for proprietary technical data and intellectual property.
- Financial Services: Targeted the London subsidiary of Industrial and Commercial Bank of China (ICBC) in September 2024 — a high-profile attack on a major state-owned financial institution.
- Government: The US Marshals Service was among disclosed victims, demonstrating willingness to target US federal law enforcement agencies. The City of St. Cloud, Florida, was also claimed as a victim.
- Geographic Concentration: The United States accounted for 150 of 307 claimed victims. Canada (15), France (12), and Germany (9) rounded out the top five target countries. The group maintained an explicit no-attack policy for CIS countries — though Group-IB's research documented that this rule was not strictly enforced, with some CIS organizations appearing in data leaks.
Tactics, Techniques & Procedures
Hunters International TTPs vary by affiliate given the RaaS structure. The core operator developed and maintained the ransomware payload and SharpRhino RAT. Initial access methods differ across intrusions but several patterns are consistently documented.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.002 | Spearphishing Link / Typosquatting | SharpRhino was distributed through a fake website typosquatting the legitimate Angry IP Scanner tool (ipscan.net). The malicious site delivered a digitally signed 32-bit installer (ipscan-3.9.1-setup.exe) containing a self-extracting password-protected 7-Zip archive. IT administrators and network engineers were the primary targets, given their typical use of IP scanning tools. Distribution via fake Advanced IP Scanner sites was also observed in January 2024. |
| T1190 | Exploit Public-Facing Application | Affiliates exploited documented vulnerabilities for initial access. A February 2025 eSentire-investigated incident documented initial access via CVE-2024-55591, an authentication bypass vulnerability in FortiOS and FortiProxy that allowed creation of a super-admin account. Additional credential dumping and persistence techniques were layered after the initial Fortinet exploitation. |
| T1219 | Remote Access Software | SharpRhino functions as a persistent Remote Access Trojan that establishes attacker connectivity to the compromised host post-installation. On execution it installs itself with elevated privileges, establishes persistence, and provides the operator with remote access used to progress the attack through lateral movement and ransomware staging phases. |
| T1078 | Valid Accounts | Affiliates leveraged RDP with compromised credentials for lateral movement across victim networks after establishing initial access. The February 2025 incident documented the creation of a new VPN user account following the Fortinet exploit, which was then used to access internal resources via RDP. |
| T1486 | Data Encrypted for Impact | The Rust-based encryptor targets files on local and mapped drives, as well as network shares discovered via NetServerEnum and NetShareEnum APIs. Files are encrypted with encryption keys embedded within the encrypted files themselves — a Hunters-specific implementation that simplifies victim decryption while complicating forensic key recovery. Encrypted files receive a .LOCKED or .lock extension. Ransom notes (Contact Us.txt) are dropped in target directories. |
| T1490 | Inhibit System Recovery | Prior to encryption, the ransomware kills processes and services on the victim system, then executes commands to delete backups and disable Windows recovery mechanisms, preventing file restoration through built-in OS tools. Volume Shadow Copy deletion is a standard pre-encryption step. |
| T1048 | Exfiltration / Storage Software | Hunters International maintains a custom tool called Storage Software for data exfiltration. Unlike many ransomware operations that store stolen data on their own infrastructure, Hunters International's model sends information about files to the group's server without hosting the data directly. Victims who pay ransom are granted access to an integrated file manager to download and delete their data. Rclone was also used for cloud-based exfiltration, observed in the eSentire-investigated 2025 incident. |
| T1562.001 | Impair Defenses | In late 2024, the group released an internal statement to affiliates announcing that ransom notes would no longer be dropped and file extensions would no longer be changed during encryption — a deliberate operational security shift. The stated reasoning was that limiting visible indicators of compromise and communicating directly with CEO-level staff rather than broadcasting ransom notes to all employees increased the probability of ransom payment. This decision reflects an understanding that wide visibility of a ransomware attack increases the likelihood of law enforcement engagement. |
| T1071 | Tor / Encrypted C2 | Hunters International uses Tor proxies and TLS network communication for C2 and victim communication channels. The group's negotiation and leak portals are Tor-hosted. SharpRhino establishes encrypted C2 communication for operator remote access. The group also provides affiliates with an OSINT service for victim profiling, enabling targeted extortion through email, phone, and social media channels to increase payment pressure. |
Known Campaigns
Notable confirmed or confidently attributed intrusions and campaign clusters across Hunters International's operational period.
Hunters International's first victims were posted to its leak site beginning October 20, 2023 — within days of the operation's launch. Among the earliest confirmed victims was a US plastic surgeon's clinic with a Beverly Hills office. The group's rapid early activity, combined with the Hive code overlap identified by Bitdefender and others within weeks of launch, generated immediate attention from the research community. A UK primary school was also among early disclosed victims, illustrating the group's willingness to target organizations across sectors without ethical filters on target selection.
Hunters International breached Fred Hutchinson Cancer Center in Seattle, Washington, threatening to leak the stolen data of over 800,000 cancer patients unless a ransom was paid. The attack generated significant public attention and criticism, as the targeting of a cancer research institution threatened patients who had already shared highly sensitive medical information under vulnerable circumstances. The attack demonstrated the group's willingness to target healthcare organizations providing critical patient care regardless of the human impact of the extortion threat.
Hunters International attacked Japanese optics giant Hoya Corporation — a manufacturer of optical lenses, semiconductor components, and medical devices. The breach affected production systems and IT infrastructure. The group demanded a $10 million ransom and threatened to release 1.7 million proprietary files. Hoya confirmed the cyberattack and its operational impact in public statements. The attack demonstrated the group's capability to hit large multinational industrial targets and its willingness to demand high ransoms from major corporations.
Quorum Cyber's incident response team identified a new custom RAT named SharpRhino during a Hunters International investigation in 2024 — the first documented use of the tool. SharpRhino was delivered via a typosquatting domain impersonating Angry IP Scanner, specifically targeting IT administrators and network engineers who use IP scanning tools in their work. The signed installer deployed a C# RAT with novel privilege escalation techniques, establishing persistent remote access that was then used for lateral movement and eventual ransomware deployment. The campaign was notable for its deliberate selection of IT workers as entry points, recognizing that compromising administrators provides broader network access than compromising standard employees.
In September 2024, Hunters International claimed attacks on two significant targets simultaneously: the London subsidiary of Industrial and Commercial Bank of China (ICBC), a Chinese state-owned bank and one of the world's largest financial institutions, and AutoCanada, a major North American automobile dealership group. The ICBC London attack demonstrated willingness to target the overseas subsidiaries of major state-owned financial institutions. In November 2024 alone the group claimed 24 victim organizations — nearly one per day — its most active period on record.
Tata Technologies, a subsidiary of Tata Group and a major engineering and technology services company, was claimed as a Hunters International victim in March 2025 — one of the last significant attacks before the group's final known victim posting in May 2025. India is not a CIS member, so the attack fell within the group's declared scope; Group-IB separately documented that even the CIS restriction was not consistently enforced, with some CIS organizations appearing in leaked data.
On November 17, 2024, Hunters International sent a farewell letter to affiliates citing declining profitability and government pressure. Weeks later, the shutdown was reversed. On January 1, 2025, operators launched World Leaks — an extortion-only operation using a custom exfiltration tool derived from Hunters International's Storage Software utility, with no encryption component. World Leaks was active as of May 2025 and claimed 31+ victims including organizations in the US and Europe. Hunters International posted its last known victims on May 27, 2025, and formally announced shutdown on July 4, 2025, releasing free decryptors and deleting all victim data from the leak site — a rare gesture in the ransomware ecosystem, with the only comparable precedent being Avaddon in 2021.
Tools & Malware
Core tooling developed and maintained by the Hunters International operators, deployed across affiliate intrusions.
- Hunters International Ransomware (Rust-based encryptor): A multi-platform encryptor written in Rust, supporting Windows, Linux, FreeBSD, SunOS, and VMware ESXi on x64, x86, and ARM architectures. Derived from Hive ransomware version 6.1 with approximately 60% code overlap. Key improvements over Hive include simplified command-line options, optimized key management, and embedding of encryption keys within the encrypted files. Appends .LOCKED or .lock extensions to encrypted files. Multi-threaded encryption using Rust's native concurrency. In late 2024, operators instructed affiliates to stop dropping ransom notes and changing file extensions to reduce victim awareness of the attack during the early extortion window.
- SharpRhino: A C# Remote Access Trojan (RAT) developed by Hunters International, first identified by Quorum Cyber in 2024. Named SharpRhino due to its C# language basis and identified links to the ThunderShell (Parcel RAT / SMOKEDHAM) malware family. Delivered via typosquatting domains impersonating Angry IP Scanner. The signed installer (ipscan-3.9.1-setup.exe) is an NSIS-packed executable containing a self-extracting 7-Zip archive. On execution, SharpRhino establishes persistence, performs privilege escalation using novel techniques, and provides the operator with persistent remote access for staging subsequent attack phases.
- Storage Software (custom exfiltration tool): A bespoke data exfiltration utility unique to the Hunters International ecosystem. Unlike competing groups that store stolen data on operator-controlled servers, Storage Software sends file metadata and content references to Hunters International's infrastructure without the data itself being hosted by the operator. Victims who pay ransom access an integrated file manager portal to download and delete their data. An enhanced version of this tool became the foundation for the World Leaks operation's encryption-free extortion model.
- Rclone: An open-source cloud sync utility used by some affiliates for bulk data exfiltration to attacker-controlled cloud storage infrastructure prior to ransomware deployment. Observed in the eSentire-investigated February 2025 incident alongside WinSCP as alternative exfiltration vectors.
- Cobalt Strike / Sliver: Post-exploitation C2 frameworks used by affiliates for lateral movement and hands-on-keyboard operations during the reconnaissance and staging phases between initial access and ransomware deployment.
Indicators of Compromise
Technical indicators from public research disclosures. Given the group's shutdown and transition to World Leaks, Hunters International-specific infrastructure IOCs are likely burned or decommissioned. Behavioral and tool-based indicators remain relevant for hunting historical compromises.
With the July 4, 2025 shutdown and the successor operation World Leaks running on separate infrastructure, network IOCs specific to Hunters International have little remaining hunting value. Organizations that experienced a Hunters International compromise should verify that Storage Software and SharpRhino persistence mechanisms have been fully remediated: both tools were designed to survive standard ransomware incident response and may have maintained access beyond the initial encryption event.
Mitigation & Defense
Recommended defensive controls informed by Hunters International's documented TTPs and affiliate attack patterns. World Leaks, the successor operation, should be considered an active threat for organizations in the same target profile.
- Block Typosquatting Tool Domains: SharpRhino was distributed through a fake Angry IP Scanner site. Implement DNS filtering and browser-based URL verification for any IT tooling downloads. Require that IT tools are downloaded only from official vendor domains and software repositories, verified against known-good hashes. Employees specifically in IT and network administration roles should be trained to verify tool authenticity before installation — the SharpRhino campaign specifically targeted administrators, not general users.
- Patch Fortinet and Edge Devices on Critical Timelines: CVE-2024-55591 was exploited for initial access in at least one 2025 Hunters International attack. Edge devices — VPNs, firewalls, load balancers — are high-value initial access targets for RaaS affiliates. Patch these devices within 24 hours of critical vulnerability disclosure and restrict administrative interface exposure to internal networks only.
- Monitor for SharpRhino Installation Patterns: SharpRhino arrives as a signed NSIS installer appearing as IP scanning software. Monitor for unexpected installer executions that match IT tool names (ipscan-*.exe) but are not sourced from official repositories. NSIS installers deploying self-extracting password-protected archives are an indicator pattern worth alerting on in controlled environments. Quorum Cyber published a MITRE ATT&CK mapping and IOCs for SharpRhino in their research.
- Segment and Monitor Storage Software Behavior: The Storage Software exfiltration tool communicates file information to Hunters International infrastructure. Implement data loss prevention (DLP) controls and monitor for large-scale file enumeration activity across internal networks — particularly processes that systematically access network shares through NetServerEnum and NetShareEnum API calls, which are consistent with both Storage Software activity and pre-encryption reconnaissance.
- Protect ESXi Hypervisor Management Interfaces: The Hunters International encryptor's ESXi-targeting capability makes hypervisor management planes critical protection points. Restrict ESXi management interface access to dedicated management networks, require MFA for all ESXi administrative sessions, and monitor for unexpected esxcli process execution — particularly the force-kill command pattern used by ESXi ransomware variants.
- Immutable Backup and Recovery Testing: The ransomware deletes Volume Shadow Copies and disables Windows recovery before encrypting. Maintain tested, offline backups that ransomware running on compromised endpoints cannot reach or modify. Regularly test restoration procedures — documented ransom demands from Hunters International ranged from hundreds of thousands to $10 million, making backup-based recovery the only reliable alternative to payment.
- Monitor World Leaks Activity: World Leaks, the successor operation launched on January 1, 2025 and active through at least May 2025, claimed 31+ victims by mid-2025. As a pure extortion operation with no encryption, World Leaks will not generate the file-modification signatures that endpoint detection tools use to identify ransomware. Organizations should ensure DLP and network monitoring controls can detect large-scale data exfiltration independently of endpoint encryption indicators, since extortion-only operations produce no ransomware payload artifacts for traditional detection.
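A detection pass over host telemetry for the behaviours this profile lists (T1490 recovery inhibition, ESXi VM force-kills before encryption, NetServerEnum/NetShareEnum share sweeps, and the SharpRhino installer lure), written here as an added example rather than code from the profile or from any vendor cited on the page. The event schema, PIDs, hostnames and the OFFICIAL_HOSTS allowlist are constructed assumptions.

```python
"""Detection rules for behaviours documented in the Hunters International profile:
T1490 recovery inhibition, ESXi VM force-kills, share enumeration bursts, and the
SharpRhino installer lure. Added example, not the profile's or any vendor's code.
Events are constructed Sysmon-like dicts; every field name, PID, hostname and the
OFFICIAL_HOSTS allowlist are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# T1490: commands that remove Volume Shadow Copies or disable Windows recovery.
RECOVERY_INHIBIT = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]
# ESXi variant: guests are force-killed so their disks can be encrypted.
ESXI_FORCE_KILL = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*\btype\W*force\b", re.I)
# SharpRhino lure: an installer named like the Angry IP Scanner setup file.
IPSCAN_INSTALLER = re.compile(r"(^|[\\/])ipscan-[\w.]+-setup\.exe$", re.I)
OFFICIAL_HOSTS = {"angryip.org"}  # assumed allowlist of vendor download hosts
SHARE_ENUM_APIS = {"NetServerEnum", "NetShareEnum"}

def classify_process(ev: dict) -> list[tuple[str, str]]:
    """Return (technique, reason) pairs for one process-creation event."""
    hits = []
    cmd = ev.get("command_line", "")
    if any(p.search(cmd) for p in RECOVERY_INHIBIT):
        hits.append(("T1490", f"recovery inhibition: {cmd}"))
    if ESXI_FORCE_KILL.search(cmd):
        hits.append(("T1486", f"ESXi VM force-kill before encryption: {cmd}"))
    if IPSCAN_INSTALLER.search(ev.get("image", "")):
        # Mark-of-the-Web HostUrl records where the file was downloaded from;
        # a signed installer from a non-vendor host is the lure pattern.
        host = ev.get("motw_host", "")
        if host not in OFFICIAL_HOSTS:
            hits.append(("T1566.002", f"ipscan installer from unofficial host {host!r}"))
    return hits

def share_enum_bursts(api_events: list[dict], threshold: int = 5) -> dict[int, int]:
    """pid -> distinct servers, for processes enumerating shares on >= threshold hosts."""
    servers = defaultdict(set)
    for ev in api_events:
        if ev.get("api") in SHARE_ENUM_APIS:
            servers[ev["pid"]].add(ev.get("target", ""))
    return {pid: len(s) for pid, s in servers.items() if len(s) >= threshold}

def run(events: list[dict]) -> list[tuple[str, str]]:
    """Apply every rule to a mixed event stream; findings are (technique, reason)."""
    findings = []
    for ev in events:
        if ev.get("kind") == "process":
            findings.extend(classify_process(ev))
    api_events = [e for e in events if e.get("kind") == "api"]
    for pid, n in share_enum_bursts(api_events).items():
        # The profile lists share discovery under T1486 as pre-encryption recon;
        # MITRE's own ID for it is T1135 (Network Share Discovery).
        findings.append(("T1135", f"pid {pid} enumerated shares on {n} servers"))
    return findings

# Constructed sample telemetry (not real indicators).
SAMPLE = [
    {"kind": "process", "image": r"C:\Users\admin\Downloads\ipscan-3.9.1-setup.exe",
     "command_line": "ipscan-3.9.1-setup.exe", "motw_host": "lookalike.example"},
    {"kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"kind": "process", "image": "/bin/esxcli",
     "command_line": "esxcli vm process kill --type=force --world-id=12345"},
]
SAMPLE += [{"kind": "api", "pid": 4242, "api": "NetShareEnum", "target": f"srv{i:02}"}
           for i in range(7)]  # one process sweeping seven servers
SAMPLE.append({"kind": "api", "pid": 999, "api": "NetShareEnum", "target": "fs01"})

if __name__ == "__main__":
    for technique, reason in run(SAMPLE):
        print(technique, reason)
```

Because the late-2024 affiliate instruction dropped ransom notes and extension changes, the rules above key on pre-encryption commands and API behaviour rather than on .LOCKED files or Contact Us.txt.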
Hunters International's trajectory — from Hive code to global top-10 RaaS in under a year, followed by a voluntary shutdown and quiet pivot to encryption-free extortion — illustrates the adaptive economics of the modern ransomware ecosystem. The July 4, 2025 shutdown with free decryptors was framed as a goodwill gesture, but analysts widely assessed it as a coordinated rebranding to World Leaks, not a genuine cessation of criminal activity. The last time a ransomware group offered voluntary decryptors at shutdown was Avaddon in 2021 — which subsequently rebranded as NoEscape. Group-IB noted internal disputes within the Hunters International operation over the use of encryption, with some members breaking away to form World Leaks while others remained tied to the Hunters operation. Whether World Leaks ultimately represents the same core operators or a faction split remains unresolved. The 3.25 million personal records estimated to have been compromised across Hunters International's operational period — with the healthcare sector accounting for 2.9 million of those — represent a substantial real-world harm beyond the ransom payments themselves.
Sources & Further Reading
Attribution and references used to build this profile.
- Group-IB — The Beginning of the End: The Story of Hunters International (2025)
- Bleeping Computer — Hunters International Ransomware Shuts Down, Releases Free Decryptors (Jul 2025)
- Bleeping Computer — Hunters International Rebrands as World Leaks (Apr 2025)
- Bleeping Computer — Hunters International Targets IT Workers With SharpRhino Malware (Aug 2024)
- Quorum Cyber — SharpRhino: New Hunters International RAT Identified (2024)
- eSentire — From Access to Encryption: Dissecting Hunters International's Latest Attack (Mar 2025)
- AttackIQ — Emulating the Splintered Hunters International Ransomware (Jan 2025)
- Blackpoint Cyber — Hunters International Ransomware Threat Profile (2025)
- Infosecurity Magazine — Hunters International Is Not Shutting Down, It's Rebranding (Jul 2025)
- SOCRadar — Dark Web Profile: Hunters International (2024, updated 2025)