Hunters International Moving to Straight Data Extortion Attacks
Researchers have suggested that Hunters International, suspected to be a rebrand of the Hive ransomware group, may be moving away from deploying encryptors in favor of data exfiltration for extortion attacks.
In November 2024, Hunters announced plans to cease ransomware operations, citing increased risks and decreased profitability due to global law enforcement actions and geopolitical pressures. They indicated a shift towards a new project, "World Leaks," focusing solely on data exfiltration without encryption.
In recent attacks, the group has stopped dropping ransom notes or encrypting and renaming files. Researchers concluded that the group may move away from encryption, having launched a short-lived project called World Leaks focused on exfiltration-only attacks using undetectable tools and proxy connections.
Takeaway: With the Hunters International group following in the footsteps of BianLian and DonutLeaks in abandoning the encryption payload, does this mean we are seeing a trend where ransom operators will simply focus on exfiltration for extortion? The short answer is no.
Let’s be real—while it’s tempting to think ransomware gangs are all about to ditch encryption for simple data exfiltration, that’s not where the majority of the ecosystem is headed.
Groups like Hunters International might be experimenting with “just steal and threaten,” and BianLian made that pivot after researchers dropped a free decryption tool for their payload—but don’t expect that to be the norm.
Why? Because encryption still gives attackers the upper hand. If your systems are locked up and your business can’t operate, the pressure to pay ramps up fast. It’s much harder for a victim to ignore a ransom demand when their entire infrastructure is down versus when their data is merely at risk of exposure.
The pain is immediate, disruptive, and expensive.
Sure, skipping the encryption payload saves threat actors time and resources—they don’t have to build, update, or maintain that part of their stack. But the tradeoff is less leverage and, ultimately, smaller payouts. That’s not a winning formula for affiliates looking to get paid.
Most top-tier crews know this. They’re pushing the envelope with complex encryption routines, hitting macOS and Linux, using Rust to avoid detection, and deploying partial encryption to boost speed and stealth. Innovation in payloads is still the name of the game because pain drives payment.
So, while some operators might chase the “easy button” of data-only extortion, they’re unlikely to see the same financial returns—or attract serious affiliates—as those still focused on locking up systems and pushing victims to the brink.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.