Full Report
The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks. [...]
Analysis Summary
# Threat Actor: Hunters International (Rebranded as World Leaks)
## Attribution & Identity
* **Identification:** Threat actor group known as Hunters International.
* **Potential Association:** Flagged as a *possible rebrand of Hive* due to code similarities.
* **Recent Change:** Shifting focus from traditional ransomware encryption to pure data extortion.
* **New Alias:** Rebranded as "World Leaks."
## Activity Summary
Hunters International surfaced in late 2023. They quickly became one of the most active ransomware operations, claiming over 280 attacks globally. Their activities have recently transitioned to exclusively data extortion models, abandoning the encryption component. Victims have ranged from small to very large organizations. Noteworthy claims include attacks against Tata Technologies, AutoCanada, U.S. Marshals Service, Hoya, Austal USA, and Integris Health. They also targeted the Fred Hutch Cancer Center, threatening to leak data of over 800,000 cancer patients.
## Tactics, Techniques & Procedures
* The article mentions high-level data regarding their activity profile ("Top 10 MITRE ATT&CK® Techniques Behind 93% of Attacks") but does not specify these techniques or their corresponding IDs.
* **Primary Modus Operandi:** Historically, ransomware deployment combined with data theft; currently, data extortion only.
## Targeting
* **Sectors:** Broad targeting, including healthcare (Integris Health, Fred Hutch Cancer Center), automotive/dealerships (AutoCanada), defense contracting (Austal USA), general technology/manufacturing (Tata Technologies), and government services (U.S. Marshals Service).
* **Geography:** Worldwide ("organizations worldwide").
* **Victims:** Tata Technologies, AutoCanada, U.S. Marshals Service, Hoya, Austal USA, Integris Health, Fred Hutch Cancer Center.
## Tools & Infrastructure
* **Malware families used:** Their proprietary ransomware, which supports a wide range of platforms and architectures.
  * Supported platforms: Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers).
  * Supported architectures: x64, x86, and ARM.
* **Infrastructure:** No specific C2s, domains, or IPs were detailed in the provided text snippet.
## Implications
Hunters International represents a significant and evolving threat actor. Their shift from double extortion (encryption plus data theft) to pure data extortion suggests an adaptation to the decreasing profitability of, or growing resistance to, full encryption attacks. Their ability to target diverse operating systems (including specialized ones such as ESXi and SunOS/Solaris variants) indicates a mature and technically capable operation. Ransom demands have been substantial, ranging from hundreds of thousands to millions of dollars.
## Mitigations
* Focus on robust data access controls and data minimization strategies given the pivot to pure extortion.
* Ensure monitoring coverage and patching for critical systems, especially ESXi servers, given the group's known history of targeting these endpoints.
* Maintain strong incident response and data breach notification plans to handle the public exposure associated with pure extortion models.