Ransomware group Hunters International shuts down operation, hands out free decryptors

On Thursday, Hunters International announced that it has officially shut up shop. In addition, the ransomware gang is offering free decryption keys for all victims.

“We, at Hunters International, wish to inform you of a significant decision regarding our operation. After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the Ransomware-as-a-Service (RaaS) operation writes in a message that was published on the dark web.

The statement doesn’t share any details about the reasons for shutting down, or to what ‘recent developments’ refers to.

Before going offline permanently, Hunters International promises to help organizations that have fallen victim to the ransomware operation.

“As a gesture of goodwill and to assist those affected by our previous activities, we are offering decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms,” the ransomware operation says.

“We appreciate your understanding and cooperation during this transition. Our commitment to supporting affected organizations remains our priority as we conclude our operations,” the online message concludes.

Hunters International emerged in late 2023 from the ashes of Hive, one of the world’s most dangerous ransomware groups at the time, responsible for over 1,500 victims globally and earning approximately €100 million in ransom demands.

Over the last two years, Hunters International has claimed to be responsible for almost 300 ransomware attacks worldwide, targeting companies of all sizes, with ransom demands ranging from hundreds of thousands to millions of dollars.

In April 2025, the group’s leadership said ransomware had become “unpromising, low-converting, and extremely risky,” adding that it was considering rebranding to focus on data exfiltration and extortion-only attacks rather than data encryption. This operation was known as World Leaks.