
Ransomware gangs are notorious for stealing data from servers before encrypting it and holding it hostage until a ransom is paid. Siphoning off data intensifies the pressure on victims, who face the dual threat of encryption and the possibility that their stolen data will be sold to interested parties.
However, recent trends show a shift in these gangs’ tactics. As ransom demands have attracted increased attention from law enforcement and government surveillance has intensified, the profitability of launching such attacks has decreased. As a result, many cybercriminal groups are now exploring alternative methods.
Hunters International, a cybercrime group responsible for spreading file-encrypting malware since 2023, announced in November 2024 that they would retire from their ransomware activities. Yet, they have since revealed a new approach: launching attacks to exfiltrate data and extort victims without needing to encrypt their entire databases.
According to a study by Group-IB, Hunters International has launched a dedicated dark web site called “World Leaks.” The site will host data leaked from breaches and serve as a platform to extort victims, warning them to pay a specified ransom or risk having their data fall into the wrong hands.
Launched on January 1, 2025, World Leaks is currently active on the dark web. So far, Hunters International has targeted over 280 organizations, including major names like Tata Technologies, AutoCanada, the US Marshals Service, Japanese optical brand Hoya, Austal USA, and Integris Health.
With the shift to data extortion, Hunters International’s focus appears to be moving toward industries that rely heavily on data, such as healthcare, finance, and manufacturing.