The notorious Hunters International ransomware group, recently in the headlines for attacking Tata Technologies, has now shifted tactics and is rebranding with a new strategy focused solely on data theft, according to a fresh report by cybersecurity firm Group-IB.
Emerging in late 2023, Hunters International operates as a ransomware-as-a-service (RaaS) group. It quickly gained attention by mimicking many of the same tools and behaviors once associated with Hive—a ransomware gang dismantled by law enforcement in early 2023. Now, signs strongly suggest that Hunters is actually Hive in disguise.
Investigators at Group-IB say that several members of the cybercrime ecosystem still refer to the group as Hive. Moreover, some of the individuals behind Hunters have been linked to the same online accounts previously used by Hive’s administrators. This connection reinforces the theory that this is not a new group, but a strategic rebrand aimed at staying ahead of law enforcement crackdowns.
300 Victims and a Shift in Strategy
Hunters International has already listed around 300 victim organizations on its Tor leak site. Nearly half of these victims are based in North America, with others located across Europe and Asia. The sectors hardest hit include real estate, healthcare, financial services, energy, and government agencies.
Instead of relying solely on file-encryption ransomware, the group’s latest attacks focus more on data theft. The affiliate panel offered to cybercriminal partners includes tools to customize attacks, interact with victims, and even set ransom amounts. A core feature is its “Storage Software”—a data exfiltration tool that collects metadata from stolen files and sends it back to the group’s servers.
This panel supports malware compatible with multiple systems—Windows, Linux, and even ARM architectures—ensuring broad reach across different corporate environments. Affiliates get to keep 80% of any ransom payments they secure.
Group-IB also found that the Storage Software can delete or download files remotely, provided it runs on the same host that holds the stolen data. That suggests exfiltrated data is initially held on affiliate-controlled infrastructure until a ransom is paid, at which point the victim is offered deletion of the stolen data.
No More Ransom Notes — Just Direct CEO Pressure
The latest version of Hunters' ransomware marks a clear departure from traditional ransomware tactics: it leaves no ransom note behind and does not rename encrypted files. Instead, starting in August 2024, the group shifted to a more discreet approach built on psychological pressure, contacting CEOs and key executives directly to negotiate payment and keep the breach out of the public eye.
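Because this version drops no ransom note and leaves filenames unchanged, detections keyed on note files or on new file extensions will not fire. The following added example (written for this article, not code from Group-IB or from the group) takes a different angle: it checks whether a file's leading bytes still match the magic number its extension implies, and whether the content has become high-entropy, which is what in-place encryption produces. The magic-number table, the 7.5 bits-per-byte threshold and the two sample files it creates in a temporary directory are assumptions for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed magic numbers for the example; extend for the formats your fleet holds.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_file(path: str, sample_size: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Flag a file whose header no longer matches its extension AND whose content looks random.

    Compressed formats (docx, zip, png) legitimately have high entropy, so the
    entropy test alone would be noisy; the magic-number mismatch is required too.
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample_size)
    magic = MAGIC.get(ext)
    magic_ok = None if magic is None else head.startswith(magic)
    ent = shannon_entropy(head)
    suspicious = (magic_ok is False) and ent >= entropy_threshold
    return {
        "name": os.path.basename(path),
        "ext": ext,
        "entropy": round(ent, 2),
        "magic_ok": magic_ok,
        "suspicious": suspicious,
    }


def scan_directory(root: str) -> list[dict]:
    """Classify every file under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.append(classify_file(os.path.join(dirpath, name)))
    return results


def build_demo_tree() -> str:
    """Constructed sample data: one intact PDF and one PDF 'encrypted in place' (name unchanged)."""
    root = tempfile.mkdtemp(prefix="inplace_enc_demo_")
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100)
    with open(os.path.join(root, "budget.pdf"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for ciphertext written over the original
    return root


if __name__ == "__main__":
    for r in scan_directory(build_demo_tree()):
        print(r)
```

Run this against a file share on a schedule and alert on the count of suspicious files per directory rather than on single hits; a handful of mismatches is normal noise, a sudden jump across a tree is the signal that a no-note encryptor has been through.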
To personalize these extortion efforts, the group now partners with an external provider that uses open-source intelligence (OSINT) to collect detailed information about company personnel. This allows them to tailor their communications and increase pressure on top-level decision-makers.
Group-IB analysts predict this tactic will likely spread across the ransomware ecosystem, as more groups look to maximize profits while minimizing detection risks.
Abandoning Encryption for Exfiltration-Only Attacks
In a major pivot, internal communications cited in Group-IB's report reveal plans to drop file encryption entirely. The group's stated reason: encryption is too risky and no longer worth the effort.
On January 1, 2025, the group launched a new project titled "World Leaks," built solely around exfiltration-based attacks: single extortion over stolen data, with no encryption stage and therefore no double extortion. The campaign was briefly paused to fix backend infrastructure issues, but Group-IB reads it as a sign of a broader shift in how ransomware operations will work going forward.
The group is also building a new exfiltration tool intended to automate data theft. It is reportedly designed to evade detection and routes its connections to remote infrastructure through proxy servers, much as the earlier Storage Software did.
This mirrors the shift CISA documented for the BianLian group, which also moved to exfiltration-only extortion. Group-IB warns that this evolution is likely to become the new normal in cyber extortion as groups refine and automate their operations.
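When the only impact is bulk exfiltration, there is no encryption event to catch, and the proxy hop described above means the final destination is not visible in the victim's telemetry. The practical check is on the source side: which hosts suddenly push far more data out than their own history, and whether that volume is concentrated on a single endpoint. The added example below (not code from Group-IB, CISA or the group) implements that baseline comparison over flow records; the record layout, the thresholds (10x baseline, at least 1 GB, 80% to one endpoint) and the flow data are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records for the example (not real telemetry):
# (src_host, dst_ip, dst_port, bytes_out). One day of normal traffic per host
# forms the baseline; the second list is the window under investigation.
BASELINE_FLOWS = [
    ("fs01", "203.0.113.10", 443, 40_000_000),
    ("fs01", "203.0.113.11", 443, 25_000_000),
    ("ws17", "203.0.113.10", 443, 12_000_000),
    ("ws17", "198.51.100.5", 443, 8_000_000),
]
WINDOW_FLOWS = [
    ("fs01", "203.0.113.10", 443, 38_000_000),
    ("fs01", "198.51.100.77", 8443, 2_600_000_000),  # sustained push to one endpoint
    ("ws17", "203.0.113.10", 443, 11_000_000),
    ("ws17", "198.51.100.5", 443, 9_000_000),
]


def bytes_out_per_host(flows) -> dict:
    """Sum outbound bytes per source host."""
    totals = defaultdict(int)
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def find_exfil_candidates(baseline, window, ratio=10.0, min_bytes=1_000_000_000, concentration=0.8):
    """Return hosts whose outbound volume in the window dwarfs their own baseline.

    A host is a candidate when it sent at least min_bytes AND at least ratio times
    its baseline. The report also records the top destination and its share of the
    host's traffic: a tool that streams everything through one proxy shows up as a
    single endpoint taking most of the bytes, regardless of where that proxy is.
    """
    base = bytes_out_per_host(baseline)
    cur = bytes_out_per_host(window)
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, nbytes in window:
        per_dst[src][(dst, dport)] += nbytes

    hits = []
    for host, out in cur.items():
        prior = base.get(host, 0)
        if out < min_bytes or out < ratio * max(prior, 1):
            continue
        (dst, dport), top_bytes = max(per_dst[host].items(), key=lambda kv: kv[1])
        hits.append({
            "host": host,
            "bytes_out": out,
            "baseline": prior,
            "top_dst": f"{dst}:{dport}",
            "top_share": round(top_bytes / out, 2),
            "single_endpoint": top_bytes / out >= concentration,
        })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(BASELINE_FLOWS, WINDOW_FLOWS):
        print(hit)
```

Hosts with no baseline at all (new machines) are compared against 1 byte, so any large transfer from them is flagged; tune min_bytes per host class, since a backup server's normal day looks like exfiltration from a workstation.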