
Hunters International Abandons Ransomware for Pure Data Extortion Strategy


CyberSecureFox Editorial Team


A significant shift in cybercriminal tactics has been revealed as the notorious hacking group Hunters International announces its transition away from traditional ransomware operations. According to a recent Group-IB intelligence report, the organization is pivoting towards pure data theft and extortion methods, marking a notable evolution in the cyber threat landscape.

Strategic Transformation: The Emergence of World Leaks

In a strategic move announced in November 2023, Hunters International disclosed plans to rebrand as World Leaks, officially launching on January 1, 2024. This transformation represents more than a simple name change — it signals a complete abandonment of encryption-based ransomware in favor of sophisticated data exfiltration techniques. The group’s new operational model focuses exclusively on stealing sensitive information and leveraging it for extortion purposes.

Law Enforcement Pressure Drives Tactical Evolution

The shift appears largely motivated by intensifying law enforcement scrutiny of ransomware operations. Recent legal frameworks increasingly classify ransomware attacks as acts of terrorism, attracting heightened attention from international security agencies. This classification is exemplified by the 2024 Moscow criminal case against the operators of the UAPS payment system and the Cryptex cryptocurrency exchange, demonstrating the growing risks for traditional ransomware operators.

Advanced Technical Infrastructure and Operational Security

World Leaks has developed sophisticated data exfiltration tools featuring advanced proxy-based concealment systems and a centralized command-and-control infrastructure for affiliate operations. This technical evolution demonstrates the group’s commitment to maintaining operational effectiveness while reducing legal exposure through modified attack methodologies.

Industry-Wide Trend in Cybercriminal Operations

The abandonment of encryption-based ransomware represents an emerging trend within cybercriminal ecosystems. Notable groups including Karakurt (2022) and BianLian (2023) have previously adopted similar strategies, while new entities like Mad Liberator are launching operations focused exclusively on data theft and extortion. This strategic realignment suggests a broader transformation in cybercriminal business models.

Despite this tactical shift away from traditional ransomware, the financial impact of cyber extortion continues to grow. Sophos research indicates a 260–500% increase in extortion payments during 2024 compared to previous periods. This dramatic surge in profitability demonstrates that cybercriminal organizations are successfully adapting their methodologies to evade increased scrutiny while maintaining operational effectiveness.

Who Is Affected?

Hunters International / World Leaks has historically targeted organizations across healthcare, manufacturing, legal services, and financial institutions — sectors that hold large volumes of sensitive data. The shift to pure extortion without encryption makes the group’s attacks harder to detect and potentially more damaging, since traditional ransomware detection based on file encryption behavior no longer applies. Mid-size enterprises with large unstructured data stores and insufficient Data Loss Prevention (DLP) controls are at elevated risk.

What Organizations Should Do

  • Deploy Data Loss Prevention (DLP) solutions to monitor and block unauthorized exfiltration of sensitive files, particularly over cloud storage and email channels
  • Implement network traffic monitoring to detect anomalous large-volume outbound data transfers that may indicate active exfiltration
  • Audit and restrict access to sensitive data repositories — apply the principle of least privilege across all user accounts and service credentials
  • Enable multi-factor authentication on all remote access points, VPNs, and cloud management consoles to reduce the initial access risk
  • Establish an incident response plan that specifically accounts for data theft without encryption — traditional ransomware playbooks may miss data-theft-only scenarios
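The traffic-monitoring recommendation above can be prototyped as a per-host volume baseline. The following is an added example, not code from the article or from Group-IB: it sums each internal host's daily bytes sent to external addresses and flags days far above that host's own history. The flow record layout, the internal ranges, the thresholds and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: the organization's internal ranges; adjust to your own network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: day, source host, destination, bytes sent.
FLOWS = """\
2024-03-01 10.0.5.21 203.0.113.10 120000000
2024-03-02 10.0.5.21 203.0.113.10 95000000
2024-03-03 10.0.5.21 203.0.113.10 150000000
2024-03-04 10.0.5.21 203.0.113.10 110000000
2024-03-05 10.0.5.21 198.51.100.77 20000000000
2024-03-05 10.0.5.21 198.51.100.77 21000000000
2024-03-01 10.0.5.30 203.0.113.50 2000000000
2024-03-02 10.0.5.30 203.0.113.50 2100000000
2024-03-03 10.0.5.30 203.0.113.50 1900000000
2024-03-04 10.0.5.30 203.0.113.50 2000000000
2024-03-05 10.0.5.30 203.0.113.50 2100000000
2024-03-05 10.0.5.30 10.0.9.9 50000000000
"""

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def daily_outbound(flow_text):
    """Sum bytes sent to external destinations per source host and day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.strip().splitlines():
        day, src, dst, nbytes = line.split()
        if is_external(dst):
            totals[src][day] += int(nbytes)
    return totals

def flag_exfil_candidates(flow_text, k=6.0, min_bytes=1_000_000_000, min_history=3):
    """Flag host-days above the host's own median + k*MAD and above a byte floor."""
    alerts = []
    for host, days in daily_outbound(flow_text).items():
        for day, total in sorted(days.items()):
            history = [v for d, v in days.items() if d < day]  # ISO dates sort as text
            if len(history) < min_history:
                continue
            med = median(history)
            mad = median(abs(v - med) for v in history) or 1
            if total >= min_bytes and total > med + k * mad:
                alerts.append((host, day, total))
    return alerts
```

On the sample data, `flag_exfil_candidates(FLOWS)` returns only the 2024-03-05 host-day for 10.0.5.21; the host that routinely sends about 2 GB per day stays within its own baseline, and the large internal transfer is ignored.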

The evolution of these threats requires organizations to reassess their security postures, particularly focusing on data protection and exfiltration prevention strategies. For additional guidance on defending against extortion-focused threat actors, consult CISA cybersecurity advisories.

