Hunters International, a ransomware operation known for high-impact attacks on corporate targets, has just announced its closure.
Simultaneously, the threat actors are offering free decryption tools to all previously affected companies.
The threat group published a message on its now-wiped extortion portal, stating the decision was made “after careful consideration” and framing the release of decryptors as a gesture of goodwill.
The announcement, which is the only content now visible on Hunters International’s dark web leak site, also confirms that all victim data and company entries have been permanently deleted. The group claims its priority in this final phase is to support organizations in recovering encrypted files “swiftly and efficiently,” without ransom payments.
Hunters International first emerged in late 2023 and quickly built a reputation for targeting large enterprises across North America and Europe. Unlike many ransomware groups that operate through affiliate-based models, Hunters International was believed to be a relatively centralized operation, with a consistent leak site and a distinct branding approach. Over the past year, it has been linked to attacks on healthcare providers, manufacturing firms, and most notably, AutoCanada, one of the largest automotive retail groups in North America.
At the time, Hunters International operated like many modern extortion outfits: encrypting systems, exfiltrating data, and threatening public release unless ransoms were paid. However, unlike some groups that opt for maximal chaos, Hunters maintained a relatively business-like posture in its communications, favoring lengthy statements and emphasizing data recovery assistance post-payment.
The motivations behind the group’s sudden wind-down remain unclear. No law enforcement takedown, internal dispute, or external pressure has yet been publicly confirmed. It’s possible the group opted for voluntary closure to avoid escalating scrutiny or internal burnout. The possibility of the portal having been hijacked or the threat actors setting a trap for past victims to download laced executables pretending to be decryptors cannot be ruled out either at this time.
For affected organizations, this announcement offers a rare opportunity for recovery without additional costs or negotiations, but it is important to remember that its authenticity will have to be first verified by independent researchers. Typically, specialist companies use released decryptors to develop safe tools for victims to use, so entities impacted by Hunters International should remain patient for now and not rush into any actions.
Leave a Reply