Hunters International Ransomware: Not Shutting Down, but Rebranding Hive

The Hunters International ransomware group is not a new threat but a strategic rebranding of the notorious Hive operation following its takedown by the FBI. Researchers reveal the group continues its activities with similar tactics, evolving its methods towards data exfiltration and extortion.

In the world of cybersecurity, the disappearance of a major ransomware group often doesn't signify its end, but rather the beginning of a new disguise. This is the case with Hunters International, a group initially thought to be a new player on the digital crime scene, only to be revealed as the reincarnation of the notorious Hive ransomware operation.

The story begins with the takedown of Hive, one of the most prolific ransomware gangs. In an international law enforcement operation led by the FBI, authorities successfully infiltrated Hive's networks in July 2022. For seven months, the FBI covertly monitored their activities, providing over 300 decryption keys to victims and preventing an estimated $130 million in ransom payments. In January 2023, authorities announced the seizure of Hive's servers, effectively taking its infrastructure offline.

A few months later, in October 2023, Hunters International emerged. Initially, the group claimed it had purchased Hive's source code and assets, positioning itself as a separate entity. However, cybersecurity researchers quickly identified significant overlaps. Code analysis revealed that the Hunters International ransomware shared a significant portion of its code with Hive's. Furthermore, users on underground forums and affiliates of other ransomware groups referred to Hunters as "Hive" in Russian (хайв). Some cybercriminals reported being contacted by Hunters' administrators using the same instant messaging accounts previously associated with Hive.

Rebranding is a common tactic for ransomware groups. The principal reason is to evade law enforcement and sanctions: once a group becomes a target, operating under a new name makes it harder to track and attribute. Rebranding also lets the operators distance themselves from high-profile attacks that drew unwanted attention.

Hunters International adopted the Ransomware-as-a-Service (RaaS) model, recruiting affiliates to conduct attacks. The group targets a wide array of industries, including healthcare, manufacturing, finance, and education. Their tactics involve exploiting known vulnerabilities, such as an Oracle WebLogic Server flaw (CVE-2020-14644), credential dumping, and lateral movement within networks. They employ a double extortion tactic, where they not only encrypt a victim's data but also exfiltrate it and threaten to publish it on their dark web leak site.

Recently, Hunters International made a surprising move. In early July 2025, the group announced it was closing its operations and would offer free decryptors to victims. However, experts remain skeptical. This move is widely seen as another strategic rebrand rather than an end to their activities. The group had already signaled its intention to shift away from ransomware to exfiltration-only attacks, launching a new project called "World Leaks".

The case of Hive and Hunters International underscores the resilience and adaptability of cybercriminal organizations. Even when law enforcement achieves significant victories like the Hive takedown, the operators behind these enterprises often regroup, rebrand, and continue their illicit activities. For businesses and organizations, this serves as a stark reminder that vigilance, robust patch management, and comprehensive incident response plans are essential to defend against these ever-evolving threats.