What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Hunters International attack can make a huge difference and help you make a full recovery. Request 24/7 Hunters International ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Hunters International ransomware statistics & facts

Hunters International decryptor
Hunters International IOCs
Hunters International vectors
Case outcomes
How to remove Hunters International ransomware?
How to recover from Hunters International ransomware?
Ransom amounts
Hunters International decryptor

Unfortunately, there is no publicly available decryptor for Hunters International ransomware. In January 2025, the group announced a shutdown and promised to release free decryption keys to past victims, but this claim remains unverified. The good news — UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.

Hunters International IOCs

File extensions
The most common extension is .LOCKED or .lock appended to encrypted files. In late 2024, the group announced they would stop changing file extensions as part of their shift toward extortion-only attacks.

Ransom note filenames
The primary ransom note filename is:

read me now!.txt

*Note: In late 2024, Hunters International announced they would no longer drop ransom notes, instead contacting CEOs and key staff directly to increase payment likelihood.

Hunters International hashes
These are SHA256 hashes associated with known Hunters International payloads:

(Note: Specific hashes were not disclosed in available public reports. Organizations should monitor for Rust-based ransomware binaries named encrypter_windows_x64.exe or similar variants.)

Hunters International tools
For EDR disabling:

Process Hacker
PC Hunter

For credential dumping:

AdFind
NirSoft PassView
SAM and SYSTEM registry hive dumps
SECRETSDUMP DCSYNC
Zerologon (CVE-2020-1472)

For reconnaissance:

Advanced IP Scanner
Advanced Port Scanner
NetServerEnum / NetShareEnum APIs
whoami, ipconfig /all, nltest /domain_trusts

For data exfiltration:

MEGA cloud storage
Rclone
WinSCP
Storage Software (custom tool that catalogs files without uploading them)

For lateral movement:

AnyDesk
TeamViewer
Plink
Impacket
RDP
SMB/Windows Admin Shares

Malware:

SharpRhino (custom RAT, also known as Parcel RAT, ThunderShell, SMOKEDHAM)
China Chopper web shell
AutoIt malware (renamed variants)

Most common red flag
Hunters International almost always runs these commands:

vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

*If you detect this, data encryption or exfiltration is moments away.

Hunters International vectors

Attack vector

% of Hunters International incidents

Notes

Exploited vulnerabilities

40–45%

Oracle WebLogic (CVE-2020-14644, CVE-2017-10271, CVE-2019-2725, CVE-2019-2729), Fortinet FortiOS (CVE-2024-55591)

Valid accounts / Credential abuse

25–30%

Compromised admin accounts, RDP brute-force

Phishing + malware

15–20%

AutoIt malware, SharpRhino RAT via typosquatting domains

External remote services

10–15%

Unauthorized RMM tools (AnyDesk, TeamViewer)

Web shells

5–10%

China Chopper deployment on compromised servers

Powered By WP Table Builder
Case outcomes

Hunters International is unpredictable and increasingly dangerous.

The group operated under a double-extortion model until late 2024, when they announced a strategic shift to extortion-only attacks — stealing data without encryption. In January 2025, they claimed to shut down and rebrand as “World Leaks,” focusing purely on data theft and extortion.

Most known Hunters International affiliates historically provided decryptors after payment, but decryptors were often slow, unstable, or incomplete. The group is known to publish stolen data within days if negotiations stall. Since their shift away from encryption, victims face pure extortion threats with no technical recovery path except restoring from backups.

Hunters International does not store stolen data on their infrastructure. Instead, they use a custom tool called Storage Software that catalogs file metadata and presents it to victims through their leak site, making data recovery negotiations more complex.

How to remove Hunters International ransomware?

Note: Attempting to remove Hunters International ransomware and self-remedy may lead to greater data loss.

To remove Hunters International ransomware, immediately engage Hunters International ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).

Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review file-hash indicators of compromise (IOCs), registry changes, deleted Volume Shadow Copies, and any tampering with event logs. Look for evidence of SharpRhino RAT, China Chopper web shells, or unauthorized RMM tools like AnyDesk and TeamViewer. After mapping the intrusion, reimage all infected devices using clean, verified system images.

Finally, rely on Hunters International ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating compromised credentials, and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.

How to recover from Hunters International ransomware?

To recover from Hunters International ransomware, follow these essential steps:

– Immediately isolate affected machines to stop any further malicious activity, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware or backdoors like SharpRhino RAT.
– Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment.
– Perform a thorough post-incident review to map the attack chain and identify root causes, then patch all exploited vulnerabilities (especially Oracle WebLogic and Fortinet FortiOS CVEs) and rotate all credentials (especially admin/service accounts) to eliminate any leftover access points.
– Bring in external IR specialists to audit your environment, ensure complete ransomware eradication, remove any web shells or RATs, and help update your incident-response and business-continuity plans.

Ransom amounts

Hunters International ransom demands typically range from $500,000 to over $3 million, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin or Monero.

Because Hunters International conducts double-extortion attacks (and now pure extortion attacks), victims face two simultaneous financial threats:

– The ransom itself
– The cost of leaked, stolen, or destroyed data

Organizations should never attempt ransom negotiation alone — Hunters International is known to escalate threats quickly, publish data when provoked, or disappear after receiving payment if communication is mishandled. In late 2024, the group began offering affiliates a 10% fee for in-depth OSINT analysis on targeted companies, including managers, responsible persons, and their close relatives, to increase pressure on victims.

Average ransom:

– Small business: $200,000 – $500,000
– Medium business: $750,000 – $1,500,000
– Large enterprise: $2,000,000+

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is Hunters International ransomware?

Hunters International is a highly aggressive Ransomware-as-a-Service (RaaS) operation that emerged in October 2023 following the FBI’s disruption of the Hive ransomware group. Security researchers discovered that Hunters International’s code contains approximately 60% overlap with Hive ransomware version 61, suggesting the group acquired or inherited Hive’s source code. The group operates globally, targeting organizations across multiple industries with a double-extortion strategy: stealing sensitive data, encrypting systems using Rust-based ransomware, and threatening to publish stolen information on their dark-web leak site unless ransom demands are met. As of early 2025, Hunters International had claimed over 285 victims worldwide before announcing their shutdown in July 2025.

Where is the Hunters International ransomware gang located?

Hunters International operates as a decentralized RaaS collective using dark-web infrastructure, Tor-based communication portals, and anonymized servers to obscure their physical location. While there is no officially confirmed headquarters, the group notably avoids targeting Russian organizations—a pattern consistent with Russian-speaking cybercriminal operations seeking to avoid scrutiny from Russian law enforcement. The group’s victims span approximately 30 countries globally, with the United States experiencing the highest number of attacks, followed by victims in Canada, the United Kingdom, Germany, France, Australia, Brazil, Japan, and New Zealand.

How does Hunters International ransomware work?

Hunters International typically infiltrates networks through phishing campaigns and social engineering tactics designed to trick employees into downloading malicious files. They also exploit vulnerabilities in Oracle WebLogic servers (particularly CVE-2020-14644) and leverage compromised Remote Desktop Protocol (RDP) access. Once inside, attackers deploy tools like China Chopper web shells, conduct reconnaissance using built-in Windows utilities (ipconfig, nltest, dsquery), and escalate privileges by manipulating Active Directory. They exfiltrate data to MEGA cloud storage using tools like Rclone or WinSCP, then deploy Rust-based ransomware that encrypts files with AES encryption secured by RSA keys, appending the .LOCKED extension. Before encryption, they disable security defenses, delete Volume Shadow Copies using vssadmin and wmic commands, and disable Data Execution Prevention to maximize damage.

How long do Hunters International ransomware attacks last?

The visible encryption phase of a Hunters International attack can be devastatingly fast—small networks may be locked down in under 10 minutes, mid-size environments in 1–2 hours, and large enterprises within 8 hours. However, the actual attack timeline is much longer. Attackers typically spend 4–21+ days inside the network undetected during the reconnaissance and data exfiltration phases. During this dwell time, they quietly steal credentials, map the network infrastructure, exfiltrate sensitive data to external cloud storage, disable backup systems and security tools, and position themselves for rapid, simultaneous encryption across all critical systems.

Where can I find a Hunters International victims list?

There is no official public list of Hunters International victims, but confirmed cases were historically published on the group’s own dark-web leak site before they announced their shutdown in July 2025. Security researchers, cyber threat intelligence (CTI) platforms, and ransomware tracking sites like Ransomware.live documented over 285 confirmed victims. Notable victims included Tata Technologies, the London branch of the Industrial and Commercial Bank of China (ICBC), Anderson Oil & Gas, and Barber Specialties. Security teams typically monitor dark-web leak portals, threat intelligence feeds, DFIR reports, and cybersecurity news outlets to stay updated on newly disclosed victims.

Can Hunters International ransomware be deleted?

You can remove the Hunters International malware binaries from infected systems, but that does nothing to decrypt your files or guarantee the attack is fully contained. The group’s Rust-based ransomware uses AES encryption secured with RSA keys, and there is no public decryptor available (though the group claimed to offer free decryption keys when they announced their shutdown in July 2025). Because attackers often establish persistence through web shells, backdoors, and compromised credentials, proper recovery requires professional incident response, complete environment remediation, credential resets across all systems, and restoration from clean, uncompromised backups that were created before the initial breach.

What happens when you get Hunters International ransomware?

Hunters International attackers infiltrate your network days or weeks before encryption, operating silently during reconnaissance and data exfiltration phases. They steal credentials, map your Active Directory environment, disable EDR tools and backup systems, and exfiltrate sensitive data to external cloud storage like MEGA. When the ransomware detonates, files across Windows and potentially Linux systems are rapidly encrypted with the .LOCKED extension, Volume Shadow Copies are wiped using vssadmin and wmic commands, and ransom notes titled “read me now!.txt” appear throughout your directories. Shortly after encryption, stolen data is threatened or published on the gang’s dark-web leak site to pressure victims into paying. The double-extortion model means even if you restore from backups, your sensitive data remains compromised and at risk of public exposure.

How can ransomware be prevented?

Ransomware is best prevented through layered defense-in-depth security: promptly patching critical vulnerabilities (especially in internet-facing systems like Oracle WebLogic and RDP), enforcing phishing-resistant multi-factor authentication (MFA) on all accounts, deploying EDR with behavioral detection capabilities and 24/7 SOC monitoring, implementing network segmentation to restrict lateral movement, hardening identity systems and limiting administrative privileges, securing email gateways with advanced threat protection, and protecting backups with immutability, air-gapping, and MFA-controlled access so attackers cannot tamper with recovery options. Regular security awareness training, phishing simulations, threat hunting exercises, and tabletop incident response drills further strengthen your defensive posture.

What is a ransomware prevention checklist?

Here’s a ransomware prevention checklist to help your organization block, detect, and contain attacks before encryption:

Patch critical vulnerabilities within 48–72 hours, prioritizing internet-facing systems Enforce MFA on all accounts, especially VPN, RDP, and administrative access Deploy EDR on all endpoints with behavioral detection enabled
Centralize logs into SIEM with 24/7 monitoring and alerting Monitor for lateral movement, credential dumping, and shadow copy deletion Disable unused RDP ports and enforce VPN with MFA for remote access Apply network segmentation and implement zero-trust architecture Restrict administrative privileges using least-privilege principles Harden backup infrastructure with immutability and offline/air-gapped copies Secure cloud storage with MFA and monitor for unusual data exfiltration Run regular phishing simulations and security awareness training Conduct tabletop incident response exercises quarterly Maintain an incident response retainer with a trusted IR firm

Has Hunters International ransomware shut down?

In July 2025, Hunters International announced on their dark-web leak site that they were shutting down operations and offering free decryption keys to victims. However, security researchers remain skeptical about whether this represents a genuine shutdown or simply a rebranding effort. The group had previously announced a shutdown in November 2024 but continued operations afterward. In April 2025, researchers identified evidence that Hunters International was transitioning away from encryption-based ransomware toward a pure data theft and extortion model under a new name, “World Leaks.” Given the group’s history as a rebrand of the FBI-disrupted Hive ransomware operation, organizations should remain vigilant as the threat actors may simply re-emerge under a different identity while maintaining similar tactics and infrastructure.