Evolution from ransomware to pure extortion
World Leaks represents a significant shift in the ransomware ecosystem, moving away from file encryption toward pure data extortion. The group is a rebrand of Hunters International, which launched in late 2023 and claimed over 280 attacks worldwide before rebranding in January 2025.
The threat actors now focus exclusively on stealing data using custom-made exfiltration tools, avoiding the legal and technical complexities associated with ransomware deployment. Since launching as World Leaks, the group has published data from 49 organizations on its leak site, though Dell has not been listed among the victims.
“To avoid being caught off guard in these situations, organizations must be prepared to respond to any type of attack strategy,” Costis advised. “Utilizing adversarial emulation allows security teams to test their defenses against baseline behaviors associated with common ransomware groups. This way, organizations can shut off access to sensitive information that attackers are after, which removes leverage from groups demanding ransoms.” World Leaks affiliates have also been linked to recent exploitation campaigns targeting end-of-life SonicWall SMA 100 devices, where attackers deployed a sophisticated OVERSTEP rootkit, demonstrating the group’s expanding attack capabilities beyond simple data theft.
