DARKTRACE reports that World Leaks, the rebrand of Hunters International, carried out an attack that involved both data exfiltration and encryption, contradicting prior claims that the group had abandoned encryption. In January 2026, Darktrace identified ransomware and data encryption within a healthcare organisation’s network, despite Autonomous Response actions that had initially blocked suspicious activity.
Investigations traced initial access to a FortiGate appliance in mid-October 2025, with threat actors using living-off-the-land techniques for lateral movement and Cloudflare Tunnel for C2 communications. A significant volume of data was exfiltrated to MEGA, and the attack culminated in the encryption of customer data, accompanied by a ransom note and a nine-character string appearing before README[.]txt.
The operation also involved SMB activity, with world[.]exe and task[.]bat observed on the network as part of the ransomware payload deployment. Darktrace notes that World Leaks has blended extortion and encryption in the past, underscoring the need for adaptive, proactive network defence.
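As an added detection example (not code from Darktrace or the report), the Python below correlates the stages summarised above per host over constructed log lines: Cloudflare Tunnel C2 lookups, bulk uploads to MEGA, SMB writes of world.exe/task.bat, and a ransom note with nine characters before README.txt. The log format, the domain patterns for Cloudflare Tunnel and MEGA, and the upload-size threshold are assumptions, not indicators published with the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simple "timestamp host event detail" format; not from the report.
SAMPLE_LOG = """\
2026-01-10T02:11:05 ws-12 dns query=a1b2c3d4.cfargotunnel.com
2026-01-10T02:14:40 ws-12 https host=gfs270n123.userstorage.mega.co.nz bytes_out=734003200
2026-01-10T03:02:17 fs-01 smb_write src=ws-12 path=C:\\Windows\\Temp\\world.exe
2026-01-10T03:02:19 fs-01 smb_write src=ws-12 path=C:\\Windows\\Temp\\task.bat
2026-01-10T03:40:00 fs-01 file_create path=D:\\data\\finance\\Qz7kP9aB2README.txt
2026-01-10T08:00:00 ws-33 https host=updates.example.com bytes_out=2048
"""

# One rule per stage named in the summary; the Cloudflare Tunnel and MEGA domains are assumptions.
RULES = {
    "c2_cloudflare_tunnel": re.compile(r"\bdns query=\S+\.(cfargotunnel|argotunnel)\.com\b"),
    "exfil_mega": re.compile(r"\bhttps host=\S*\bmega\.(nz|co\.nz)\b"),
    "smb_payload_staging": re.compile(r"\bsmb_write\b.*\\(world\.exe|task\.bat)\b", re.I),
    # Ransom note: a nine-character string immediately before README.txt, as the summary describes.
    "ransom_note": re.compile(r"\bfile_create\b.*\\\w{9}README\.txt\b", re.I),
}
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) ?(?P<detail>.*)$")
EXFIL_MIN_BYTES = 100 * 1024 * 1024  # assumed threshold for a "significant volume" upload

def detect(log_text):
    """Map each host to the sorted list of attack stages observed for it."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, event, detail = m.group("host"), m.group("event"), m.group("detail")
        for stage, pattern in RULES.items():
            if not pattern.search(raw):
                continue
            if stage == "exfil_mega":  # ignore small uploads to MEGA; only bulk transfers count
                size = re.search(r"\bbytes_out=(\d+)", detail)
                if not size or int(size.group(1)) < EXFIL_MIN_BYTES:
                    continue
            hits[host].add(stage)
            src = re.search(r"\bsrc=(\S+)", detail)
            if event == "smb_write" and src:  # credit the client that pushed the payload too
                hits[src.group(1)].add(stage)
    return {h: sorted(s) for h, s in hits.items()}

def double_extortion_observed(hits):
    """True when bulk exfiltration and a ransom note are both seen, the exfiltrate-and-encrypt pattern."""
    seen = set().union(*hits.values())
    return {"exfil_mega", "ransom_note"} <= seen
```

Calling `detect(SAMPLE_LOG)` attributes the SMB staging stage to both the file server and the workstation that pushed the payload, which is the pivot a responder would want to chase first.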