The Hellcat group has been actively targeting critical organizations, combining extortion with ridicule of its victims. One of its recent attacks was on Schneider Electric, where the group breached the company and demanded “125,000 baguettes” as ransom.
Operating under the Ransomware-as-a-Service (RaaS) model, Hellcat provides encryption tools and infrastructure for cyberattacks in exchange for a share of the profits. The group is believed to have high-ranking members on the BreachForums forum and employs double extortion tactics, stealing data and threatening to publish it if the ransom is not paid.
One of Hellcat’s distinctive features is its desire to humiliate its victims. In the case of Schneider Electric, the attackers claimed to have stolen 40 GB of data and leaked 75,000 email addresses and names of company employees. The ransom demand in baguettes was a mocking gesture towards the French giant.
Cato Networks uncovered a previously unknown vulnerability in the Atlassian Jira system that allowed Hellcat to penetrate Schneider Electric’s systems using a zero-day technique.
On the same day they hacked Schneider Electric, Hellcat also compromised the Ministry of Education in Jordan and leaked 500,000 records from the Tanzania College of Business, exposing personal and financial data of students and employees.
In November, Hellcat attempted to sell, for $1,500, root access to a US university that generates over $5.6 billion annually, compromising student records and financial systems. They also hacked the American telecommunications company Pinger, claiming to have stolen 111 GB of data, including 9 million user entries, personal messages, and source code.
In December, Hellcat continued its attacks by attempting to sell root access to a French energy company’s server for $500 and by hacking the municipal administration in Iraq, targeting critical infrastructure. These activities highlight the increasing cyber threat and the group’s dangerous tactic of publicly humiliating its victims.