January 28, 2025

Cato CTRL Threat Research: Unmasking Hellcat – Not Your Average Ransomware Gang

Etay Maor

Executive Summary 

There’s a new ransomware gang targeting critical infrastructure, government organizations, educational institutions, and the energy sector.

Their name? 

Hellcat. 

But who exactly are they? 

Hellcat is a new ransomware gang that surfaced on dark web forums in 2024. Hellcat operates a ransomware-as-a-service (RaaS) model, offering ransomware tools and infrastructure to affiliates in exchange for a share of the profits.

Hellcat’s double extortion tactics carry a deliberate psychological element aimed at humiliating victims and applying public pressure. This blog summarizes notable Hellcat activity in November and December 2024, drawing on a mix of Cato CTRL observations and third-party sources.

Technical Overview 

Ransom Demands & Attack Targets

Below is a detailed breakdown of double extortion attacks by Hellcat in November and December 2024. It is worth noting that the group and its affiliates launched three attacks on November 14, 2024.

Schneider Electric SE (November 2, 2024)

Figure 1. Schneider Electric SE ransom demand (source: Bleeping Computer)

Incident details: Per Bleeping Computer, Hellcat infiltrated the internal Jira project management system of Schneider Electric SE, a French energy management company, compromising 400,000 rows of user data and exfiltrating more than 40GB of sensitive information. Among the leaked data were 75,000 unique email addresses and full names of Schneider Electric employees and customers.

The group demanded $125,000 USD in “Baguettes” to further mock the company. Humiliation is a major psychological tactic leveraged by Hellcat.

Tanzania’s College of Business Education (November 4, 2024)

Figure 2. Tanzania’s College of Business data leak

Incident details: Hellcat claimed to have published over 500,000 records containing PII of students, faculty, and staff, in collaboration with “Hikkl-Chan”. Per Hackread, the same threat actor had previously leaked the sensitive data of over 390 million users of VKontakte (VK), a Russian social networking site.

Major U.S. University (November 14, 2024)

Figure 3. Sale of root access for U.S. university

Incident details: Per Cato CTRL’s findings, the group shifted their focus toward a U.S. university with annual revenue exceeding $5.6 billion USD. They posted root access to the university’s server for sale on dark web forums for the “low cost” of $1,500 USD. Such access could compromise student records, financial systems, and critical operational data, potentially leading to severe reputational damage and legal consequences for the institution.

French Energy Distribution Company (December 1, 2024)

Figure 4. Sale of root access for French energy distribution company

Incident details: Per Cato CTRL’s findings, the group targeted a French energy distribution company with an annual revenue exceeding $7 billion USD. The group offered root access to the company’s server for $500 USD.

Iraq City Government (December 1, 2024)

Figure 5. Sale of root access for Iraq city government

Incident details: Per Cato CTRL’s findings, the group advertised root access to an Iraqi city government’s servers for $300 USD, emphasizing their intent to disrupt critical public services. This was not the first time the Iraqi government had been targeted. Per Resecurity, a database containing 21.58GB of voter data and PII from Iraq’s Independent High Electoral Commission (IHEC) was leaked in a supply chain attack.


TTPs Used in Attacks 

Cato CTRL’s deeper analysis of the tactics, techniques, and procedures (TTPs) used by Hellcat identified the following:

  • Exploiting zero-day vulnerabilities in enterprise tools, such as Jira in the Schneider Electric SE attack. 
  • Targeting firewalls and critical infrastructure, as seen in the attacks against the U.S. university and the French energy distribution company. 
  • Escalating privileges to root or admin level, then selling that access on dark web forums. 
  • Double extortion: exfiltrating data before encrypting target systems, then threatening to leak it if the ransom is not paid.

Conclusion 

Hellcat’s emergence in 2024 marks a troubling shift in the cybercrime landscape. By operating a RaaS model and relying on double extortion, Hellcat has both lowered the barrier to entry for ransomware affiliates and heightened the psychological impact on its victims. The gang’s focus on government, education, and energy underscores the need for stronger defenses and sustained vigilance against this emerging ransomware group. The ongoing battle against ransomware requires constant adaptation and awareness to stay ahead of increasingly sophisticated cybercriminals. 

Protections

With the Cato SASE Cloud Platform, organizations can leverage the security stack to kill the ransomware attack chain as quickly as possible. 

  • Cato IPS: Includes data from numerous threat intelligence sources and can block potential ransomware activity, including:
    • Access to suspected websites that are likely to be associated with different threats (such as malware C&C, ransomware, phishing, and so on).
    • Suspected malicious hosts attempting to spread ransomware.
    • Lateral movement over the WAN used by the threat actor to spread ransomware. 
  • Cato FWaaS: protects users from accessing malicious websites (such as the malware category) where they could accidentally download a malicious payload containing ransomware. 
  • Cato NGAM: provides an additional layer of protection and contributes to Cato ZTNA (Zero Trust Network Access). These engines prevent malicious download attempts and block the related ransomware before it executes on the user’s device.

Etay Maor is the Chief Security Strategist at Cato Networks, a founding member of Cato CTRL, and an industry-recognized cybersecurity researcher. Prior to joining Cato in 2021, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and at RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and serves on the Call for Papers (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.