A new ransomware group dubbed Hellcat has emerged as a significant threat in the cybersecurity landscape.
This ransomware group leverages a Ransomware-as-a-Service (RaaS) model to target critical sectors such as government, education, and energy.
First identified in mid-2024, Hellcat operates by providing ransomware tools and infrastructure to affiliates in exchange for a share of the ransom profits.
This decentralized model has allowed the group to scale attacks rapidly and target high-value entities.
Hellcat employs sophisticated double-extortion tactics. Affiliates first exfiltrate sensitive data before encrypting systems, threatening to leak the stolen information unless a ransom is paid.
CATO Networks researchers discovered that the group uses the Windows Cryptographic API for encryption, ensuring that file contents are encrypted without altering file extensions or metadata.
This approach minimizes system disruption while maximizing leverage over victims. Notably, Hellcat exploits vulnerabilities in enterprise tools to gain initial access.
For instance, in November 2024, the group infiltrated Schneider Electric’s Atlassian Jira system by exploiting a zero-day vulnerability.
This breach resulted in the theft of over 40GB of sensitive data, including project files and user information spanning 400,000 rows.
The group demanded $125,000 in Monero cryptocurrency but mockingly referred to the ransom as “baguettes” due to Schneider Electric’s French origins.
Hellcat’s payloads are nearly identical to those used by another RaaS group, Morpheus, suggesting shared infrastructure or codebase among affiliates.
Both groups exclude critical system files from encryption and use similar ransom note templates directing victims to .onion portals for payment negotiations.
Hellcat’s attacks have targeted diverse sectors globally.
Organizations must adopt robust cybersecurity measures to mitigate such threats. Implementing Zero Trust Network Access (ZTNA) frameworks enhances security by restricting unauthorized access.
Regularly patching vulnerabilities in enterprise tools like Jira helps close potential entry points for attackers. Additionally, deploying advanced threat detection systems capable of identifying ransomware behaviors strengthens overall defense against cyber threats.
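The encryption behaviour described above (file contents replaced with ciphertext while names, extensions and metadata stay untouched) defeats detection rules that simply look for renamed files. A defender-side check that survives this is to compare each file's leading bytes against the magic number its extension implies, and to combine a mismatch with a byte-entropy measurement. The script below is an added example written for this article; it is not code from the article or from any named vendor, and the magic-number table, the 7.5 bits-per-byte threshold and the sample files in `build_demo_tree` are constructed assumptions for illustration.

```python
"""Heuristic scan for files whose contents look encrypted although their
extension is unchanged: magic-byte mismatch combined with high entropy.
Added example; the table, threshold and demo files are constructed."""
import math
import os
import tempfile
from pathlib import Path

# Constructed table of expected leading bytes for a few common types.
EXPECTED_MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
}

# Assumed threshold: ciphertext and compressed data approach 8.0 bits/byte,
# plain documents usually sit well below this.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_file(path: Path, sample_size: int = 4096) -> dict:
    """Read the file head and report magic-byte agreement, entropy and a verdict.

    A file is flagged only when BOTH signals agree: the extension is one we
    know, its magic bytes are missing, and the head is high-entropy. Entropy
    alone is not used, because archives and images are legitimately dense.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = path.suffix.lower()
    expected = EXPECTED_MAGIC.get(ext)
    magic_ok = None if expected is None else any(head.startswith(m) for m in expected)
    entropy = shannon_entropy(head)
    suspicious = magic_ok is False and entropy >= HIGH_ENTROPY
    return {
        "name": path.name,
        "ext": ext,
        "magic_ok": magic_ok,      # None = unknown type, not assessed
        "entropy": round(entropy, 2),
        "suspicious": suspicious,
    }


def scan_tree(root: Path) -> list[dict]:
    """Inspect every regular file under root; results sorted by file name."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            results.append(inspect_file(Path(dirpath) / name))
    return sorted(results, key=lambda r: r["name"])


def build_demo_tree() -> Path:
    """Construct a throwaway directory with sample files (constructed data):
    a normal PDF, a normal zip-based docx, an unknown-type binary blob, and a
    'pdf' whose bytes are random as a stand-in for ciphertext. Nothing here
    encrypts anything."""
    root = Path(tempfile.mkdtemp(prefix="entropy_demo_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"Quarterly numbers look fine.\n" * 100)
    (root / "notes.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 100 + b"word/document.xml" * 20)
    (root / "cache.bin").write_bytes(os.urandom(4096))
    (root / "ransomed.pdf").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    for r in scan_tree(build_demo_tree()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']:14} magic_ok={r['magic_ok']} entropy={r['entropy']}")
```

Run it as a script to see the constructed tree scanned: only `ransomed.pdf` is flagged, `report.pdf` and `notes.docx` pass because their headers match, and `cache.bin` is reported with high entropy but not flagged because its type is unknown. In production the table would be far larger and the scan would run on a schedule or from a file-integrity monitor, with a sudden jump in the count of flagged files being the alert condition rather than any single hit.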
Hellcat’s reliance on the RaaS model has made high-profile attacks more accessible to affiliates, posing significant challenges for cybersecurity professionals worldwide.