Hellcat Ransomware: Attacks on Organizations via the RaaS Model Are on the Rise

A new and serious threat has emerged in the cybersecurity landscape: a ransomware group called Hellcat. The group operates on the Ransomware-as-a-Service (RaaS) model and targets critical sectors such as government, education, and energy. Hellcat was first identified in 2024 and works through affiliates, supplying them with the ransomware payload and supporting infrastructure in exchange for a share of each ransom. This decentralized model lets the group scale attacks quickly and go after high-value organizations without running every intrusion itself.

Hellcat employs a double extortion tactic. The attackers first exfiltrate sensitive data and only then encrypt the systems, threatening to leak the stolen information if the ransom is not paid. Researchers at Cato Networks found that the group uses the Windows Cryptographic API for encryption and encrypts file contents in place, without renaming the files or changing their extensions or metadata. Because nothing about the file name changes, the encryption is harder to spot with monitoring that keys on extension changes or ransom-note file names; the victim still loses access to the data, so the pressure to pay is unchanged.
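Encryption that leaves names, extensions and sizes intact defeats the usual "look for renamed files" heuristic, so detection has to look at content. The following is an added example written for this article, not code from Cato Networks or from the Hellcat payload: it simulates in-place encryption with a stand-in keystream (SHA-256 in counter mode, a placeholder for the real Windows Cryptographic API calls) on a constructed directory of files, then scans the tree and flags files whose byte entropy is high while the magic bytes their extension requires are missing. The file contents, the key, and the threshold of 7.5 bits per byte are assumptions chosen for the demonstration.

```python
import hashlib
import math
import os
import tempfile

# Real leading signatures for a few common document types. A .docx/.xlsx is a
# ZIP container, so a healthy file of either type must start with "PK\x03\x04".
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream (assumption: SHA-256 counter mode, NOT the real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_in_place(path: str, key: bytes) -> None:
    """Overwrite the file's bytes but keep its name, extension, size and timestamps,
    mimicking encryption that leaves the file's outward metadata untouched."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    ks = keystream(key, len(data))
    with open(path, "wb") as f:
        f.write(bytes(a ^ b for a, b in zip(data, ks)))
    os.utime(path, (st.st_atime, st.st_mtime))  # restore timestamps on purpose


def classify(path: str, sample_size: int = 4096, threshold: float = 7.5) -> dict:
    """Content-based check: high entropy plus a missing expected magic header."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample_size)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or head.startswith(expected)
    ent = shannon_entropy(head)
    if expected is not None:
        # Known container types (zip-based Office files, PNG, JPEG) are high
        # entropy by design, so the magic check is what separates them from ciphertext.
        suspicious = (not magic_ok) and ent >= threshold
    else:
        # Unknown extension: entropy alone; expect false positives on archives/media.
        suspicious = ent >= threshold
    return {"entropy": round(ent, 3), "magic_ok": magic_ok, "suspicious": suspicious}


def scan_tree(root: str) -> dict:
    """Classify every file under root, keyed by path relative to root."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            results[os.path.relpath(p, root)] = classify(p)
    return results


def demo() -> dict:
    """Constructed sample tree: two healthy files and one encrypted in place."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100)
    with open(os.path.join(tmp, "contract.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 30 + b"word/document.xml" * 50)
    victim = os.path.join(tmp, "budget.xlsx")
    with open(victim, "wb") as f:
        f.write(b"PK\x03\x04" + b"xl/workbook.xml" * 200)
    encrypt_in_place(victim, b"constructed-demo-key")  # name and size unchanged
    return scan_tree(tmp)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel:15s} entropy={info['entropy']:.3f} magic_ok={info['magic_ok']} suspicious={info['suspicious']}")
```

In the demo only `budget.xlsx` is flagged: its extension and size are what they were, its modification time was restored, but the ZIP signature is gone and the content is near 8 bits per byte. The restored timestamp is the point of the `os.utime` call: a scan that trusts mtime would miss it, which is why the check reads the bytes.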

Hellcat also exploits weaknesses in corporate systems to gain access. In November 2024, for example, the group breached Schneider Electric's internal Atlassian Jira system, exploiting what was reported at the time as a zero-day vulnerability. The breach resulted in the theft of over 40 GB of data, including project files and roughly 400,000 rows of user information. The group demanded a ransom of $125,000 in Monero, jokingly denominating it in "baguettes" as a jab at Schneider Electric's French roots.

Hellcat's ransomware binaries are strikingly similar to those used by another RaaS group, Morpheus, which suggests a shared codebase or builder. Both groups avoid encrypting critical system files and use templated ransom notes that direct victims to .onion sites (Tor hidden services) for payment negotiations; the notes follow a standardized format and differ mainly in the contact details.

Hellcat has targeted various sectors worldwide:

  • Schneider Electric: The attack exposed sensitive operational data and employee personal information. The company refused to pay, and the attackers responded by mocking it publicly.
  • Tanzania College of Business Education: In November 2024, Hellcat leaked over 500,000 records containing personal and billing information of students and staff.
  • A U.S. university: The group offered full access to the university's servers for $1,500 on a dark web forum, putting student records and financial systems at risk.
  • An Iraqi city government: Hellcat offered access to municipal servers for just $300, showing that disrupting public services is within its intent even when the payout is small.

To counter such threats, organizations should take the following measures:

  1. Proactive security measures: Keep systems updated, audit them regularly, and patch vulnerabilities promptly, especially in internet-facing collaboration tools like Jira that hold project data and credentials.
  2. Continuous monitoring: Monitor network activity and file system behavior, and investigate anomalies quickly; large outbound transfers ahead of encryption are the signature of double extortion.
  3. Strict access control: Apply Zero Trust principles so that only authenticated, authorized users and devices can reach internal systems, and limit what each identity can do once inside.
  4. Employee training: Train staff regularly on cybersecurity basics so that phishing and credential theft, common entry points for affiliates, are less likely to succeed.

Because Hellcat operates as RaaS, large-scale attacks are available to any affiliate who can obtain initial access, and the number and complexity of incidents attributed to the group are growing accordingly.

Groups like Hellcat represent a new and serious threat. Organizations must adopt a proactive approach: patch and audit their systems, monitor continuously for data exfiltration and in-place encryption, enforce strict access controls, and train employees. Only the combination of these measures provides reliable protection against this kind of attacker.
