What is HellCat?
HellCat is the name of a relatively new ransomware-as-a-service (RaaS) group that first came to prominence in the second half of 2024. Like many other ransomware operations, HellCat breaks into organisations, steals sensitive files, and encrypts computer systems – demanding a ransom payment for a decryption key and to prevent the leaking of stolen files.
So it’s your typical “double extortion” threat?
Yes, although HellCat has been known to take a rather unusual twist on things when it comes to plying on the pressure.
What do you mean?
Well, for instance, when it claimed to have stolen approximately 40GB of sensitive data from French energy giant Schneider Electric, it demanded part of the ransom be paid “in baguettes.”
What???
Yes, they asked that $125,000 worth of the ransom be paid in baguettes.
And did HellCat find themselves rolling in the dough?
Oh, very droll. Well, Schneider Electric has not public disclosed whether it paid the ransom (let alone delivered some baked goods) to HellCat. However, the fact that the ransomware group did leak data from the company does imply non-payment.
I guess it’s a case of Loaf and Let Die?
Stop it. That’s enough. You knead to calm down.
Seriously, why would a ransomware gang demand baguettes?
Some have suggested that it’s a way to humiliate the victim of the ransomware. Others have speculated that it’s just the ransomware group trying to get publicity for itself through an absurd ransom demand. It’s unlikely that the gang really wanted that many baguettes… I mean, think of all of those carbs… My hunch is that it was a childish joke that the ransomware gang thought was funny, as Schneider Electric is headquartered in France – the spiritual home of the baguette.
You say “childish”. Does that mean the ransomware gang is a bunch of kids?
It’s hard to tell for sure. But security researchers have attempted to identify key members of the HellCat group, and one of its key figures claims to be in his late teens.
Who’s that?
The alleged founder and one of the administrators of HellCat goes by the handle of “Pryx” and claimed last year to be 17 years old. In an interview conducted last December, someone claiming to be Pryx also that he was most interested in targeting US and Israeli organaisations, with a focus on the government sector and businesses generating a high revenue.
Aside from Schneider Electric, what other organisations has HellCat hit?
Reported victims of the HellCat ransomware have included Israel’s parliament The Knesset (extracting 64GB of sensitive data), Jordan’s Ministry of Education (stealing images of ID cards, divorce papers, and various letters addressed to the Minister), and mobile device provider Transsion.
How will I know if my organisation has been hit by HellCat?
It will be pretty obvious when you see the ransom demand.
The note left by the attackers, promises that paying the ransom will not only deliver you the decryptor, but also “a description of your network vulnerabilities and information security recommendations.”
Is there any other way to decrypt my files?
Unfortunately at the time of writing, there is no publicly available decryption tool for HellCat. If you don’t have backups of your files, you might find yourself in a sticky pickle.
So how can my company protect itself from HellCat?
The best advice is to follow the recommendations on how to protect your organisation from other ransomware. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers and network devices are properly configured and protected with the latest security patches against vulnerabilities.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company does not need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data – such as phishing attacks.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.
