Hellcat, the ransomware crew that infected Schneider Electric and demanded $125,000 in baguettes, has aggressively targeted government, education, energy, and other critical industries since it emerged around mid-2024.
Like many of the emerging cybercrime organizations, Hellcat uses a ransomware-as-a-service business model, offering infrastructure, encryption tools, and other malware to affiliates in exchange for a portion of the profits.Ā Its primary operators seem to be high-ranking BreachForums members [PDF].
Hellcat also uses double-extortion tactics, as do most ransomware gangs these days. First, it breaks into victimsā networks and steals their files, then it locks up the data and threatens to leak or sell sensitive information if the organization doesnāt pay the extortion demand.
But what makes this group especially concerning, according to threat researchers, is its high-profile targets and penchant for humiliating its victims.
This was the case with the November Schneider Electric attack, during which the criminals claimed to have stolen 40GB of compressed data. Before leaking 75,000 email addresses and full names of Schneider Electric employees and customers, Hellcat demanded that the French energy management giant pay $125,000 in baguettes.Ā
Humiliation is a major psychological tactic leveraged by Hellcat
The move was intended āto further mock the company,ā Cato Networks Chief Security Strategist Etay Maor said in a report published on Tuesday. āHumiliation is a major psychological tactic leveraged by Hellcat.ā
Plus, the crooks gained access to Schneider Electricās infrastructure via a previously unknown bug in its Atlassian Jira system. Maor also pointed to this point of entry, exploiting zero-day vulnerabilities in enterprise tools, as one of Hellcatās commonly used tactics, techniques, and procedures (TTPs).
While Schneider Electric confirmed to The Register at the time that it was āinvestigating a cybersecurity incident,ā it never publicly copped to not paying the dough.
On the same day that it bragged about the Schneider Electric breach, Hellcat also claimed to have compromised sensitive documents from Jordanās Ministry of Education and leaked over 500,000 records from Tanzaniaās College of Business containing personal and financial info belonging to students, faculty, and staff.
Schneider Electric ransomware crew demands $125k paid in baguettes
Ransomware scum make it personal for Reg readers by impersonating tech support
Medusa ransomware group claims attack on UKās Gateshead Council
Security pros more confident about fending off ransomware, despite being battered by attacks
Later that month, the group posted for sale root access to a US university with revenue exceeding $5.6 billion. The extortionists offered root access to a university server for the ālow costā of $1,500.
āSuch access could compromise student records, financial systems, and critical operational data, potentially leading to severe reputational damage and legal consequences for the institution,ā Maor wrote.
The universityās name never came to light, and we donāt know if it paid the ransom demand.
Also in November, Hellcat listed Pinger, a US telecoms company and app developer. The miscreants claimed to have stolen 111 GB of data, including 9 million user records, private messages, voice messages, backend systems, internal tools, and source codes, and threatened to release all of the data if the organization didnāt pay up.
Pinger didnāt immediately respond to The Registerās questions, including if the criminalsā claims were true and if the outfit paid the ransom.
Hellcatās attacks continued into December, with the crew listing a $7 billion French energy distribution company and attempting to sell root access to a server for $500.
The group also advertised root access to an Iraq city governmentās servers for $300, āemphasizing their intent to disrupt critical public services,ā according to Maor. Ā®
Too bad