Tuesday, May 13, 2025
Homecyber securityHellcat Ransomware Attacking Government Organizations & Educational Institutions

Hellcat Ransomware Attacking Government Organizations & Educational Institutions

Published on

SIEM as a Service

Follow Us on Google News

A new ransomware gang, Hellcat, emerged on dark web forums in 2024, targeting critical infrastructure, government organizations, educational institutions, and the energy sector.

Operating on a ransomware-as-a-service (RaaS) model, Hellcat offers ransomware tools and infrastructure to affiliates in exchange for a profit share.

The group relies on double extortion techniques, combining data theft with system encryption to maximize victim compliance.

- Advertisement - Google News

This approach also integrates psychological tactics such as humiliation and public pressure, emphasizing the group’s notable sophistication.

A Surge of Attacks

Hellcat’s activity surged in late 2024, with three attacks reported on November 14 alone.

On November 2, Hellcat infiltrated Schneider Electric SE, a French energy company.

Hellcat ransomware
Schneider Electric SE ransom demand

The attackers exploited vulnerabilities in the company’s Jira project management system, exfiltrating more than 40GB of sensitive data, including 75,000 email addresses and rows of customer information.

The gang demanded $125,000 in cryptocurrency labeled as “Baguettes,” mocking the company’s French roots.

On November 4, Hellcat targeted Tanzania’s College of Business Education, leaking over 500,000 records of students, faculty, and staff.

The attack was carried out in collaboration with “Hikkl-Chan,” a threat actor previously implicated in major data breaches.

Days later, Hellcat shifted focus to a prominent U.S. university on November 14.

Offering root access to the university’s server on dark web forums for $1,500, the group threatened access to student records, financial systems, and critical operational data.

Continued Escalation

December attacks showcased Hellcat’s growing ambitions. The group targeted a French energy distribution company and an Iraqi city government on the same day, December 1.

Hellcat ransomware
Sale of root access for Iraq city government

Hellcat advertised root access to the French company’s servers, valued at $7 billion in annual revenue, for $500.

Similarly, root access to Iraqi government servers, critical for public services, was sold for $300.

This attack followed a pattern of targeting Iraq’s digital infrastructure, including a supply chain breach earlier in the year that exposed 21.58GB of voter data.

Hellcat employs advanced TTPs to exploit zero-day vulnerabilities in enterprise tools such as Jira in the Schneider Electric SE attack and escalate privileges to admin or root levels.

They target firewalls and critical infrastructure, further amplifying the scale of damage.

The group’s double extortion strategy compromises sensitive data before encryption, ensuring maximum leverage over victims.

Hellcat’s emergence underscores a troubling shift in the ransomware landscape.

By operationalizing RaaS and psychological coercion, the group has broadened the scope and impact of ransomware attacks.

Their focus on high-value sectors including education, government, and energy highlights the urgency for stronger cybersecurity measures.

Organizations must adopt proactive solutions like Cato SASE Cloud to disrupt the ransomware attack chain and mitigate emerging threats from sophisticated actors like Hellcat.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...