Hellcat Ransomware Attacking Government Organizations & Educational Institutions

A new ransomware gang, Hellcat, emerged on dark web forums in 2024, targeting critical infrastructure, government organizations, educational institutions, and the energy sector.

Operating on a ransomware-as-a-service (RaaS) model, Hellcat offers ransomware tools and infrastructure to affiliates in exchange for a profit share.

The group relies on double extortion techniques, combining data theft with system encryption to maximize victim compliance.

This approach also integrates psychological tactics such as humiliation and public pressure, emphasizing the group’s notable sophistication.

A Surge of Attacks

Hellcat’s activity surged in late 2024, with three attacks reported on November 14 alone.

On November 2, Hellcat infiltrated Schneider Electric SE, a French energy company.

The attackers exploited vulnerabilities in the company’s Jira project management system, exfiltrating more than 40GB of sensitive data, including 75,000 email addresses and rows of customer information.

The gang demanded $125,000 in cryptocurrency labeled as “Baguettes,” mocking the company’s French roots.

On November 4, Hellcat targeted Tanzania’s College of Business Education, leaking over 500,000 records of students, faculty, and staff.

The attack was carried out in collaboration with “Hikkl-Chan,” a threat actor previously implicated in major data breaches.

Days later, Hellcat shifted focus to a prominent U.S. university on November 14.

Offering root access to the university’s server on dark web forums for $1,500, the group threatened access to student records, financial systems, and critical operational data.

Continued Escalation

December attacks showcased Hellcat’s growing ambitions. The group targeted a French energy distribution company and an Iraqi city government on the same day, December 1.

Hellcat advertised root access to the French company’s servers, valued at $7 billion in annual revenue, for $500.

Similarly, root access to Iraqi government servers, critical for public services, was sold for $300.

This attack followed a pattern of targeting Iraq’s digital infrastructure, including a supply chain breach earlier in the year that exposed 21.58GB of voter data.

Hellcat employs advanced TTPs to exploit zero-day vulnerabilities in enterprise tools such as Jira in the Schneider Electric SE attack and escalate privileges to admin or root levels.

They target firewalls and critical infrastructure, further amplifying the scale of damage.

The group’s double extortion strategy compromises sensitive data before encryption, ensuring maximum leverage over victims.

Hellcat’s emergence underscores a troubling shift in the ransomware landscape.

By operationalizing RaaS and psychological coercion, the group has broadened the scope and impact of ransomware attacks.

Their focus on high-value sectors including education, government, and energy highlights the urgency for stronger cybersecurity measures.

Organizations must adopt proactive solutions like Cato SASE Cloud to disrupt the ransomware attack chain and mitigate emerging threats from sophisticated actors like Hellcat.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free