
Hellcat Ransomware Group

From EverybodyWiki Bios & Wiki



Hellcat Ransomware Group
Founded: Mid-2024
Years active: 2024–present
Territory: Global (operates via dark web)
Membership: Pryx (Adem), Rey (Saif), Grep, IntelBroker
Criminal activities: Ransomware as a service (RaaS), cyber extortion, data theft

The Hellcat Ransomware Group is a cybercrime organization that emerged in mid-2024, operating as a notorious Ransomware as a service (RaaS) entity. The group targets government agencies, critical infrastructure, and corporations with highly sophisticated cyberattacks, employing double extortion tactics by encrypting systems and threatening to leak stolen data. Hellcat is known for exploiting zero-day vulnerabilities, using infostealer malware targeting Jira credentials, and employing humiliation tactics, such as demanding ransoms in unconventional forms (e.g., baguettes) to pressure victims.[1][2][3][4] The group is associated with BreachForums and Anonymous Palestine.[5]

History

Hellcat was formed in mid-2024 on BreachForums, initially named "ICA Group" before adopting its current name to avoid confusion with another entity.[6] The group rapidly gained notoriety by launching sophisticated attacks leveraging zero-day exploits on high-profile organizations, including Schneider Electric, The Knesset, and Jaguar Land Rover.[1][2][3][4] Its ransomware payloads share similarities with the Morpheus ransomware group, suggesting possible collaboration or shared tools.[3]

Tactics and Techniques

Hellcat employs highly sophisticated tactics, techniques, and procedures (TTPs), as documented by cybersecurity researchers.[3][7][4][8] Key methods include:

  • Initial Access: Exploiting zero-day vulnerabilities in software like Jira and PAN-OS, alongside spear-phishing and infostealer malware (e.g., Raccoon, LummaStealer) to steal credentials.[9][3][4]
  • Persistence: Deploying backdoors and modifying system settings to maintain access.[7]
  • Data Exfiltration: Transferring stolen data via Secure File Transfer Protocol (SFTP) or cloud services.[8]
  • Encryption: Using ransomware payloads that leverage the Windows Cryptographic API, leaving ransom notes in system directories.[3]
  • Humiliation Tactics: Demanding ransoms in unconventional forms to generate media attention and pressure victims.[1]

Notable Attacks

Hellcat has conducted several high-profile cyberattacks, including:

Victim                      Date            Details
Schneider Electric          November 2024   Exfiltrated 40GB of data, demanded $150,000, partly in baguettes.[4]
The Knesset                 November 2024   Stole 64GB of sensitive data.[1]
Barbados Revenue Authority  January 2025    Breached vehicle registration database, exposing vehicle and owner data.[10]
Orange Group                February 2025   Exfiltrated 6.5GB of data from Romanian operations, including 380,000 email addresses.[11]
Jaguar Land Rover           March 2025      Breached via stolen Jira credentials, exfiltrated gigabytes of data.[2]
Dell                        March 2025      Leaked employee data.[12]

Ransom demands range from 0.5 Bitcoin (approximately $48,756) to $350,000, communicated via email and platforms like GitHub.[13]

Membership

Hellcat's members operate under pseudonyms, with some details identified by cybersecurity researchers:

Cybersecurity firm KELA has shared member profiles with law enforcement in the United States, Europe, and Asia-Pacific.[5]

Infrastructure

Hellcat coordinates through dark web forums like BreachForums and uses encrypted communication tools, including XMPP and Tox. Its leak site, now defunct, was accessible via Tor.[13] The group employs anonymous VPS rentals paid with cryptocurrency.[7]

Law Enforcement and Mitigation

The FBI is investigating Hellcat, particularly its use of infostealers in attacks such as the one on Jaguar Land Rover.[2] The Barbados Defence Force's Cyber Unit confirmed Pryx's involvement in the Barbados Revenue Authority breach.[10] Recommended mitigation strategies include:

  • Deploying EDR tools to detect infostealer activity.
  • Implementing multi-factor authentication (MFA) on systems like Jira.
  • Adopting Zero Trust security models and maintaining offline backups.[8][9]
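As an added defensive example (not from the article or any of the sources it cites), the following Python script shows one compensating detection for the initial-access method described above: credentials harvested by infostealers and replayed against Jira. It builds a baseline of the source IPs each account has successfully authenticated from, flags later successful logins from an address the account has never used, and separately reports any single unfamiliar address from which several accounts succeeded. The log line format, field names, usernames and IP addresses are constructed assumptions for the demonstration, not Jira's real audit log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Jira-style authentication events (sample data, not from the
# article or any real incident). Assumed line format:
#   <ISO-8601 timestamp> <LOGIN_SUCCESS|LOGIN_FAILURE> user=<name> ip=<addr>
SAMPLE_LOG = """\
2025-03-01T08:02:11Z LOGIN_SUCCESS user=alice ip=10.20.0.15
2025-03-01T08:05:43Z LOGIN_SUCCESS user=bob ip=10.20.0.22
2025-03-02T09:11:07Z LOGIN_SUCCESS user=alice ip=10.20.0.15
2025-03-03T08:30:00Z LOGIN_SUCCESS user=bob ip=10.20.0.22
2025-03-10T03:14:55Z LOGIN_SUCCESS user=alice ip=203.0.113.77
2025-03-10T03:15:20Z LOGIN_FAILURE user=carol ip=203.0.113.77
2025-03-10T03:16:02Z LOGIN_SUCCESS user=carol ip=203.0.113.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_[A-Z]+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(log_text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Source IPs each user successfully authenticated from before `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_SUCCESS" and e["ts"] < cutoff:
            baseline[e["user"]].add(e["ip"])
    return baseline


def detect_new_ip_logins(events, baseline, cutoff):
    """Flag successful logins at or after `cutoff` from an IP the user has never
    authenticated from. Also report IPs from which more than one flagged account
    logged in: several distinct users succeeding from one unfamiliar address is
    the shape of harvested credentials being replayed, not one employee on a new
    network."""
    alerts = []
    users_per_ip = defaultdict(set)
    for e in events:
        if e["event"] != "LOGIN_SUCCESS" or e["ts"] < cutoff:
            continue
        if e["ip"] not in baseline.get(e["user"], set()):
            alerts.append({
                "ts": e["ts"].strftime(TS_FMT),
                "user": e["user"],
                "ip": e["ip"],
                "reason": "success from IP not in user baseline",
            })
            users_per_ip[e["ip"]].add(e["user"])
    shared_ips = {ip: sorted(users) for ip, users in users_per_ip.items() if len(users) > 1}
    return alerts, shared_ips


def run_detection(log_text, cutoff_str):
    """Baseline on events before `cutoff_str`, detect on events at or after it."""
    cutoff = datetime.strptime(cutoff_str, TS_FMT)
    events = parse_events(log_text)
    baseline = build_baseline(events, cutoff)
    return detect_new_ip_logins(events, baseline, cutoff)


if __name__ == "__main__":
    alerts, shared = run_detection(SAMPLE_LOG, "2025-03-05T00:00:00Z")
    for a in alerts:
        print(f"ALERT {a['ts']} {a['user']} from {a['ip']}: {a['reason']}")
    for ip, users in shared.items():
        print(f"MULTI-ACCOUNT {ip}: {', '.join(users)}")
```

Two caveats a practitioner would expect: an account with no history before the cutoff (carol in the sample) alerts on its first login, so new joiners need a grace period or an enrolment source, and raw IP matching is noisy for mobile or VPN users; in production the baseline key is usually an ASN, country or device identifier rather than the exact address. The multi-account view is the more robust signal, since one unfamiliar address succeeding for several users in a short window is hard to explain benignly, and it is exactly the gap that MFA on Jira closes.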

References

  1. "New Hellcat Ransomware Gang Employs Humiliation Tactics". Infosecurity Magazine. 2025-01-29. Retrieved 2025-05-30.
  2. "Ahead of the Threat Podcast: Episode Eight - Scott Aaronson". FBI. 2025-03-26. Retrieved 2025-05-30.
  3. "HellCat and Morpheus: Two Brands, One Payload as Ransomware Affiliates Drop Identical Code". SentinelOne. 2025-01-23. Retrieved 2025-05-30.
  4. "HellCat Ransomware: What You Need To Know". Tripwire. 2025-04-03. Retrieved 2025-05-30.
  5. "Hellcat Hacking Group Unmasked: Investigating Rey and Pryx". KELA Cyber. 2025-03-27. Retrieved 2025-05-30.
  6. "Threat Actor Interview: Spotlighting on Pryx – Admin of the Hellcat Ransomware Group". Osint10x. 2024-12-31. Retrieved 2025-05-30.
  7. "Who are Hellcat Ransomware Group?". Bridewell. 2025-02-28. Retrieved 2025-05-30.
  8. "HellCat Ransomware: Exposing the TTPs of a Rising Ransomware Threat in 2025". Picus Security. 2025-03-13. Retrieved 2025-05-30.
  9. "HELLCAT Ransomware Group Strikes Again: Four New Victims Breached via Jira Credentials from Infostealer Logs". InfoStealers. 2025-04-05. Retrieved 2025-05-30.
  10. "BRA Information Security Incident Analysis". Barbados ISSA. 2025-02-15. Retrieved 2025-05-30.
  11. "Orange Group Breach: Hellcat Ransomware Group". Cyberpress. 2025-02-25. Retrieved 2025-05-30.
  12. "Dell Investigates Data Breach Claims After Hacker Leaks Employee Info". BleepingComputer. 2025-03-10. Retrieved 2025-05-30.
  13. "HellCat Ransomware". WatchGuard Technologies. 2024-10-25. Retrieved 2025-05-30.
  14. "Significant Data Breach at Los Angeles International Airport Admitted by IntelBroker". SC Media. 2025-05-15. Retrieved 2025-05-30.


This article "Hellcat Ransomware Group" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Hellcat Ransomware Group. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.