Baguettes bandits strike again with ransomware, humiliation • The Register

Hellcat, the ransomware crew that infected Schneider Electric and demanded $125,000 in baguettes, has aggressively targeted government, education, energy, and other critical industries since it emerged around mid-2024.

Like many of the emerging cybercrime organizations, Hellcat uses a ransomware-as-a-service business model, offering infrastructure, encryption tools, and other malware to affiliates in exchange for a portion of the profits. Its primary operators seem to be high-ranking BreachForums members [PDF].

Hellcat also uses double-extortion tactics, as do most ransomware gangs these days. First, it breaks into victims’ networks and steals their files, then it locks up the data and threatens to leak or sell sensitive information if the organization doesn’t pay the extortion demand.

But what makes this group especially concerning, according to threat researchers, is its high-profile targets and penchant for humiliating its victims.

This was the case with the November Schneider Electric attack, during which the criminals claimed to have stolen 40GB of compressed data. Before leaking 75,000 email addresses and full names of Schneider Electric employees and customers, Hellcat demanded that the French energy management giant pay $125,000 in baguettes.

Humiliation is a major psychological tactic leveraged by Hellcat

The move was intended “to further mock the company,” Cato Networks Chief Security Strategist Etay Maor said in a report published on Tuesday. “Humiliation is a major psychological tactic leveraged by Hellcat.”

Plus, the crooks gained access to Schneider Electric’s infrastructure via a previously unknown bug in its Atlassian Jira system. Maor also pointed to this point of entry, exploiting zero-day vulnerabilities in enterprise tools, as one of Hellcat’s commonly used tactics, techniques, and procedures (TTPs).

While Schneider Electric confirmed to The Register at the time that it was “investigating a cybersecurity incident,” it never publicly copped to not paying the dough.

On the same day that it bragged about the Schneider Electric breach, Hellcat also claimed to have compromised sensitive documents from Jordan’s Ministry of Education and leaked over 500,000 records from Tanzania’s College of Business containing personal and financial info belonging to students, faculty, and staff.

Later that month, the group posted for sale root access to a US university with revenue exceeding $5.6 billion. The extortionists offered root access to a university server for the “low cost” of $1,500.

“Such access could compromise student records, financial systems, and critical operational data, potentially leading to severe reputational damage and legal consequences for the institution,” Maor wrote.

The university’s name never came to light, and we don’t know if it paid the ransom demand.

Also in November, Hellcat listed Pinger, a US telecoms company and app developer. The miscreants claimed to have stolen 111 GB of data, including 9 million user records, private messages, voice messages, backend systems, internal tools, and source code, and threatened to release all of the data if the organization didn’t pay up.

Pinger didn’t immediately respond to The Register’s questions, including if the criminals’ claims were true and if the outfit paid the ransom.

Hellcat’s attacks continued into December, with the crew listing a $7 billion French energy distribution company and attempting to sell root access to a server for $500.

The group also advertised root access to an Iraqi city government’s servers for $300, “emphasizing their intent to disrupt critical public services,” according to Maor. ®