Related Families: HellDown
Verticals Targeted: Energy
Executive Summary
HellCat ransomware recently targeted French energy giant Schneider Electric. PolySwarm analysts consider HellCat to be an emerging threat.
Key Takeaways
- HellCat ransomware was recently observed targeting the energy vertical.
- HellCat reportedly managed to access Schneider Electric's developer platform, stealing over 40GB of data from the company’s JIRA server.
- A HellCat affiliate indicated HellCat is a rebrand of Grep, and an industry source categorizes HellCat as part of the HellDown ransomware family.
- PolySwarm analysts consider HellCat to be an emerging and evolving threat.
What is HellCat?
HellCat ransomware recently targeted French energy giant Schneider Electric. Multiple cybersecurity news sources, including The Register, reported on this incident. PolySwarm analysts consider HellCat to be an emerging and evolving threat.
Industry reports currently have few technical details on HellCat ransomware or the attack vector used to target Schneider Electric. HellCat reportedly managed to access Schneider Electric's developer platform and stole over 40GB of data from the company’s JIRA server. On HellCat’s extortion site, the threat actors behind the attack noted that critical data was stolen in the breach, including projects, plugins, issues, and over 400,000 rows of user data.
HellCat is using a double extortion model, threatening to leak the stolen data if the ransom is not paid. HellCat made the unusual demand that the $125,000 ransom be paid in baguettes rather than currency or cryptocurrency. In addition to targeting Schneider Electric, HellCat has reportedly targeted entities in the government and education verticals. Targets have been located in France, Tanzania, Jordan, and Israel.
HellCat’s Origins
According to BleepingComputer, HellCat is a rebrand of the threat actor group Grep. A Grep affiliate reportedly told BleepingComputer the group had initially rebranded to International Contract Agency (ICA). After learning ICA is also the acronym of an Islamic extremist group, the threat actors rebranded yet again, settling on the name HellCat. The affiliate who spoke to BleepingComputer also noted the threat actors historically did not extort their victims. According to the affiliate, the group only recently developed and began using their encryptor.
One industry source tagged HellCat as being the same as HellDown+++, which appears to refer to HellDown ransomware. HellDown ransomware was first observed in August 2024 and is associated with a threat actor known as Greppy. Despite exhibiting a moderate level of sophistication, the group appears to target opportunistically. HellDown has been observed targeting entities in the NGO, manufacturing, healthcare, energy, business services, telecommunications, transportation, and education verticals.
IOCs
PolySwarm has a sample of HellCat.
6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd
You can use the following CLI command to search for all HellCat samples in our portal:
$ polyswarm link list -f HellCat