New Hellcat Ransomware Gang Employs Humiliation Tactics


The recently emerged HellCat ransomware gang is using psychological tactics to court public attention and pressure victims to pay extortion demands.

This is according to an analysis of the ransomware-as-a-service (RaaS) group by Cato Networks, published on January 28.

The group, which emerged in mid-2024, has so far focused on high-value targets, such as government and critical sectors like energy and education.

Speaking to Infosecurity, Etay Maor, Chief Security Strategist at Cato Networks, noted the connection between HellCat’s choice of victims and those who are typical targets of nation-state actors.

HellCat has utilized novel ransomware demands to gain direct media coverage of their activities. This includes demanding $125,000 in “baguettes” from French energy giant Schneider Electric after exfiltrating more than 40GB of sensitive data from the firm.

“Humiliation is a major psychological tactic leveraged by Hellcat,” Maor noted in the Cato Networks blog.

Maor said that the psychological approach used by HellCat marked a “troubling shift” in the ransomware ecosystem.

Other ransomware actors have employed novel approaches to gain media attention and increase pressure on victims in recent years. This includes the BlackCat gang reporting one of its victims, MeridianLink, to the US Securities and Exchange Commission (SEC).

Double Extortion and Vulnerability Exploitation

HellCat and its affiliates deploy double-extortion tactics, with a focus on exfiltrating data before encrypting systems.

The research highlighted that, in several cases in November and December 2024, the group had posted root access to compromised victims’ servers for sale on dark web forums.

This included a major US university with annual revenue exceeding $5.6bn, a French energy distribution firm with an annual revenue exceeding $7bn and the Iraq City government.

Such access could result in sensitive data being stolen and critical systems being disrupted.

Maor told Infosecurity that this approach is separate from publishing or threatening to publish victims’ data but is a typical tactic used by RaaS operators.

“The attackers are offering root access to servers (in many cases to the firewall servers that are supposed to keep them out), thereby offering potential affiliates to have access to the target’s network and perform a ransomware attack,” he explained.

HellCat has also been observed exploiting vulnerabilities in enterprise software tools to gain initial access into systems. This included infiltrating the internal Jira project management system of Schneider Electric.

Privilege escalation to root or admin levels has also been used to enable persistence and move laterally within a network.

Research in January 2025 by SentinelOne highlighted similarities in the malware and other tactics used by HellCat and another ransomware group, Morpheus, suggesting the groups’ affiliates are using shared infrastructure.

HellCat actors were reportedly behind a ransomware attack on telco giant Telefónica in January 2025, resulting in over 236,000 lines of customer data being stolen. The attackers posted an exfiltrated Jira database on a hacking forum.


