1. Overview
Hellcat is a newly emerged ransomware group active since early 2024, known for its use of double extortion tactics and aggressive targeting of vulnerable infrastructure. Despite its relative youth in the cyber threat landscape, Hellcat has already demonstrated notable sophistication, including support for cross-platform environments and tailored encryption payloads for specific enterprise systems.
Hellcat has targeted victims across Europe, North America, and Southeast Asia, with particular emphasis on education, financial services, managed service providers, and engineering firms. The group operates a closed ransomware model, indicating internal execution rather than a public affiliate-based Ransomware-as-a-Service (RaaS) structure.
2. Origin and Evolution
Hellcat was first identified in the wild in February 2024, after an intrusion at a UK-based university resulted in the exfiltration and encryption of sensitive student data and research archives. Early samples of the group’s ransomware shared obfuscation and delivery characteristics with Cl0p and BlackCat, suggesting that experienced developers may be involved.
Since its emergence, Hellcat has expanded its capabilities to include payloads for Windows and Linux/ESXi environments, making it a threat to hybrid infrastructures. Its leak site, styled with overtly antagonistic branding, reflects a desire not only to extort, but to publicly shame and disrupt.
3. Tactics, Techniques, and Procedures (TTPs)
Hellcat follows a mature and deliberate attack chain, combining stealth, lateral movement, and staged payload deployment:
- Initial Access:
Exploitation of known vulnerabilities in web applications (T1190), brute force attacks on RDP/VPN portals (T1110), and phishing campaigns (T1566.001) with spoofed invoices or MFA bypass lures.
- Lateral Movement:
Use of RDP, Cobalt Strike, PsExec, and Remote WMI for lateral traversal (T1021), often preceded by credential harvesting with Mimikatz and LSASS dumps (T1003).
- Data Exfiltration:
Data is extracted using Rclone, WinSCP, or custom exfiltration scripts, often staged in compressed archives for bulk transfer (T1041).
- Encryption:
The ransomware payloads use hybrid AES-RSA encryption. Extensions such as .hellcat or .hcat are appended to locked files. In many cases, encryption is staged per subnet to maximise disruption.
- Persistence & Evasion:
Use of LOLBins, scheduled tasks, and registry key modifications (T1112). Shadow copy deletion (T1490) is used to inhibit recovery.
4. Targeting Profile
Hellcat shows a preference for:
- Educational institutions and research bodies
- Financial service providers and private equity firms
- Engineering and manufacturing companies
- IT service providers and cloud infrastructure vendors
UK organisations in education and finance have already been listed on Hellcat’s leak site, underscoring the group’s intent to pressure via public exposure.
5. Notable Campaigns and Victims
Due to its recent emergence, Hellcat’s campaign history is still unfolding. However, known incidents include:
- A UK-based university, with over 2TB of research data and student records stolen and partially leaked
- A German engineering consultancy, where internal CAD designs and client IP were exfiltrated
- A Southeast Asian managed services provider, where the group threatened client data exposure to multiply extortion pressure
In each case, Hellcat contacted victims via a TOR-based portal and published countdown timers alongside sample data leaks.
6. Ransomware and Leak Site Behaviour
Hellcat’s dark web leak portal features:
- A scrolling list of victim logos and brief attack summaries
- Countdown timers before full data publication
- Download links to sample stolen files
- A reputation system for “proof-of-breach” visibility
The group employs double extortion: encrypting the environment and threatening the release of stolen data. Ransom demands reportedly range from £250,000 to £3 million, and may vary based on the victim’s industry, size, and perceived recovery capability.
7. Technical Indicators
While campaign-specific, observed indicators of compromise include:
- File extensions: .hellcat, .hcat
- Executables dropped to %Temp% or %AppData% with randomised names
- Use of rclone.exe and 7zip.exe for data compression and exfiltration
- Registry edits disabling antivirus and recovery tools
- Outbound C2 communication over port 443 to bulletproof hosting
Updated detection signatures and IOC packs are maintained by UK Cyber Defence Ltd.
8. Defensive Measures and Recommendations
To protect against Hellcat ransomware:
- Enforce MFA on all external access points and administrator logins
- Patch all internet-facing systems, especially VPNs, Exchange servers, and legacy web apps
- Monitor for PowerShell misuse, suspicious RDP activity, and PsExec usage
- Deploy EDR/XDR platforms with behavioural detection rules
- Maintain offline backups, tested and segmented from the core network
- Run regular incident response exercises, including data breach simulation
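As an added illustration of how the section 7 indicators and the section 8 monitoring advice translate into detection logic (this is example code, not a UK Cyber Defence Ltd signature or IOC pack), the following Python triages constructed Sysmon-style process, network and file events. The event layout, the randomised-name heuristic, the tool list (the page's rclone.exe and 7zip.exe, plus the assumed names 7z.exe, winscp.exe, psexec.exe and psexesvc.exe) and the vssadmin command pattern are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath
# Constructed Sysmon-style events (no real incident data); EventID 1/3/11 = process create/network connect/file create.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\xk3q9zt.exe", "CommandLine": "xk3q9zt.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\finance remote:drop"},
    {"EventID": 1, "Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe \\FS01 -s cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\xk3q9zt.exe", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\xk3q9zt.exe",
     "TargetFilename": r"D:\finance\Q1-report.xlsx.hellcat"},
]

RANSOM_EXTS = (".hellcat", ".hcat")                                  # extensions listed in section 7
EXFIL_TOOLS = {"rclone.exe", "7zip.exe", "7z.exe", "winscp.exe"}     # page tooling plus assumed binary names
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe"}                       # PsExec client and its service (assumed)
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)     # %Temp% / %AppData% drop locations
RANDOM_NAME = re.compile(r"^[a-z0-9]{6,}$")                          # heuristic for randomised dropper names

def looks_random(stem: str) -> bool:
    """Heuristic: lowercase alphanumeric name mixing letters and digits (e.g. xk3q9zt)."""
    return bool(RANDOM_NAME.match(stem)) and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)

def classify(event: dict) -> list[str]:
    """Return the indicator tags one event matches; an empty list means nothing suspicious."""
    tags = []
    image = PureWindowsPath(event.get("Image", ""))
    name = image.name.lower()
    staged = bool(USER_WRITABLE.search(str(image)))       # binary runs from a user-writable drop path
    if event["EventID"] == 1:
        if staged and looks_random(image.stem):
            tags.append("exec_from_user_writable_random_name")
        if name in EXFIL_TOOLS:
            tags.append("exfil_tool_execution_T1041")
        if name in LATERAL_TOOLS:
            tags.append("psexec_usage_T1021")
        if name == "vssadmin.exe" and "delete shadows" in event.get("CommandLine", "").lower():
            tags.append("shadow_copy_deletion_T1490")
    elif event["EventID"] == 3 and staged and event.get("DestinationPort") == 443:
        tags.append("https_egress_from_staged_binary")   # port 443 alone is noise; from a staged binary it is not
    elif event["EventID"] == 11 and event.get("TargetFilename", "").lower().endswith(RANSOM_EXTS):
        tags.append("ransom_extension_written")
    return tags

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:   # batch mode: (index, tags) per matching event
    return [(i, t) for i, e in enumerate(events) if (t := classify(e))]
```

The single-event rules are deliberately narrow; in production the staged-binary and port-443 signals would be correlated by process GUID rather than matched on one event each.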
9. Attribution and Alliances
Hellcat has not been linked to a known ransomware collective or nation-state. However, based on similarities in malware behaviour and staging infrastructure, there may be loose operational links to ex-Conti or Cl0p affiliates. The group currently operates a closed model, with no known affiliate recruitment efforts.
10. Conclusion
Hellcat is a rising ransomware threat with a clear focus on data-rich, lightly defended environments. Its use of double extortion, public exposure tactics, and sophisticated payloads marks it as a credible and growing concern for UK and global organisations. Continuous detection, privileged access management, and a tested incident response plan remain essential in mitigating this adversary.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025