
Recently, a screenshot surfaced publicly revealing that the Hellcat group has developed its own ransomware, with potential activity expected to emerge in 2025. Curious to learn more, we reached out to Miyako, one of the administrators of the Hellcat ransomware group, for a conversation. Miyako revealed that the ransomware group plans to focus primarily on government entities and high-revenue organizations as their targets.

Tactics, Techniques, and Procedures (TTPs)
The conversation revealed one of the group's Tactics, Techniques, and Procedures (TTPs) employed to infiltrate an Indonesian government entity. Initial access was obtained on the firewall by exploiting a recently disclosed authentication bypass vulnerability in Palo Alto Networks PAN-OS software, tracked as CVE-2024-0012. From the compromised device, the attackers moved laterally to the database server. This pivoting technique is common among attackers aiming to reach valuable data stored on separate systems.

Further, the attackers discovered a Firebird database system with default credentials:
- Username: SYSDBA
- Password: [redacted]
Using these credentials, the attacker gained full access to the database files.

The database server stored its backups on the same server, which is a poor security practice.
The attacker exfiltrated approximately 82GB of data, stopping early because the remaining data (backups from 2017 and earlier) was judged unimportant.
Without access to an automated ransomware locker, the attacker manually encrypted and deleted files after exfiltration.
The following screenshots have been shared by Miyako.



What Led to the Attack
- The presence of a known RCE vulnerability in the web application.
- Use of default database credentials (SYSDBA:[redacted]).
- Storing backups on the same server as production systems.
Future Plans
The actor mentioned plans to launch a RaaS operation, indicating this attack could be a proof-of-concept or precursor to a more automated campaign.
Key Takeaways:
- Prevention: Ensure timely patching of RCE vulnerabilities and adopt strong access controls, including non-default credentials for critical systems.
- Detection: Implement continuous monitoring to detect and respond to unusual behavior, such as exfiltration and lateral movement.
- Hardening: Separate backup storage systems from production environments and encrypt backup data for added protection.
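The detection takeaway above can be made concrete by correlating the three signals this intrusion chain produces: a management-interface login on the firewall from an unexpected source, a SYSDBA session on the Firebird port opened from a host that should never administer the database, and outbound volume from the database server far above normal. The script below is an added illustration, not code from the article or from any vendor; the log format, host names, allowlists and the 10 GiB threshold are constructed assumptions.

```python
"""Detection sketch for the chain described above: firewall management-interface
access, a Firebird SYSDBA connection from an unexpected host, and large outbound
transfers from the database server. Event format and hosts are constructed."""
from collections import defaultdict

# Constructed, normalized events: (timestamp, event_type, src, dst, detail)
SAMPLE_EVENTS = [
    ("2024-11-20T01:02:00", "fw_mgmt_login", "203.0.113.7", "fw01", "admin"),
    ("2024-11-20T01:10:00", "db_connect", "fw01", "db01:3050", "SYSDBA"),
    ("2024-11-20T01:15:00", "netflow", "db01", "198.51.100.9", "41000000000"),
    ("2024-11-20T02:00:00", "netflow", "db01", "198.51.100.9", "41000000000"),
    ("2024-11-20T09:00:00", "db_connect", "adminws", "db01:3050", "SYSDBA"),
]

MGMT_ALLOWLIST = {"10.0.0.5"}          # hosts allowed to reach the firewall management UI
DBA_ALLOWLIST = {"adminws"}             # hosts allowed to open SYSDBA sessions
EXFIL_THRESHOLD_BYTES = 10 * 1024**3    # 10 GiB outbound per source in the window


def analyze(events):
    """Return a list of (rule, host, detail) findings for the given events."""
    findings = []
    outbound = defaultdict(int)  # bytes sent per source host
    for ts, kind, src, dst, detail in events:
        if kind == "fw_mgmt_login" and src not in MGMT_ALLOWLIST:
            findings.append(("mgmt-login-unexpected-source", src, f"{dst} as {detail} at {ts}"))
        elif kind == "db_connect" and detail == "SYSDBA" and src not in DBA_ALLOWLIST:
            findings.append(("sysdba-from-unexpected-host", src, f"{dst} at {ts}"))
        elif kind == "netflow":
            outbound[src] += int(detail)
    # Volume is summed over the whole window, so two 41 GB flows trip the rule
    for host, total in outbound.items():
        if total > EXFIL_THRESHOLD_BYTES:
            findings.append(("outbound-volume-exceeds-threshold", host, f"{total} bytes"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {host} ({detail})")
```

The legitimate SYSDBA session from the allowlisted administrator workstation produces no finding, which is the point of keeping allowlists rather than alerting on every privileged login.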
The TTPs in a Nutshell:
Reconnaissance
T1595.002: Active Scanning
T1590.002: Gather Victim Network Information
Authorization Bypass to RCE
T1190: Exploit Public-Facing Application
Pivoting
T1570: Lateral Tool Transfer
Finding Databases
T1046: Network Service Scanning
Credential Access
T1078.001: Valid Accounts: Default Accounts
Exfiltrating Databases
T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Encrypting Data
T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
Deploying Ransom Note
T1491.002: Defacement: Internal Defacement
Disclaimer
This interview is provided for informational purposes only and does not express approval, support or agreement with any actions mentioned in the text. The author of the publication is not related to the activities described in the interview and is not responsible for any consequences of using the information provided.
The interview materials are intended to raise public awareness of modern cyber threats and the methods of cybercriminal groups. The publication of this text does not constitute propaganda of illegal activity and does not encourage violation of laws.
Readers are advised to always observe legal regulations and consult with the appropriate authorities if they have questions about the topics covered in this interview.