
Emerging Hellcat Ransomware Group Targets Government Entities and High-Revenue Organizations

Recently, a screenshot surfaced publicly revealing that the Hellcat group has developed its own ransomware, with potential activity expected to emerge in 2025. Curious to learn more, we reached out to Miyako, one of the administrators of the Hellcat ransomware group, for a conversation. Miyako revealed that the ransomware group plans to focus primarily on government entities and high-revenue organizations as their targets.

Hellcat Leak Site


Tactics, Techniques, and Procedures (TTPs)

The conversation revealed one of the group's Tactics, Techniques, and Procedures (TTPs) used to infiltrate an Indonesian government entity. Initial access was obtained on the firewall by exploiting a recently disclosed authentication bypass vulnerability in Palo Alto Networks PAN-OS software, tracked as CVE-2024-0012. From the compromised server the attackers moved laterally into the database server. This pivoting technique is common among attackers seeking valuable data stored on separate systems.


Further, the attackers discovered a Firebird database system with default credentials.

Username: SYSDBA
Password: [redacted]

Using these credentials, the attacker gained full access to the database files.

Screenshot of Data dump from Firebird database, shared by Miyako

The database server stored its backups on the same server, which is a poor security practice.
The attacker exfiltrated approximately 82GB of data and stopped early, judging the remaining data (backups from 2017 and earlier) to be unimportant.

Without access to an automated ransomware locker, the attacker manually encrypted and deleted files after exfiltration.

The following screenshots have been shared by Miyako.

What Led to the Attack

  • The presence of a known RCE vulnerability in the web application.
  • Use of default database credentials (SYSDBA:<REDACTED>).
  • Storing backups on the same server as production systems.

Future Plans

The actor mentioned plans to launch a RaaS operation, indicating this attack could be a proof-of-concept or precursor to a more automated campaign.

Key Takeaways:

  • Prevention: Ensure timely patching of RCE vulnerabilities and adopt strong access controls, including non-default credentials for critical systems.
  • Detection: Implement continuous monitoring to detect and respond to unusual behavior, such as exfiltration and lateral movement.
  • Hardening: Separate backup storage systems from production environments and encrypt backup data for added protection.
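As an added example (not code from the article or from the Hellcat group), the Python detector below shows how the "Detection" takeaway could be applied to the two behaviours in this case: an unexpected host (here the firewall, 10.0.0.1) connecting to the Firebird port 3050 on the database server, and an internal host sending an exfiltration-scale volume of data to the internet. The flow records, host addresses, the allow-list of database clients and the 10 GB alert threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed flow records (not from the article): timestamp, src, dst, dst_port, bytes.
SAMPLE_FLOWS = """\
2024-11-20T01:02:03Z 10.0.0.1 10.0.5.20 3050 1200
2024-11-20T01:02:09Z 10.0.0.1 10.0.5.20 3050 8400
2024-11-20T01:05:00Z 10.0.2.15 10.0.5.20 3050 2100
2024-11-20T02:10:00Z 10.0.5.20 203.0.113.7 443 45000000000
2024-11-20T02:40:00Z 10.0.5.20 203.0.113.7 443 37000000000
2024-11-20T03:00:00Z 10.0.2.15 10.0.5.20 3050 900
"""

FIREBIRD_PORT = 3050                      # default Firebird listener port
ALLOWED_DB_CLIENTS = {"10.0.2.15"}        # assumption: only the app server may reach the DB
EXFIL_THRESHOLD_BYTES = 10 * 1024 ** 3    # assumption: 10 GiB outbound from one host is abnormal

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, nbytes = m.groups()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    """Assumption: the 10.0.0.0/8 range is the internal network."""
    return ip.startswith("10.")


def detect(flows):
    """Return alerts for unexpected DB clients and for hosts exceeding the outbound threshold."""
    alerts, seen_pairs = [], set()
    outbound = defaultdict(int)
    for f in flows:
        # Lateral movement: a host outside the allow-list talking to the Firebird port.
        if f["port"] == FIREBIRD_PORT and f["src"] not in ALLOWED_DB_CLIENTS:
            pair = (f["src"], f["dst"])
            if pair not in seen_pairs:
                seen_pairs.add(pair)
                alerts.append(("unexpected_db_client", f["src"], f["dst"]))
        # Exfiltration: accumulate bytes leaving the internal network per source host.
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[f["src"]] += f["bytes"]
    for host, total in outbound.items():
        if total >= EXFIL_THRESHOLD_BYTES:
            alerts.append(("possible_exfiltration", host, total))
    return alerts
```

Running `detect(parse_flows(SAMPLE_FLOWS))` yields one lateral-movement alert for the firewall address and one exfiltration alert for the database server, which in this sample pushed 82 GB out to a single external address.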

The TTPs in a Nutshell:

Reconnaissance

T1595.002: Active Scanning
T1590.002: Gather Victim Network Information

Authentication Bypass to RCE

T1190: Exploit Public-Facing Application

Pivoting

T1570: Lateral Tool Transfer

Finding Databases

T1046: Network Service Scanning

Credential Access

T1078.001: Valid Accounts: Default Accounts

Exfiltrating Databases

T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Encrypting Data

T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery

Deploying Ransom Note

T1491.002: Defacement: Internal Defacement

Disclaimer

This interview is provided for informational purposes only and does not express approval, support or agreement with any actions mentioned in the text. The author of the publication is not related to the activities described in the interview and is not responsible for any consequences of using the information provided.

The interview materials are intended to raise public awareness of modern cyber threats and the methods of cybercriminal groups. The publication of this text does not constitute propaganda of illegal activity and does not encourage violation of laws.

Readers are advised to always observe legal regulations and consult with the appropriate authorities if they have questions about the topics covered in this interview.

