Hellcat Ransomware


Summary
In October 2024, researchers identified a new ransomware group, "Hellcat", which employs double extortion tactics by encrypting data and threatening to release it unless a ransom is paid. The Hellcat ransomware group quickly captured widespread attention by targeting prominent organizations, including government bodies, educational institutions, and large corporations. Known for infiltrating sensitive systems, Hellcat exfiltrates vast amounts of critical data and leverages this by threatening public exposure unless ransom demands are fulfilled. In line with typical ransomware tactics, they often release a portion of the stolen data on the dark web to attract attention, increase pressure on their victims, and boost their group's visibility.
Technical Detail
Upon execution, the ransomware extracts its configuration settings from the Data section of the binary. The configuration includes several parameters, such as a ransom note and other settings that define the ransomware's behavior during execution. The configuration contains the following parameters.
After extracting the configuration, the ransomware drops a .bat file named "1.bat" in the "C:\ProgramData" directory, which is used to stop the services listed in the configuration. The image below shows the content of the BAT file and the names of the services to be stopped.
Furthermore, the ransomware also stops additional services related to backup, security, and database management tools, as specified in the configuration strings.
Before initiating encryption, the ransomware retrieves a list of files and file extensions to be excluded from the encryption process from the configuration. The image below displays the file extensions that are excluded from encryption.
It also retrieves the following list of directories from the configuration, which are excluded from the encryption process.
Finally, the Hellcat ransomware proceeds with encrypting all identified files on the victim's system. Once encryption is complete, the extension ".FGqogsxF" is added to each encrypted file, as shown below.
Then the ransomware creates a ransom note named "Readme.FGqogsxF.txt".
The note provides instructions on how to contact the attackers to pay the ransom and warns that if the ransom is not paid, the victim’s data may be published on a leak site.
Additionally, the ransomware deletes the system's Shadow Copies, as shown in the figure below, effectively blocking any file recovery attempts.
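The behaviours described in this section (a batch file dropped in C:\ProgramData and executed, services stopped, shadow copies deleted, files renamed with the ".FGqogsxF" extension and the "Readme.FGqogsxF.txt" note written) can be turned into a small hunting script for endpoint telemetry. The following is an added example and is not code from the original post or from FPT Metrodata Indonesia. The log format (pipe-separated timestamp, host, event type, image, command line or target path) and the sample events are constructed for illustration, and the command shapes used for service stopping and shadow-copy deletion are an assumption, since the post shows those only as images; the extension, note name and batch-file path come from the report itself.

```python
"""Hunt for the Hellcat behaviours described above in process-creation and file-creation events.

Added example, not from the original post. Log lines are constructed to resemble a
simplified EDR/Sysmon export; the field layout is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the report.
RANSOM_EXT = ".FGqogsxF"
RANSOM_NOTE = "Readme.FGqogsxF.txt"
DROPPED_BAT = r"C:\ProgramData\1.bat"

# Assumption: typical command shapes for stopping services and deleting shadow copies.
# The post shows the batch-file content and the shadow-copy deletion only as images.
SERVICE_STOP_RE = re.compile(r"\b(net1?\s+stop|sc(\.exe)?\s+stop)\b", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy)",
    re.IGNORECASE,
)

# Constructed sample telemetry. "sample.exe" is a placeholder for the ransomware binary.
SAMPLE_LOG = """\
2024-10-14T09:12:01Z|WS-042|FileCreate|C:\\Users\\Public\\sample.exe|C:\\ProgramData\\1.bat
2024-10-14T09:12:02Z|WS-042|ProcessCreate|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\ProgramData\\1.bat
2024-10-14T09:12:03Z|WS-042|ProcessCreate|C:\\Windows\\System32\\net.exe|net stop "Backup Service"
2024-10-14T09:12:04Z|WS-042|ProcessCreate|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-10-14T09:12:10Z|WS-042|FileCreate|C:\\Users\\Public\\sample.exe|C:\\Users\\alice\\Documents\\report.docx.FGqogsxF
2024-10-14T09:12:11Z|WS-042|FileCreate|C:\\Users\\Public\\sample.exe|C:\\Users\\alice\\Documents\\budget.xlsx.FGqogsxF
2024-10-14T09:12:12Z|WS-042|FileCreate|C:\\Users\\Public\\sample.exe|C:\\Users\\alice\\Documents\\Readme.FGqogsxF.txt
2024-10-14T09:30:00Z|WS-007|ProcessCreate|C:\\Windows\\System32\\net.exe|net start Spooler
"""


@dataclass
class Finding:
    rule: str
    host: str
    evidence: str


def parse_event(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, etype, image, detail = parts
    return {"ts": ts, "host": host, "type": etype, "image": image, "detail": detail}


def hunt(lines):
    """Return one Finding per event that matches a Hellcat behaviour."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, detail = ev["host"], ev["detail"]
        if ev["type"] == "FileCreate":
            if detail.lower() == DROPPED_BAT.lower():
                findings.append(Finding("bat_dropped_in_programdata", host, detail))
            elif detail.endswith(RANSOM_NOTE):
                findings.append(Finding("ransom_note_created", host, detail))
            elif detail.endswith(RANSOM_EXT):
                findings.append(Finding("encrypted_file_extension", host, detail))
        elif ev["type"] == "ProcessCreate":
            if ev["image"].lower().endswith("cmd.exe") and "1.bat" in detail.lower():
                findings.append(Finding("bat_executed", host, detail))
            if SERVICE_STOP_RE.search(detail):
                findings.append(Finding("service_stop", host, detail))
            if SHADOW_DELETE_RE.search(detail):
                findings.append(Finding("shadow_copy_deletion", host, detail))
    return findings


def hosts_with_encryption_activity(findings, threshold=10):
    """Hosts that wrote the ransom note or renamed at least `threshold` files to the ransom extension."""
    counts = Counter(f.host for f in findings if f.rule == "encrypted_file_extension")
    noted = {f.host for f in findings if f.rule == "ransom_note_created"}
    return {h for h, n in counts.items() if n >= threshold} | noted


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.host}  {f.rule:28s}  {f.evidence}")
    print("hosts with encryption activity:", hosts_with_encryption_activity(results, threshold=2))
```

In production the encrypted-extension threshold should be set well above 2; the low value here only makes the constructed sample trip it. The service-stop rule fires on any `net stop` or `sc stop`, so on real telemetry it is best correlated with the batch-file and shadow-copy findings on the same host rather than alerted on alone.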
Conclusion
The emergence of new ransomware groups, such as Hellcat, highlights a growing trend in cybercrime where threat actors not only encrypt data but also leverage leak sites to increase pressure on victims. By exfiltrating sensitive information and threatening its public release unless a ransom is paid, these groups intensify the financial and reputational risks for organizations.