The notorious HellCat ransomware group has launched a wave of sophisticated attacks targeting Jira project management systems across major corporations. This relatively new ransomware-as-a-service operation emerged in mid-2024 but has already claimed impressive victims. Schneider Electric, Telefónica, Orange Group – the list reads like a who’s who of corporate giants. Not exactly small fish.
HellCat’s method is surprisingly simple. They exploit compromised Jira credentials harvested from infected employee devices. Some of these credentials have been floating around since 2021. Seriously. Years-old passwords still working – companies might want to rethink their password policies.
The group’s tactics go beyond simple data theft. After stealing sensitive information like source code and customer data, they implement a double extortion approach. Pay up or watch your dirty laundry get aired to the world. Their hauls are significant: 40GB from Schneider Electric, 700 internal documents from Jaguar Land Rover, and 6.5GB of corporate data from Orange Group.
What makes HellCat unique is their psychological warfare. They’ve made bizarre ransom demands like “$125,000 in baguettes” from Schneider Electric. They publicly taunt executives on social media and strategically leak data in stages to maximize pressure. It’s ransomware with a side of humiliation.
The attack chain typically begins with infostealer malware like Lumma, distributed through phishing or malicious downloads. Once credentials are captured, HellCat accesses Jira, exfiltrates data, and moves laterally through networks to escalate privileges. Vulnerability scanners like Nessus and Qualys could have identified these security gaps before exploitation occurred. Their recent attack on Schneider Electric resulted in over 400,000 rows of user details being exposed on the dark web.
Tanzania’s College of Business Education fell victim too, with 500,000 records compromised. The education sector joins government and energy as prime targets.
The hackers recently claimed to have stolen approximately 44GB of data from Ascom, adding another telecommunications giant to their list of victims. Companies aren’t helpless, though. Multi-factor authentication, regular credential rotation, and network segmentation could stop these attacks. But until organizations take Jira security seriously, HellCat will keep feasting on corporate data. And they’re not likely to run out of targets anytime soon.
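The audit below is an added example, not taken from the article or from any vendor tool: it cross-checks a Jira account inventory against infostealer exposure dates to find passwords that were never rotated after being stolen, which is the condition that lets years-old credentials keep working. The account records, exposure dates, field names and the 90-day rotation policy are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): a Jira account inventory and
# the date each username was seen in an infostealer log.
ACCOUNTS = [
    {"user": "a.martin", "password_changed": date(2021, 3, 14), "mfa": False},
    {"user": "b.okafor", "password_changed": date(2025, 1, 10), "mfa": True},
    {"user": "c.silva", "password_changed": date(2022, 6, 30), "mfa": True},
    {"user": "d.nguyen", "password_changed": date(2025, 1, 20), "mfa": False},
]
EXPOSURES = {"a.martin": date(2021, 9, 1), "c.silva": date(2023, 2, 10),
             "d.nguyen": date(2024, 8, 5)}
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy


def audit(accounts, exposures, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (severity, user, reasons) tuples, most urgent first."""
    findings = []
    for acct in accounts:
        reasons = []
        exposed_on = exposures.get(acct["user"])
        # A password set on or before the exposure date is the one the stealer captured.
        still_valid = exposed_on is not None and acct["password_changed"] <= exposed_on
        if still_valid:
            reasons.append(f"password unchanged since exposure on {exposed_on}")
        age = (today - acct["password_changed"]).days
        if age > max_age_days:
            reasons.append(f"password is {age} days old")
        if not acct["mfa"]:
            reasons.append("no MFA")
        if not reasons:
            continue
        if still_valid and not acct["mfa"]:
            severity = "critical"  # the stolen password alone grants access
        elif still_valid:
            severity = "high"      # MFA is the only remaining barrier
        else:
            severity = "medium"
        findings.append((severity, acct["user"], reasons))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, user, reasons in audit(ACCOUNTS, EXPOSURES, date(2025, 3, 1)):
        print(f"{severity:8} {user:10} {'; '.join(reasons)}")
```

Accounts rated critical should have their password reset and active sessions revoked first, since nothing but the stolen password stands between the attacker and Jira.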