In the increasingly fragmented world of cybercrime, distinguishing between reality, propaganda, and misappropriations has become as crucial as the technical analysis of attacks themselves. SuspectFile.com has recently conducted an investigation into two well-known figures in the underground scene: “Rey” and “grep”, both affiliated with the ransomware group HellCat, according to a group representative.
The investigation focused on two distinct cyberattacks: one targeting the company “Orange”, publicly claimed by Rey, and the other against “HighWire Press”, whose data breach was initially disclosed by grep on BreachForums, later echoed by the controversial group Babuk2. Both incidents raised concerns and sparked cross-accusations, especially due to the apparent overlap with other claims, such as those made by Babuk2. To clarify the situation, SuspectFile.com directly contacted HellCat via the encrypted platform Tox, posing a series of 15 questions, some aimed at understanding the internal workings of the group, its affiliations, operational methods, and victim claim management dynamics.
While technical questions went unanswered, HellCat provided detailed statements regarding the two attacks in question. The group confirmed that both Rey and grep are indeed members of HellCat. Specifically, it was revealed that grep was also responsible for the attack on Schneider Electric. Concerning the HighWire Press incident, HellCat justified its claim by stating that additional systems had been compromised following the initial data leak, leading to a larger volume of exfiltrated data than what was initially released by grep.
Another significant element that emerged during the conversation was Babuk2’s publication of a portion of the HighWire Press database. This raised doubts about the possibility that the data had been sold to third parties, fueling suspicions of a parallel market for stolen data. In response, HellCat firmly denied any data transaction with Babuk2, stating that the only recipient of the full database dump was cybersecurity researcher Troy Hunt, founder of Have I Been Pwned. The group also ridiculed the idea that Babuk2 could have obtained the files from Hunt, asserting that the rival group’s post contained nothing more than a “tree list” — a simple file directory structure — already present in grep’s original publication.
This case highlighted a concerning phenomenon: the growing confusion of sources, where secondary actors, manipulators, and fantasists contribute to distorting the true dynamics of cyberattacks. Overlapping claims and opportunistic actors, who republish others’ attacks to boost their visibility, pose significant risks to both victims and researchers monitoring the ransomware ecosystem.
The investigation also clarified another crucial aspect: HellCat’s operational structure appears to be less fragmented than initially assumed. The group’s acknowledgment of Rey and grep as direct members confirms a significant degree of centralization, with affiliates acting under internal coordination, even though they occasionally maintain their own presence on underground forums. HellCat strongly defended the authorship of the attacks, avoiding any ambiguity in credit distribution among its members.
However, the group chose to remain silent regarding its intrusion methods, exfiltration techniques, and tools used to obfuscate operations. None of the questions relating to exploited CVEs, phishing strategies, or tunneling methods received a response.
This case underscores the ongoing tension that ransomware groups face between maintaining a strong reputation — essential for securing payments, intimidating victims, and attracting new affiliates — and protecting the opacity of their operations. In this delicate balance, public claims become strategic tools for asserting control and visibility. Despite maintaining a low profile, it is clear that HellCat understands the importance of managing information and reputation, two key levers in the digital extortion economy.
The interaction with HellCat, while not revealing technical secrets, offered valuable insight into the group’s internal structure and communication strategy. In an increasingly confused landscape, where real victims often bear the cost of manipulations and misappropriations, the clarity of sources and transparency are essential for an accurate understanding and to mitigate the risks associated with ransomware attacks.
SuspectFile.com – HellCat recently published the victim “HighWire Press,” even though it had already been exposed earlier by the user “grep” on BreachForums in February and by the Babuk2 group in March. What is your justification for this republishing, considering that other entities had already addressed the incident?
HellCat – Grep is a HellCat operator. Although the purpose of this question is not entirely clear, it is important to note that the breach has since expanded to compromise additional HighWire Press systems, providing us with far more data than the initial database that Grep had offered for sale.
SuspectFile.com – What advanced infiltration techniques do you typically use to access the victims’ networks? Do you exploit known vulnerabilities (CVEs), zero-day exploits, or rely on social engineering attacks like phishing for initial access?
HellCat – HellCat did not respond
SuspectFile.com – Babuk2 has been accused of claiming attacks that were already documented by other groups. Has HellCat ever claimed attacks based on data compromised by other actors? How do you verify the authenticity of the data you publish to avoid accusations of theft or plagiarism?
HellCat – Am I supposed to prove my attacks? If so, just wait for the deadline to end and download the data—nothing more. We already have a profile.
SuspectFile.com – What mechanisms do you implement to ensure that the ransom payment always leads to the delivery of the decryption key? What measures do you take to protect victims from potential fraud during the ransom transaction?
HellCat – HellCat did not respond
SuspectFile.com – What data exfiltration techniques do you use when accessing victims’ networks? Do you rely on methods like DNS tunneling, VPN tunneling, or exfiltration through lesser-known channels to avoid detection?
HellCat – HellCat did not respond
SuspectFile.com – Has HellCat ever had an operational relationship with the user “Rey” on BreachForums? Rey has claimed to be the author of the attack on “Orange.” Is Rey an independent actor, or an affiliate of HellCat? What is your process for interacting with other cybercriminals on platforms like BreachForums?
HellCat – By looking at past attacks, you can easily see that yes, Rey is a HellCat operator and developer.
SuspectFile.com – When planning an attack, how do you assess the victim’s IT infrastructure to choose the best exfiltration strategy? Do you focus on specific vulnerabilities, such as open RDP, compromised VPNs, or other misconfigurations, to exploit them during the attack?
HellCat – HellCat did not respond
SuspectFile.com – What solutions do you use to protect internal group information? Do you implement advanced systems to keep operational details confidential, such as encryption tools for sensitive data or security methodologies for internal communications?
HellCat – HellCat did not respond
SuspectFile.com – Has HellCat had contact with “grep” on BreachForums? “grep” has claimed to be the author of the attack on “HighWire Press.” Is “grep” an affiliate of HellCat, or does he operate independently? How do you manage relationships with users who might divulge details about your operations?
HellCat – As I said, “grep” is a HellCat operator. You can confirm that from past breaches, for example, the Schneider Electric breach.
SuspectFile.com – How do you adapt your operations in situations where law enforcement attention is high? What specific techniques do you use to minimize the risk of being identified, such as utilizing proxy servers or adopting new methods to disguise your presence within the targeted systems?
HellCat – I don’t care about law enforcement.
SuspectFile.com – How do you assess the global evolution of cybercrime regulations and international surveillance? How do these affect your operations, and what preventative measures do you take to avoid identification or arrest during an attack?
HellCat – HellCat did not respond
SuspectFile.com – HellCat is known for highly targeted and precise operations. What is the decision-making process behind selecting victims? Do you prefer to target large companies with significant financial resources, or do you select more vulnerable targets with valuable data?
HellCat – HellCat did not respond
SuspectFile.com – What criteria do you use to maximize the profit from a ransomware attack? Beyond the victim’s ability to pay, do you consider factors such as the value of the exfiltrated data or the likelihood of securing a larger ransom?
HellCat – Like any ransomware group, we consider the industry, revenue, and type of data above all else.
SuspectFile.com – What security measures do you implement to ensure the secrecy of your operations during data exfiltration and the attack? Do you use specific methods to hide your activity, such as encrypting communication channels or utilizing compromised infrastructure to avoid traceability?
HellCat – HellCat did not respond
SuspectFile.com – What factors do you consider when selecting your targets for ransomware attacks? Are there specific industries, regions, or types of organizations that you prioritize over others?
HellCat – HellCat did not respond
===================================
Conversation on Tox with a HellCat member
SuspectFile.com – Do you think it is possible that ‘grep’, in an attempt to further monetize the data, may have sold the ‘HighWire Press’ files to Babuk as well?
HellCat – Do you actually believe that “Babuk2” are the real “Babuk” ransomware group?
SuspectFile.com – Of course not, but this does not exclude that “Babuk-Bjorka” may have the possibility of purchasing data from operators.
HellCat – He can’t afford the database even if he wanted to.
SuspectFile.com – Is it due to internal HellCat rules or for some other reason?
HellCat – The database (and not any other internal documents or files) was only sent to Troy Hunt. It was not sold to anyone else after that.
SuspectFile.com – And you categorically exclude that Troy Hunt could have made any other use of it?
HellCat – Yes, I can categorically exclude that possibility. The database was only sent to Troy Hunt. Also, if you think Troy Hunt sent the database to Babuk, then I would say Babuk seems very naive to think that Troy Hunt would share a big HellCat breach with them. Also, the post that Babuk made only contained the tree list, which was already disclosed in Grep’s post.
SuspectFile.com – Our questions were for confirmation; we absolutely do not believe that ‘Babuk2’ is what it claims. After our interview with him, we published the article with all its contradictions and lies. But this step with you had to be done.