Ransomware group demands baguettes from Schneider Electric

Schneider Electric is investigating a ransomware attack claimed by the Hellcat group. The group is demanding $125,000 in baguettes and threatening to release sensitive data unless their demand is met.

 

What happened 

Schneider Electric, the French multinational specializing in energy management and automation, is investigating a security breach after a ransomware group, Hellcat, claimed to have infiltrated its systems and stolen more than 40 GB of compressed data. The attackers have demanded $125,000—not in cash or cryptocurrency but in baguettes.

While Schneider Electric has yet to confirm the exact details of the intrusion, including whether the ransomware group’s unusual payment demand is genuine, Hellcat claims to have accessed Schneider’s infrastructure via an Atlassian Jira system, through which they reportedly acquired sensitive customer and operational data.

 

Going deeper 

Hellcat, an emerging ransomware gang, made waves with their demand for baguettes, a request that has stirred both curiosity and concern. If true, the demand may be intended to embarrass the newly appointed CEO, Olivier Blum, who assumed his role the same day that Hellcat added Schneider Electric to their site of “shame.” Hellcat claims to have extracted over 400,000 rows of user data, including details related to projects, issues, and plugins, putting Schneider’s proprietary information at significant risk of exposure.

This latest incident marks the third cyberattack Schneider Electric has suffered in less than two years. The French energy management giant previously dealt with attacks from the CL0P ransomware group in June 2023, tied to the MOVEit data breaches, and a separate breach involving Cactus ransomware earlier that year.

 

What was said

According to The Register, a Schneider Electric spokesperson acknowledged the incident, stating, “Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms, which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric's products and services remain unaffected.” The company declined to answer more specific questions, including whether Hellcat would accept an alternative payment form, such as cryptocurrency, rather than bread.

In a post on X (Twitter), Hellcat admitted to the attack and warned of consequences if Schneider doesn’t comply, writing, “Failure to meet this demand will result in the dissemination of the compromised information.” They even indicated they might lower the ransom if “Olivier” (likely a reference to CEO Olivier Blum) decides to comply quickly.

 

In the know

Hellcat is a ransomware group that has recently emerged, making headlines for its sophisticated and highly targeted cyberattacks. Known for employing a double-extortion tactic, Hellcat not only encrypts victims' files but also threatens to leak sensitive data if the ransom isn’t paid, increasing the pressure on organizations to comply. The group typically targets large enterprises and critical infrastructure, including healthcare, financial institutions, and government sectors. Leveraging phishing schemes and exploiting unpatched vulnerabilities, Hellcat gains initial access, then uses custom-developed ransomware to lock systems and exfiltrate valuable data. They use advanced obfuscation techniques to evade detection, making them a formidable adversary in the cybersecurity landscape. Experts warn Hellcat’s aggressive methods and technical capabilities signify an ongoing evolution in ransomware tactics, posing a significant threat to unprepared organizations.

 

Why it matters

Ransomware groups are growing in frequency and boldness, targeting critical infrastructure and high-profile companies. The incident emphasizes the peculiar and provocative tactics that ransomware gangs are adopting, perhaps aimed at amplifying media attention or putting further psychological pressure on their victims. The reference to “baguettes” suggests the attackers’ willingness to employ unusual demands to embarrass Schneider’s leadership and maximize public exposure.


FAQs

What is ransomware?

Ransomware is malicious software (malware) that encrypts files on a target device, rendering them inaccessible. Attackers then demand a ransom, often in cryptocurrency, for the decryption key to restore access to the data. If the ransom isn’t paid, they may threaten to delete or release the data publicly.

 

Who are common targets for ransomware attacks?

Cybercriminals often target organizations with valuable or sensitive data, such as healthcare providers, government agencies, educational institutions, financial services, and utility companies. However, individuals can also be victims of ransomware.

 

Is paying the ransom a recommended solution?

Paying the ransom is generally not recommended. There’s no guarantee that the attackers will actually provide a decryption key. In many cases, payment can encourage further criminal activity. Many cybersecurity experts and law enforcement agencies advocate against payment and instead suggest focusing on data recovery from backups if possible.
