An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.
The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024.
“These two payload samples are identical except for victim specific data and the attacker contact details,” security researcher Jim Walter said in a new report shared with The Hacker News.
Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.
A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.
They are both configured to exclude the WindowsSystem32 folder, as well as a hard-coded list of extensions from the encryption process, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process.
“An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files,” Walter said. “The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware.”
Furthermore, Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated using the BCrypt algorithm.
Barring encrypting the files and dropping identical ransom notes, no other system modifications are made to the affected systems, such as changing the desktop wallpaper or setting up persistence mechanisms.
SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that sprang forth in 2023, although the ransomware payloads themselves are structurally and functionally different.
“HellCat and Morpheus RaaS operations appear to be recruiting common affiliates,” Walter said. “While it is not possible to assess the full extent of interaction between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups.”
The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the menace.
“The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups,” Trustwave said. “This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape.”
Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).
“December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head,” Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.
“The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025.”
