Jan 23, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Breach
An analysis of the ransomware operations run by HellCat and Morpheus has found that affiliates of the two crime groups use the same code to build their ransomware payloads.
The findings come from SentinelOne's examination of artifacts uploaded to the VirusTotal malware scanning service by the same submitter toward the end of December 2024.
In a statement shared with The Hacker News, security researcher Jim Walter said that "these two payload samples are identical except for the target-specific information and the intruder contact information."
Both HellCat and Morpheus are relative newcomers to the ransomware ecosystem, having emerged in October and December 2024, respectively.
A deeper assessment of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.
Both are configured to exclude the \Windows\System32 folder from encryption, along with a hard-coded list of file extensions: .dll, .sys, .exe, .drv, .com, and .cat.
"A strange characteristic of these Morpheus and HellCat payloads is that they do not affect the extension of targeted and encrypted files," Walter said. The ransom note indicates that the file contents have been encrypted, but file extensions and other metadata remain intact after processing.
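The point in the preceding paragraphs that matters most to defenders is that these payloads leave file names and extensions untouched, so detections that key on renamed files (.locked, .encrypted and the like) miss them. The Python script below is an added example, not code from the article or from SentinelOne: it flags in-place encryption by comparing a file's leading bytes with the signature its extension implies and, for normally low-entropy types, by measuring Shannon entropy. The signature table, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the demonstration, not artifacts from the analysed samples.

```python
import math
import random
import tempfile
from pathlib import Path

# Standard file signatures (general knowledge, not taken from the article).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}
# Formats that are compressed by design: high entropy alone is not a signal for them.
NATURALLY_DENSE = {".png", ".jpg", ".pdf", ".zip", ".docx"}
# Assumption: plaintext formats sit around 4-6 bits/byte; ciphertext approaches 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_file(path: Path) -> list[str]:
    """Return reasons this file looks encrypted in place; an empty list means clean."""
    head = path.read_bytes()[:SAMPLE_BYTES]
    ext = path.suffix.lower()
    reasons = []
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        reasons.append(f"{ext} file does not start with its expected signature")
    entropy = shannon_entropy(head)
    if ext not in NATURALLY_DENSE and entropy > ENTROPY_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f} bits/byte for a normally low-entropy type")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Inspect every regular file under `root`; keys are paths relative to root."""
    return {
        str(p.relative_to(root)): inspect_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_demo_tree(root: Path) -> None:
    """Write constructed sample files: intact originals beside in-place-encrypted twins."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    (root / "report.txt").write_bytes(b"Quarterly figures attached.\n" * 100)
    (root / "logo.png").write_bytes(MAGIC[".png"] + bytes(range(256)) * 4)
    (root / "offer.docx").write_bytes(MAGIC[".docx"] + rng.randbytes(2000))
    # "Encrypted" twins: contents replaced, file name and extension untouched.
    (root / "report_enc.txt").write_bytes(rng.randbytes(SAMPLE_BYTES))
    (root / "logo_enc.png").write_bytes(rng.randbytes(SAMPLE_BYTES))
    (root / "offer_enc.docx").write_bytes(rng.randbytes(SAMPLE_BYTES))


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and return the scan verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:16} {'FLAGGED: ' + '; '.join(reasons) if reasons else 'ok'}")
```

The two checks are complementary: the signature test catches overwritten files of formats that are dense anyway (images, Office documents, archives), while the entropy test covers formats with no fixed header, such as plain text or CSV. In production, run the scan against files modified in the window of interest rather than the whole tree, and treat a hit as a trigger for triage, not as proof of encryption.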
Furthermore, Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The algorithm is used to generate the encryption key.
Beyond encrypting files and dropping identical ransom notes, the payloads make no other modifications to the affected systems, such as changing the desktop wallpaper or setting up persistence mechanisms.
Although the payloads themselves differ, SentinelOne and security researcher Rakesh Krishnan noted that the ransom notes for HellCat and Morpheus are identical to those used by , another ransomware scheme from 2023.
"HellCat and Morpheus RaaS operations appear to be recruiting common affiliates," Walter said. Affiliates tied to both groups appear to be leveraging a shared codebase or possibly a shared builder application, although the full extent of interaction between the owners and operators of these services cannot yet be assessed.
Despite ongoing efforts by law enforcement to combat the menace, ransomware continues to thrive, though in an increasingly fragmented manner.
According to Trustwave, "the financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend sparked by the disruptions of larger groups. This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape."
Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Other prevalent ransomware groups included Cl0p (68), Akira (43), and RansomHub (41).
"December is typically a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record," said Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group.
"The rise of new and aggressive actors like FunkSec, who have been leading these attacks, is alarming and suggests a more tumultuous threat landscape in 2025."