Researchers Discover Shared Codebase Behind Morpheus and HellCat Ransomware Payloads

Jan 23, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Breach

According to an analysis of the ransomware operations run by HellCat and Morpheus, affiliates of the two crime groups use the same code to build their ransomware payloads.

The findings come from SentinelOne, which analyzed artifacts uploaded by the same submitter toward the end of December 2024.

In a statement shared with The Hacker News, security researcher Jim Walter said that "these two payload samples are identical except for the target-specific information and the attacker contact information."

Both HellCat and Morpheus are newcomers to the ransomware ecosystem, having emerged in October and December 2024.

A closer look at the Morpheus/HellCat payload, a 64-bit portable executable, revealed that both samples require a path to be supplied as an input argument.

Both are configured to exclude the \Windows\System32 folder, along with a hard-coded list of file extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process.

An unusual trait of the Morpheus and HellCat payloads, Walter noted, is that they do not change the extension of the files they select and encrypt. File contents are encrypted, but file extensions and other metadata remain intact after the ransomware processes them.
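That trait defeats triage that keys on a ransomware extension, so a useful check looks at content instead. The following is an added example, not code from SentinelOne or from the article: it compares each file's header against the magic bytes its extension implies and measures byte entropy, flagging files whose name looks untouched but whose body no longer matches. The magic-byte table and the sample files are constructed for illustration.

```python
import math
import os
import random
from typing import Dict, List

# Constructed, illustrative subset of header signatures keyed by extension.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, lower for plain documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted_in_place(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the extension is known, the expected header is gone, and the bytes are near-random.

    Entropy alone is not enough: a genuine JPEG or Office document is also high-entropy,
    so the header mismatch is what separates 'encrypted in place' from 'normal file'."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return False  # unknown type: the header tells us nothing
    return (not data.startswith(expected)) and shannon_entropy(data) >= threshold


def triage(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files that appear encrypted while keeping their original extension."""
    return sorted(n for n, d in files.items() if looks_encrypted_in_place(n, d))


def constructed_samples() -> Dict[str, bytes]:
    rng = random.Random(2025)  # fixed seed so the sample set is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    return {
        "quarterly_report.pdf": b"%PDF-1.7\n" + b"Plain report text, low entropy. " * 100,
        "quarterly_report_encrypted.pdf": noise,  # extension kept, body replaced
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8,  # high entropy but header intact
        "archive.docx": b"PK\x03\x04" + noise[:1024],  # zip-based document, header intact
    }
```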

Both the Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption; the algorithm is used to generate the encryption key.

Beyond encrypting files and dropping identical ransom notes, the payloads make no other changes to affected systems, such as altering the desktop wallpaper or setting up persistence mechanisms.

Beyond the payloads themselves, SentinelOne and security researcher Rakesh Krishnan noted that the ransom notes used by HellCat and Morpheus are the same as those of another ransomware scheme from 2023.

"HellCat and Morpheus RaaS operations appear to be recruiting common affiliates," Walter said. Although the full extent of interaction between the owners and operators of these services is hard to determine, affiliates of both groups appear to be using a shared codebase, or possibly a shared builder application.

Despite ongoing efforts by law enforcement agencies to combat the menace, ransomware continues to thrive, though in an increasingly fragmented manner.

The financially motivated ransomware ecosystem is "increasingly characterized" by the decentralization of operations, a trend fueled by the disruption of larger groups, according to Trustwave. "This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape."

Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with a single group accounting for 103 incidents. Other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).

"December is typically a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record," said Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group.

"The rise of new and aggressive actors like FunkSec, who have been leading these attacks, is alarming and suggests a more tumultuous threat landscape in 2025."
