An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.
The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter toward the end of December 2024.
“These two payload samples are identical apart from victim-specific data and the attacker contact details,” security researcher Jim Walter said in a new report shared with The Hacker News.

Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.
A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.
They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process.
“An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files,” Walter said. “The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware.”
Furthermore, the Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated using the BCrypt algorithm.
Barring encrypting the files and dropping identical ransom notes, no other system modifications are made to the affected systems, such as changing the desktop wallpaper or setting up persistence mechanisms.
SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that sprang forth in 2023, although the ransomware payloads themselves are structurally and functionally different.
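Because these payloads leave file names and extensions untouched, monitoring for renamed or newly suffixed files will not catch them; a content-based check is needed. The following is an added example, not SentinelOne's code or anything from the report, that flags files whose extension promises a known format but whose leading bytes lack that format's signature and are near-random; the magic-byte table and the in-memory samples are constructed for illustration.

```python
import math
import os
from collections import Counter

# Leading "magic" bytes for a few common formats (constructed subset for the example).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; uniformly random bytes approach 8.0 (empty -> 0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted_in_place(name: str, head: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose extension promises a known format but whose leading bytes
    lack that format's magic and are near-random (contents encrypted, name intact)."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is None or head.startswith(magic):
        return False  # unknown type, or the header is still intact
    return shannon_entropy(head) >= threshold

def scan_tree(root: str, sample_bytes: int = 4096) -> list:
    """Walk a directory and return the paths that look encrypted in place."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            if looks_encrypted_in_place(fn, head):
                hits.append(path)
    return hits

# Constructed in-memory samples standing in for files on disk.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n" + b"stream of ordinary text " * 20,  # intact PDF
    "report.docx": bytes(range(256)) * 16,                      # high-entropy, no PK header
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8,  # intact JPEG header
    "notes.txt": bytes(range(256)) * 16,                        # no known magic, not judged
}

def flagged_samples() -> list:
    return sorted(n for n, head in SAMPLES.items() if looks_encrypted_in_place(n, head))
```

The entropy threshold is deliberately high so that compressed formats are judged by their intact header rather than by their byte distribution, and files with an unknown extension are not judged at all.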

“HellCat and Morpheus RaaS operations appear to be recruiting common affiliates,” Walter said. “While it is not possible to assess the full extent of interaction between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups.”
The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the threat.
“The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups,” Trustwave said. “This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape.”

Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).
“December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head,” Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.
“The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025.”