Experts Uncover Shared Codebase Linking Morpheus and HellCat Ransomware



A comprehensive analysis of the Morpheus and HellCat ransomware operations has uncovered striking similarities in their ransomware payloads, pointing to the use of a shared codebase.


The findings, released by cybersecurity firm SentinelOne, stem from artifacts uploaded to VirusTotal in late December 2024 by the same submitter.


"These two payload samples are virtually identical, differing only in victim-specific data and attacker contact details," noted SentinelOne security researcher Jim Walter in a report shared with The Hacker News.


Ransomware with Common Roots

Both Morpheus and HellCat represent recent additions to the ransomware landscape, debuting in October and December 2024, respectively. Upon deeper analysis, researchers identified key similarities between their payloads:

  • Architecture: Both samples are 64-bit portable executables requiring a specified path as an input argument.
  • Encryption Behavior: The ransomware excludes the \Windows\System32 directory and specific file extensions (.dll, .sys, .exe, .drv, .com, and .cat) from encryption.
  • File Metadata: Unlike typical ransomware, neither alters the file extensions or metadata of encrypted files.
  • Encryption Mechanism: They leverage the Windows Cryptographic API and the BCrypt algorithm for key generation and file encryption.


"An unusual trait of Morpheus and HellCat is that they encrypt file contents but leave file extensions intact," added Walter.


Beyond encrypting files and leaving behind ransom notes, the payloads make no additional modifications, such as altering desktop wallpapers or establishing persistence mechanisms.
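As an added defender's example, not part of SentinelOne's report or this article, the Python below sketches a detector for the trait described above: files whose extension is left intact but whose contents no longer match that extension's magic bytes and have ciphertext-like entropy. The magic-byte table, entropy threshold and sample files are assumptions constructed for illustration.

```python
import math
import hashlib
from collections import Counter

# Magic-byte signatures for a few common document types (assumed subset; extend as needed)
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

# Extensions the samples skip entirely, so they are not candidates for in-place encryption
SKIPPED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 8, ciphertext close to it."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted_in_place(name: str, data: bytes, entropy_threshold: float = 7.5) -> bool:
    """Flag a file whose extension is intact but whose bytes no longer match it."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in SKIPPED_EXTENSIONS or ext not in MAGIC:
        return False
    if data.startswith(MAGIC[ext]):
        return False  # header still matches: content was not encrypted wholesale
    return shannon_entropy(data[:4096]) >= entropy_threshold


def _pseudo_random(seed: bytes, length: int) -> bytes:
    # Deterministic stand-in for ciphertext (constructed sample, not a real encrypted file)
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed samples: an intact PDF, a "PDF" whose bytes are ciphertext-like, a skipped DLL
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100,
    "invoice.pdf": _pseudo_random(b"seed", 8192),
    "kernel32.dll": _pseudo_random(b"other", 8192),
}


def scan(samples: dict) -> list:
    """Return the names of files that look encrypted in place, sorted."""
    return sorted(n for n, d in samples.items() if looks_encrypted_in_place(n, d))


if __name__ == "__main__":
    print(scan(SAMPLES))  # ['invoice.pdf']
```

Entropy alone also fires on legitimately compressed formats, so the magic-byte check is what keeps false positives down on archives and Office documents.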


Ransom Notes and Underground Links

Both ransomware strains use ransom notes that closely mimic those of the Underground Team ransomware, active since 2023. However, the payloads themselves are functionally distinct from Underground Team’s operations.




The report also indicates that affiliates of Morpheus and HellCat appear to be leveraging a shared codebase or builder application, signaling collaboration or resource-sharing between the two groups.


"HellCat and Morpheus RaaS operations seem to be recruiting the same affiliates," Walter explained.


Ransomware Ecosystem: Decentralized and Resilient

The discovery highlights the fragmentation and evolution of the ransomware ecosystem. Despite relentless law enforcement efforts, ransomware attacks continue to thrive, with smaller, decentralized groups filling the void left by disrupted major players.

"The financially driven ransomware landscape is increasingly fragmented," said Trustwave. "This decentralization has enabled smaller, more agile actors to dominate the threat landscape."


Record-Breaking Ransomware Activity in December 2024

According to NCC Group, December 2024 witnessed an unprecedented 574 ransomware attacks, with notable contributors including:

  • FunkSec: 103 incidents
  • Cl0p: 68 incidents
  • Akira: 43 incidents
  • RansomHub: 41 incidents

"December is traditionally quieter for ransomware activity, but last month saw the highest number of attacks ever recorded," said Ian Usher, Associate Director of Threat Intelligence Operations at NCC Group.


He added, "The emergence of aggressive groups like FunkSec signals a more turbulent threat landscape as we head into 2025."