Researchers Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads


Jan 23, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Breach

An analysis of the HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.

The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024.

“These two payload samples are identical apart from victim-specific data and the attacker contact details,” security researcher Jim Walter said in a new report shared with The Hacker News.

Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.

A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.

They are both configured to exclude the Windows\System32 folder, as well as a hard-coded list of extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process.

“An unusual attribute of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files,” Walter said. “The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware.”

Furthermore, the Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated using the BCrypt algorithm.

Barring encrypting the files and dropping identical ransom notes, no other system modifications are made to the affected systems, such as altering the desktop wallpaper or establishing persistence mechanisms.
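Because these payloads leave file names, extensions and metadata untouched, any detection or triage logic keyed on a renamed extension (the usual ransomware tell) will miss them. The script below is an added example, not code from the report or from SentinelOne, of a content-based check a responder could run over a file share: it compares each file’s leading bytes against the header its extension implies and measures the entropy of the first 4 KB, flagging files that have lost their header and look random. The magic-byte table, the threshold of 7.5 bits per byte, and the sample directory it builds are all constructed for the example; the extension skip-list mirrors the one described in the article.

```python
import math
import random
import tempfile
from pathlib import Path

# Leading bytes expected for a few common file types. This table is constructed
# for the example; extend it with the formats that matter in your environment.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
}

# Extensions the article says the payloads leave alone; scanning them only adds noise.
SKIPPED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_file(path: Path, entropy_threshold: float = 7.5, sample_size: int = 4096) -> dict:
    """Judge one file by its content rather than by its name."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    expected = MAGIC.get(ext)
    magic_mismatch = expected is not None and not head.startswith(expected)
    entropy = shannon_entropy(head)
    high_entropy = entropy >= entropy_threshold
    # Both signals together: a known type whose header is gone AND whose bytes look
    # random. Compressed archives are high-entropy but keep their header, so they pass.
    return {
        "path": str(path),
        "extension": ext,
        "entropy": round(entropy, 3),
        "magic_mismatch": magic_mismatch,
        "high_entropy": high_entropy,
        "suspicious": magic_mismatch and high_entropy,
    }


def scan_tree(root: Path) -> dict:
    """Scan every regular file under root; results are keyed by file name."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() not in SKIPPED_EXTENSIONS:
            results[p.name] = inspect_file(p)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: no real malware and no real encryption is involved."""
    rng = random.Random(20250123)  # deterministic stand-in for ciphertext bytes
    # Intact PDF: header present, low-entropy body.
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"quarterly numbers " * 200)
    # Document "encrypted in place": name and extension untouched, header gone, bytes random.
    (root / "invoice.pdf").write_bytes(rng.randbytes(4096))
    # Legitimate archive: header intact, payload high-entropy -> must not be flagged.
    (root / "backup.zip").write_bytes(b"PK\x03\x04" + rng.randbytes(4096))
    # Excluded extension: skipped entirely, as the payloads themselves skip it.
    (root / "helper.dll").write_bytes(b"MZ" + b"\x00" * 100)


def run_demo() -> dict:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, info in run_demo().items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {name:12} entropy={info['entropy']:.2f} "
              f"magic_mismatch={info['magic_mismatch']}")
```

Requiring both signals keeps false positives down: a plain-text file that was never a recognised type has no expected header and is ignored, and a ZIP or other compressed container is high-entropy but keeps its header, so only a known type whose header has vanished and whose bytes look random is reported. On a real share, point `scan_tree` at the mount and review the `suspicious` entries alongside the ransom note drops the report mentions.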

SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that sprang forth in 2023, although the ransomware payloads themselves are structurally and functionally different.

Morpheus and HellCat Ransomware

“HellCat and Morpheus RaaS operations appear to be recruiting common affiliates,” Walter said. “While it’s not possible to assess the full extent of interplay between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups.”

The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the threat.

“The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups,” Trustwave said. “This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape.”

Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).

“December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head,” Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.

“The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025.”
