Recent investigations into the operations of HellCat and Morpheus ransomware have uncovered significant overlaps in their coding, suggesting a collaboration or shared framework among these cybercriminal entities. According to analysis conducted by SentinelOne, artifacts submitted to the VirusTotal scanning platform in late December 2024 indicate that the ransomware payloads used by both groups are virtually identical, differing only in their targeted victims’ data and contact information for the attackers.

In a detailed report from security researcher Jim Walter, it is noted that the two payload samples employ a common 64-bit executable format, requiring specific file paths as input arguments during execution. Both variants have been set to omit the \Windows\System32 directory, as well as a predefined set of file extensions—including .dll, .sys, .exe, .drv, .com, and .cat—from their encryption routines.

A distinctive feature of the Morpheus and HellCat ransomware is their method of file encryption. Unlike many ransomware variants that alter file extensions upon encryption, both payloads retain the original extensions of the files while encrypting their contents. This behavior presents a unique challenge for victims, as the files remain seemingly accessible, even though they are rendered unusable.

Both Morpheus and HellCat leverage the Windows Cryptographic API for file encryption, calling its BCrypt functions (the Cryptography API: Next Generation interface) to generate encryption keys. The ransomware’s design is notably minimalistic; aside from encrypting files and delivering nearly identical ransom notes, there are no other significant modifications to the compromised systems, such as changing desktop backgrounds or establishing persistent malware installations.
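Because these payloads keep the original file extension, a triage pass over a suspect host cannot rely on renamed files; it has to compare what the name claims with what the bytes contain. The following is an added example (not code from the SentinelOne report or from the malware) of that check: a file whose known header is gone, or whose content is near-uniform where plaintext is expected, is flagged, while the extensions the report says the payload skips are left out. The magic-byte table, the entropy threshold and the in-memory sample files are constructed assumptions for this example.

```python
import hashlib
import math
import os
from collections import Counter

# Expected headers per extension (constructed table). An empty list (.txt) means the
# format has no fixed header, so entropy alone decides for it.
MAGIC = {".pdf": [b"%PDF-"], ".docx": [b"PK\x03\x04"], ".txt": []}
# Extensions the report says the payload skips: not expected to be encrypted, so skipped here too.
PAYLOAD_EXCLUDED = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}
HIGH_ENTROPY = 7.5  # bits per byte; properly encrypted content sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, data: bytes) -> str:
    """'excluded', 'ok' or 'suspect': suspect = known extension kept, but the content
    has lost its header and/or is near-uniform, i.e. looks encrypted in place."""
    ext = os.path.splitext(name)[1].lower()
    if ext in PAYLOAD_EXCLUDED:
        return "excluded"
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "ok"  # unknown extension: nothing to compare against
    if sigs and any(data.startswith(s) for s in sigs):
        return "ok"  # header intact; compressed formats like .docx are high-entropy by design
    # Header missing (or the format has none): fall back to entropy of the first 4 KiB
    return "suspect" if shannon_entropy(data[:4096]) >= HIGH_ENTROPY else "ok"

def triage(files: dict) -> list:
    """Names of files classified as 'suspect', sorted."""
    return sorted(n for n, d in files.items() if classify(n, d) == "suspect")

def pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy stand-in for encrypted content (SHA-256 counter; constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest() for i in range(size // 32))

SAMPLE = {  # constructed in-memory files standing in for a directory walk
    "report.pdf": b"%PDF-1.7\n" + b"stream data " * 100,
    "notes.txt": b"Quarterly planning notes.\n" * 40,
    "invoice.pdf": pseudo_ciphertext(b"invoice"),   # encrypted in place, extension kept
    "memo.txt": pseudo_ciphertext(b"memo"),
    "svc.dll": pseudo_ciphertext(b"dll"),           # excluded by the payload; not triaged
}
```

Running `triage(SAMPLE)` returns `['invoice.pdf', 'memo.txt']`; on a real host the dictionary would be filled from a read-only walk of the file system, and a large share of suspects under a user's document paths is the signal to look for.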

Noteworthy is the resemblance of the ransom notes issued by HellCat and Morpheus to those previously employed by the Underground Team, another ransomware group from 2023, despite the intrinsic differences in their payloads. This connection suggests a potential ecosystem where ransomware affiliates may be interrelated or sharing resources.

The emergence of HellCat and Morpheus, both relatively new players in the ransomware arena, draws attention to an evolving threat landscape marked by increased decentralization. As the ransomware ecosystem continues to fragment due to law enforcement efforts targeting larger organizations, smaller and more agile affiliates are emerging, further complicating the cybersecurity landscape.

Recent statistics from NCC Group reveal that December 2024 was particularly severe, with a record 574 ransomware incidents, an anomaly given that this time of year usually sees a decline in such attacks. The analysis cites FunkSec as the most active group, responsible for 103 attacks, followed by notable groups such as Cl0p and Akira.

The mounting number of incidents indicates a growing and increasingly aggressive threat, as highlighted by Ian Usher from NCC Group, who warned of a turbulent cybersecurity environment heading into 2025. The techniques used by these ransomware groups likely map to MITRE ATT&CK tactics such as initial access, encryption of files for impact, and theft of sensitive data, underscoring the need for robust security measures and awareness among businesses.

For executives and business leaders, understanding these emerging threats is crucial in strengthening defenses against potential ransomware incidents. The continued rise of alliances among criminal factions places a high premium on vigilance and preparedness within the cybersecurity domain.