In a striking revelation from an analytical report by SentinelOne, a disturbing trend has emerged in the cybersecurity realm, highlighting the operations of the HellCat and Morpheus ransomware groups. These affiliates appear to be utilizing nearly identical code for their ransomware payloads, showcasing a potentially alarming level of collaboration in the cybercrime landscape.
The findings stem from a detailed examination of malware samples uploaded to the VirusTotal platform at the close of December 2024. SentinelOne security researcher Jim Walter emphasized that “these two payload samples are identical except for victim-specific data and the attacker contact details,” marking a pivotal point in how ransomware operations are evolving.
HellCat and Morpheus are relatively new players in the ransomware landscape, having appeared in October and December of 2024, respectively. Their infancy doesn’t seem to deter them from leveraging advanced techniques commonly associated with larger, more established cybercrime organizations.
A closer inspection of the Morpheus/HellCat payload reveals essential technical characteristics: both samples are 64-bit portable executable files requiring a specified input path. Interestingly, they are designed to exclude the Windows System32 folder and a specific set of file extensions (.dll, .sys, .exe, .drv, .com, .cat) from the encryption process. This tactic minimizes the risk of self-damage and helps the payload avoid detection, showcasing a sophisticated understanding of how operating systems function.
Notably, one of the unusual characteristics of these payloads is their approach to encryption. Unlike many ransomware variants that alter file extensions post-encryption, both Morpheus and HellCat maintain the original file extensions. As Walter aptly noted, “the file contents will be encrypted, but file extensions and other metadata remain intact.” This could prove disorienting for victims who may not realize their files have been compromised until it’s too late.
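Because the payload leaves extensions and metadata untouched, a directory listing gives a victim or responder no hint that anything changed. The following is an added triage example, not code from SentinelOne or from the article, showing one way a responder can look past the extension: it compares each file's leading bytes against the signature its extension promises and measures byte entropy for extensions it has no signature for. The magic-byte table, the entropy threshold, the sample file names and the random-byte stand-ins for ciphertext are all assumptions constructed for the demo; the skipped-extension set is the one the article lists.

```python
"""
Added example (not from the SentinelOne report or the article): a small
triage scan that flags files whose contents no longer match what their
extension promises. Signatures, thresholds and sample files are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

# Leading bytes for a few common document types (constructed lookup table,
# deliberately short; extend it for the formats present in your environment).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
}

# Extensions the article says the payload skips; files with these extensions
# are expected to be untouched, so the scan leaves them out.
SKIPPED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}

# Bits per byte; ciphertext and compressed data sit close to 8.0 (assumed cutoff).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: str) -> str:
    """Return one of: skipped, ok, magic-mismatch, high-entropy, unknown-ext."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIPPED_EXTENSIONS:
        return "skipped"
    with open(path, "rb") as fh:
        head = fh.read(4096)          # header plus enough bytes for an entropy estimate
    expected = MAGIC.get(ext)
    if expected is not None:
        # A known format whose header is gone is the strongest signal here.
        return "ok" if head.startswith(expected) else "magic-mismatch"
    # No signature to compare against: fall back to entropy of the first 4 KiB.
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "unknown-ext"


def scan_tree(root: str) -> dict:
    """Classify every file under root; keys are paths relative to root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_file(full)
    return results


def flagged(results: dict) -> list:
    """Paths worth a closer look, sorted for stable reporting."""
    return sorted(p for p, verdict in results.items()
                  if verdict in ("magic-mismatch", "high-entropy"))


def build_sample_tree() -> str:
    """Create a constructed directory of sample files so the demo runs offline."""
    root = tempfile.mkdtemp(prefix="triage-demo-")

    def put(name: str, data: bytes) -> None:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    put("report.pdf", b"%PDF-1.7\n" + b"plain text body " * 100)  # intact document
    put("notes.docx", os.urandom(4096))        # random bytes stand in for ciphertext
    put("readme.txt", b"hello world " * 300)   # no signature known, low entropy
    put("cache.bin", os.urandom(4096))         # no signature known, high entropy
    put("helper.dll", os.urandom(1024))        # excluded extension, never scanned
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    verdicts = scan_tree(demo_root)
    for path, verdict in sorted(verdicts.items()):
        print(f"{verdict:15} {path}")
    print("flagged:", flagged(verdicts))
```

Run it as a script to see the constructed tree classified; in practice you would point scan_tree at a suspect share or user profile and review the flagged list. The entropy fallback is intentionally only used where no signature exists, because many legitimate formats (ZIP, PNG, compressed PDFs) are high-entropy on their own and would otherwise swamp the results.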
In terms of encryption methodology, both groups utilize the Windows Cryptographic API, calling the BCrypt (CNG) functions for key generation and file encryption. This choice indicates a level of sophistication in ensuring that encrypted data remains secure, making recovery efforts extremely challenging for victims.
While encrypting files and placing identical ransom notes aligns with traditional ransomware tactics, it’s noteworthy that no additional intrusive modifications occur on the infected systems, such as altering desktop backgrounds or creating persistence mechanisms. This restraint could suggest a more calculated approach, making it less conspicuous until the ransom demand is presented.
Walter also pointed out a striking connection concerning the ransom notes used by HellCat and Morpheus; they are identical to those employed by the Underground Team, a ransomware group that emerged in 2023. It’s evident that, despite variances in payload techniques and strategies, there exists a shared repository of tactics and methods among these cybercriminals.
This burgeoning collaboration signals a significant shift in the ransomware landscape, with affiliates increasingly integrating into a decentralized system, as suggested by Trustwave’s insights into the ransomware ecosystem. “The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations,” they noted. This fragmentation grants smaller groups more autonomy while simultaneously complicating detection and mitigation efforts.
Data from the NCC Group provides further insight into the evolving threat landscape, revealing a staggering 574 ransomware attacks recorded in December 2024 alone. FunkSec was responsible for 103 of these incidents, outpacing other notable groups like Cl0p (68), Akira (43), and RansomHub (41). This sharp increase in activity reflects a departure from the typically quieter end-of-year period, with Ian Usher from NCC Group asserting that the rise of aggressive actors like FunkSec indicates a troubling shift heading into 2025.