Friday, March 14, 2025

Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads


Jan 23, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Breach

An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.

The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024.

“These two payload samples are identical apart from victim-specific data and the attacker contact details,” security researcher Jim Walter said in a new report shared with The Hacker News.


Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.

A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.

They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions, from the encryption process, specifically .dll, .sys, .exe, .drv, .com, and .cat.

“An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files,” Walter said. “The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware.”

Furthermore, Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated using the BCrypt algorithm.

Barring encrypting the files and dropping identical ransom notes, no other system modifications are made to the affected systems, such as altering the desktop wallpaper or setting up persistence mechanisms.
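Because these payloads leave file names, extensions and metadata untouched, a scanner that keys on renamed files will miss them. The following defender-side heuristic, added here as example code and not SentinelOne's tooling, flags files whose extension promises a known header that is now absent and whose leading bytes look like ciphertext; the magic-byte table and the constructed sample files are assumptions for illustration.

```python
# Heuristic for files encrypted in place with name and extension left intact
# (example code added for this article, not SentinelOne's tooling).
import math
import os
import tempfile
from collections import Counter

# Header bytes for a few common formats (assumption: small illustrative table).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
SKIPPED = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}  # extensions the article says the payload skips


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is roughly 4-5, ciphertext and random data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_in_place(path: str, threshold: float = 7.5) -> bool:
    """Flag a file whose extension promises a header that is missing and whose first 4 KiB
    are near-random; compressed formats (docx, png) are high entropy too, so the header
    check is what separates a healthy archive from ciphertext."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIPPED or ext not in MAGIC:
        return False
    with open(path, "rb") as f:
        head = f.read(4096)
    return not head.startswith(MAGIC[ext]) and shannon_entropy(head) >= threshold


def scan(root: str) -> list:
    """Walk root and return the paths that match the heuristic, sorted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in names
                 if looks_encrypted_in_place(os.path.join(dirpath, n))]
    return sorted(hits)


def build_constructed_tree(root: str) -> None:
    """Constructed sample files for a stand-alone run (not real artifacts)."""
    samples = {
        "report.pdf": b"%PDF-1.7\n" + b"plain text body\n" * 200,  # healthy document
        "report_enc.pdf": os.urandom(4096),  # header gone, contents random: flagged
        "notes.txt": b"meeting notes\n" * 100,  # no known header to check against
        "tool.exe": os.urandom(4096),  # extension the payload leaves alone
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_tree(d)
        print(scan(d))  # lists only report_enc.pdf
```

The threshold and the 4 KiB window are tuning knobs; encrypted files from these payloads keep their original size and timestamps, so content inspection rather than name or size change is the signal to build on.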

SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that sprang forth in 2023, although the ransomware payloads themselves are structurally and functionally different.

Morpheus and HellCat Ransomware

“HellCat and Morpheus RaaS operations appear to be recruiting common affiliates,” Walter said. “While it is not possible to assess the full extent of interaction between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups.”

The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the threat.

“The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups,” Trustwave said. “This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape.”


Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).

“December is typically a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head,” Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.

“The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025.”
