Saturday, February 22, 2025

HellCat and Morpheus Ransomware Share Near-Identical Payloads in Their Attacks


The cybersecurity landscape saw a surge in ransomware activity during the second half of 2024 and into early 2025, including the emergence of operations such as HellCat and Morpheus.

Alongside their rise, newer groups such as FunkSec, Nitrogen, and Termite gained traction, while established actors Cl0p and LockBit released new versions of their ransomware, further amplifying the threat.

Among these, HellCat and Morpheus, both operating under the Ransomware-as-a-Service (RaaS) model, have drawn significant attention for their increasing sophistication, targeted attacks, and operational similarities.


HellCat's Aggressive Expansion

Launched in mid-2024, HellCat has positioned itself as a high-profile actor within the RaaS space.

Its leadership reportedly comprises prominent members of the BreachForums community, including individuals operating under pseudonyms such as Rey, Pryx, Grep, and IntelBroker.

The group has targeted high-value entities, focusing in particular on government organizations and "big game" victims.

HellCat's operators have leveraged media visibility and unusual ransom demands to cement their reputation within the cybercrime ecosystem.

Morpheus, which unveiled its data leak site in December 2024, has shown more restrained branding efforts compared to HellCat.

Tracing its origins back to September 2024, the operation functions as a semi-private RaaS, targeting industries such as pharmaceuticals and manufacturing.

Recent attacks indicate a focus on virtualized ESXi environments, with ransom demands reaching up to 32 BTC (roughly $3 million USD at the time).

Despite its lower profile, Morpheus affiliates remain highly active, particularly in targeting organizations within Italy.

Evidence of Code Sharing

A significant finding emerged in late December 2024, when researchers identified two ransomware samples uploaded to VirusTotal on December 22 and December 30 that shared nearly identical code.

Figure: er.bat launches the Morpheus ransomware

The payloads, tied to both HellCat and Morpheus campaigns, were traced back to the same affiliate based on telemetry data.

These payloads, 64-bit PE files around 18 KB in size, use a hard-coded list of file extensions to exclude from encryption and skip critical system folders such as Windows\System32.

While the ransomware encrypts file contents, it notably does not alter file extensions or metadata, a deviation from many established ransomware families and one that defeats any detection or hunting logic keyed on a renamed extension.

Further examination revealed shared use of the Windows Cryptographic API, specifically the BCrypt functions, for key generation and encryption.

The ransomware leaves behind a ransom note (README.txt) with details on how victims can access the attackers' .onion portals using the supplied credentials.
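Because the payloads described above leave extensions and metadata untouched, the usual "find everything ending in .locked" hunt does not work. The following is an added example, not code from the SentinelOne report or from either operation, of how a responder can instead sweep a file share for files whose header no longer matches their extension and whose content has near-random entropy, while also collecting README.txt notes for triage. The magic-byte table, the 7.5 bits/byte threshold, the 4 KB sample size and the constructed sample tree are all assumptions chosen for illustration, not indicators taken from the report.

```python
"""Hunt for files encrypted in place with their original extension kept.

Added example (not from the report or the ransomware). Assumptions:
the MAGIC table, ENTROPY_THRESHOLD, SAMPLE_BYTES and the sample tree
built by build_sample_tree() are illustrative choices by this editor.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for a few common document types. Assumption:
# a small illustrative table; extend it for the file types in your estate.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumed cut-off)
SAMPLE_BYTES = 4096      # judge on the header region rather than reading whole files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_in_place(path: Path) -> bool:
    """True when the header no longer matches the extension AND the content is
    near-random. Requiring both cuts false positives from legitimately
    compressed formats (ZIP-based Office files also have high entropy)."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: no baseline to compare against
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(expected):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Walk a directory and return suspected in-place-encrypted files plus any
    README.txt files, which the article identifies as the ransom note name."""
    suspects, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == "readme.txt":
            notes.append(p)
        elif looks_encrypted_in_place(p):
            suspects.append(p)
    return {"encrypted_in_place": sorted(suspects), "ransom_notes": sorted(notes)}


def _pseudo_ciphertext(length: int = SAMPLE_BYTES) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(length // 32))
    return out[:length]


def build_sample_tree(root: Path) -> None:
    """Constructed sample share: two intact files, two encrypted in place with
    their extension preserved, one unknown type, and a ransom note."""
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"A" * 4000)       # intact, low entropy
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + _pseudo_ciphertext())  # intact, compressed
    (root / "invoice.pdf").write_bytes(_pseudo_ciphertext())               # encrypted, header gone
    (root / "photo.png").write_bytes(_pseudo_ciphertext())                 # encrypted, header gone
    (root / "notes.md").write_bytes(_pseudo_ciphertext())                  # no baseline: not flagged
    (root / "README.txt").write_text("Your files are encrypted. Contact us via the portal.\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir and return file names by category."""
    root = Path(tempfile.mkdtemp(prefix="inplace-hunt-"))
    build_sample_tree(root)
    result = scan_tree(root)
    return {k: [p.name for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

The notes.md case is deliberate: without a known header for the extension the check cannot say anything, so in practice pair this sweep with a baseline of file hashes or last-known-good headers from backups, and treat a README.txt dropped across many directories as a stronger signal than any single entropy hit.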

Figure: Morpheus ransom note displayed after encryption

Despite operational similarities, including the ransom note template, there is no conclusive evidence of a deeper connection or shared codebase with the previously active Underground Team RaaS.

According to SentinelOne, the striking resemblance between the HellCat and Morpheus payloads points to the likely use of a shared builder tool or codebase among affiliates.

This development underscores the growing industrialization of ransomware, in which tools and techniques are increasingly shared among malicious actors.

While the precise relationship between the HellCat and Morpheus operators remains unclear, their activity reflects the escalating sophistication of RaaS operations and their ability to compromise diverse sectors.

HellCat and Morpheus represent a broader trend in the evolution of ransomware, where operational overlaps and shared resources blur the lines between distinct groups.

As both groups continue to target enterprises and government entities, understanding their shared methodologies can play a pivotal role in improving detection and response strategies for security teams.

The cybersecurity community must remain vigilant in monitoring these emerging threats to mitigate their impact effectively.
