An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.
The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024.
"These two payload samples are identical apart from victim-specific data and the attacker contact details," security researcher Jim Walter said in a new report shared with The Hacker News.
Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.
A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.
They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions, from the encryption process, specifically .dll, .sys, .exe, .drv, .com, and .cat.
"An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files," Walter said. "The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware."
Moreover, the Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated using the BCrypt algorithm.
Barring encrypting the files and dropping identical ransom notes, no other system modifications are made to the affected systems, such as changing the desktop wallpaper or establishing persistence mechanisms.
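Because these payloads leave file names, extensions and metadata untouched, triage that looks for renamed or re-extensioned files will miss them; the content itself has to be inspected. The following is an added example, not SentinelOne's code or anything taken from the samples: it flags files whose leading bytes no longer match what their extension promises and whose content is near-random. The magic-byte table, the 7.5 bits-per-byte entropy threshold and the sample files are assumed, constructed choices for illustration.

```python
import math
import os
import tempfile
from collections import Counter
# Extensions the SentinelOne report says the payload skips (from the article).
SKIPPED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}
# Expected leading bytes for a few common types (assumed, illustrative list).
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".png": b"\x89PNG\r\n\x1a\n"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits close to 8.0, documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """True when the extension is known but the bytes contradict it.
    Unknown or payload-skipped extensions are not judged (False)."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIPPED_EXTENSIONS or ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(MAGIC[ext]):
        return False  # header intact: content is what the name claims
    return shannon_entropy(head) >= threshold

def scan(root: str) -> list[str]:
    """Walk root and return the sorted basenames of suspect files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits += [n for n in files if looks_encrypted(os.path.join(dirpath, n))]
    return sorted(hits)

def build_sample_dir() -> str:
    """Constructed sample tree: an intact PDF and PNG, a 'PDF' whose contents
    are random bytes (name untouched), and a .txt the checker does not judge."""
    root = tempfile.mkdtemp(prefix="ext-check-")
    samples = {
        "intact.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
        "quarterly.pdf": os.urandom(4096),
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 512,
        "notes.txt": os.urandom(4096),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Running `scan(build_sample_dir())` returns only `quarterly.pdf`; the intact files pass their header check and the `.txt` is outside the assumed magic table, which is the coverage gap a real deployment would close by extending that table.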
SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that sprang forth in 2023, although the ransomware payloads themselves are structurally and functionally different.
"HellCat and Morpheus RaaS operations appear to be recruiting common affiliates," Walter said. "While it is not possible to assess the full extent of interaction between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups."
The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the threat.
"The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups," Trustwave said. "This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape."
Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).
"December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head," Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.
"The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025."