Jan 23, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Breach
An analysis of the ransomware operations run by HellCat and Morpheus has found that affiliates linked to the two groups are using the same code for their ransomware payloads.
The findings come from SentinelOne, which analyzed artifacts uploaded to VirusTotal by the same submitter toward the end of December 2024.
"These two payload samples are identical with the exception of the attacker's contact information and victim-specific data," security researcher Jim Walter said in a statement shared with The Hacker News.
Both HellCat and Morpheus are relative newcomers to the ransomware landscape, having emerged in October and December 2024, respectively.
A closer look at the Morpheus/HellCat payload, a 64-bit portable executable, shows that both samples require a path to be specified as an input argument.
Both are configured to exclude the \Windows\System32 folder, along with a hard-coded list of file extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from encryption.
Walter noted one unusual trait of the Morpheus and HellCat payloads: they do not change the extension of the files they encrypt. The file contents are encrypted, but file extensions and other metadata are left intact after the ransomware has processed them.
Both Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption; the encryption key is generated through that same API.
Aside from encrypting data and dropping near-identical ransom notes, the payloads make no further changes to affected systems: they do not change the desktop wallpaper or set up persistence mechanisms.
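The "extension left unchanged" trait described above defeats the simplest triage check (looking for a new ransomware extension), but it leaves a different tell: a file named report.pdf whose first bytes are no longer "%PDF", or a text file whose bytes are statistically indistinguishable from random. The script below is an added example, not SentinelOne's or the authors' code; it walks a directory, skips exactly the paths and extensions the article says the payload skips (so they would not have been encrypted anyway), and flags in-scope files whose header does not match their extension or whose entropy is near 8 bits per byte. The magic-byte table, the 7.5 bits/byte threshold and the constructed sample tree are this example's own assumptions.

```python
"""Triage scanner for files encrypted in place with their extension kept.
Added example, not code from the article or from SentinelOne; the magic
table, thresholds and sample data are this example's own assumptions."""
import math
import random
import tempfile
from pathlib import Path

# Exclusions the article reports for the Morpheus/HellCat payload. Files
# matching these would not have been encrypted, so scanning them is noise.
SKIPPED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}
SKIPPED_DIR = "windows/system32"

# Expected leading bytes for a few common formats (assumption: a small table
# is enough for triage; extend it for the estate being checked).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext approaches 8.0
MIN_SAMPLE = 1024        # too few bytes make the entropy estimate unreliable
SAMPLE_SIZE = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def in_payload_scope(path: Path, root: Path) -> bool:
    """Would the reported payload have considered this file for encryption?"""
    rel = path.relative_to(root).as_posix().lower()
    if SKIPPED_DIR in rel:
        return False
    return path.suffix.lower() not in SKIPPED_EXTENSIONS


def classify(path: Path):
    """Return a reason string if the file looks encrypted in place, else None."""
    head = path.read_bytes()[:SAMPLE_SIZE]
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known format: the header is a stronger signal than entropy.
        return None if any(head.startswith(m) for m in expected) else "header-mismatch"
    if len(head) >= MIN_SAMPLE and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return None


def scan(root: Path) -> dict:
    """Map of relative path -> reason for every in-scope file that looks encrypted."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not in_payload_scope(path, root):
            continue
        reason = classify(path)
        if reason:
            findings[path.relative_to(root).as_posix()] = reason
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data; 'encrypted' files are seeded pseudorandom bytes."""
    rng = random.Random(2025)
    files = {
        "clean.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "readme.txt": b"Quarterly figures attached, see sheet 2.\n" * 60,
        "report.pdf": rng.randbytes(SAMPLE_SIZE),                    # encrypted, extension kept
        "notes.txt": rng.randbytes(SAMPLE_SIZE),                     # encrypted, no header to check
        "lib.dll": rng.randbytes(SAMPLE_SIZE),                       # excluded by extension
        "Windows/System32/drivers.log": rng.randbytes(SAMPLE_SIZE),  # excluded by directory
    }
    for name, content in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{reason:16} {name}")
```

Run it against a suspect share with `scan(Path(r"\\host\share"))` and review the hits. The header check is reliable for formats with a fixed signature; the entropy check is only a heuristic and will also flag legitimately compressed or encrypted content (archives without a header, PGP files, media containers not in the table), so treat "high-entropy" hits as leads to confirm against backups or known-good copies rather than as proof of encryption.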
While the payloads themselves differ from Underground Team's, SentinelOne and security researcher Rakesh Krishnan noted that the ransom notes for HellCat and Morpheus are similar to those of Underground Team, another ransomware operation dating back to 2023.
"HellCat and Morpheus RaaS operations appear to be recruiting common affiliates," Walter said. Although it is not possible to fully assess the extent of interaction between the owners and operators of these services, a shared codebase, or possibly a shared builder application, appears to be leveraged by affiliates tied to both groups.
Despite ongoing law enforcement efforts to combat the threat, ransomware continues to thrive, though in an increasingly fragmented manner.
According to Trustwave, "the decentralization of operations, a trend fueled by the disruptions of larger groups," is becoming more prevalent in the financially motivated ransomware ecosystem. "This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape."
Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Other prevalent ransomware groups included Cl0p (68), Akira (43), and RansomHub (41).
"December is typically a much quieter month for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head," said Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group.
The rise of "new and aggressive actors" like FunkSec, which have been leading these attacks, is alarming, Usher added, and suggests a more turbulent threat landscape in 2025.