HellCat and Morpheus Ransomware Using Identical Payloads for Infection

The cybersecurity landscape has witnessed a surge in ransomware activity over the past six months, driven by new actors and the resurgence of established groups.

Notably, the emergence of ransomware families like FunkSec, Nitrogen, and Termite has been accompanied by the reappearance of Cl0p and the rollout of LockBit 4.0.

Simultaneously, Ransomware-as-a-Service (RaaS) offerings such as HellCat and Morpheus have garnered increased attention, with HellCat operators actively working to position their service as a “reputable” brand in the cybercrime economy.

High-Profile Targets and Public Branding

HellCat ransomware, launched in mid-2024, is linked to high-ranking BreachForums members, including personas like Rey, Pryx, Grep, and IntelBroker.

The operators are known for targeting “big game” organizations, including government entities, while courting direct media coverage and issuing unconventional ransom demands to solidify their presence in the crimeware ecosystem.

Researchers highlight the public-facing strategies HellCat employs to augment its reputation.

By leveraging recognizable branding techniques and targeting high-value victims, HellCat has climbed the ranks of the ransomware hierarchy.

Unlike HellCat, Morpheus RaaS, which launched its data leak site (DLS) in December 2024, operates semi-privately with less emphasis on public branding.

The group’s attacks have primarily focused on the pharmaceutical and manufacturing sectors in Italy, with its ransomware used to compromise VMware ESXi virtualization environments.

Despite its understated profile, Morpheus affiliates have issued ransom demands as high as 32 BTC (approximately $3 million USD).

Shared Affiliates

In late December 2024, researchers identified two highly similar ransomware payloads uploaded to VirusTotal, one on December 22 and the other on December 30.

Both payloads, linked to the same submitter ID, share an almost identical codebase, suggesting that a single affiliate is working across both the HellCat and Morpheus operations.

Upon analysis, the payloads were found to be standard 64-bit PE files (~18KB in size) that require specific command-line parameters to execute.

A further file, “er.bat,” uploaded by the same submitter on December 31, documents the execution process: it deploys the Morpheus ransomware by copying files associated with nginx and Trend Micro products into a local directory on the target system before launching the payload.

Interestingly, while encrypting file contents, neither HellCat nor Morpheus alters the file extensions, an atypical behavior among ransomware families. Detection logic that keys on a ransomware-specific extension will therefore miss these families; encrypted files have to be identified by their contents.

[Figure: HellCat-encrypted files, no extension change]

Encryption in both cases leverages the Windows Cryptographic API (BCrypt), a method also employed by earlier LockBit and ALPHV versions.

According to SentinelOne, the ransomware excludes certain file extensions (e.g., .dll, .sys) and operating system directories (\Windows\System32) from encryption.
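Because neither payload renames what it encrypts, a hunt keyed on file extensions finds nothing; files have to be judged by their contents. The script below is an added example, not code from the article or from SentinelOne, and it serves both the no-extension-change observation and the exclusion list above. It mirrors the partial skip list the article reports (.dll, .sys, \Windows\System32) so the scan does not waste time where the payload never encrypts, then flags files whose header no longer matches what their name claims and, for formats without a known header, files whose entropy looks like ciphertext. The magic-number table, the sample files and the 7.5 bits/byte entropy threshold are constructed assumptions for the example, not values taken from the payloads.

```python
"""Hunt for files encrypted in place (no extension change) by content, not name."""
import math
import os
import tempfile
from pathlib import Path

# Exclusions the article reports for the HellCat/Morpheus payloads. The full
# list is not published, so this is a partial, assumed reconstruction.
SKIPPED_EXTENSIONS = {".dll", ".sys"}
SKIPPED_DIR_PAIR = ("windows", "system32")

# Constructed magic-number table for formats with a predictable header.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".exe": b"MZ",
}
ENTROPY_THRESHOLD = 7.5  # assumed heuristic, bits/byte; ciphertext sits near 8.0
SAMPLE_BYTES = 4096      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_excluded(path: Path) -> bool:
    """Mirror the payload's own skip list: these files are never encrypted."""
    if path.suffix.lower() in SKIPPED_EXTENSIONS:
        return True
    parts = [p.lower() for p in path.parts]
    return any(tuple(parts[i:i + 2]) == SKIPPED_DIR_PAIR for i in range(len(parts) - 1))


def classify(path: Path) -> str:
    """Return 'excluded', 'header-mismatch', 'high-entropy' or 'ok' for one file."""
    if is_excluded(path):
        return "excluded"
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known format: the header either matches or the bytes are not what the name says.
        return "ok" if head.startswith(expected) else "header-mismatch"
    # Unknown format: fall back to entropy. Compressed data is also high-entropy,
    # so this is a lead for triage, not a verdict.
    return "high-entropy" if shannon_entropy(head) > ENTROPY_THRESHOLD else "ok"


def scan(root: Path) -> dict:
    """Walk root and report every file whose verdict is not 'ok', keyed by POSIX relative path."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            verdict = classify(p)
            if verdict != "ok":
                findings[p.relative_to(root).as_posix()] = verdict
    return findings


def build_sample_tree(root: Path) -> None:
    """Write constructed sample files: intact, encrypted in place, and excluded ones."""
    (root / "docs").mkdir(parents=True)
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "docs" / "intact.pdf").write_bytes(b"%PDF-1.7\n" + b"0 obj\n" * 200)
    (root / "docs" / "notes.txt").write_bytes(b"quarterly report draft\n" * 100)
    # Encrypted in place: the name still says .pdf, but the header is gone.
    (root / "docs" / "locked.pdf").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "docs" / "locked.dat").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "docs" / "driver.sys").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "Windows" / "System32" / "kernel.bin").write_bytes(os.urandom(SAMPLE_BYTES))


def demo() -> dict:
    """Build the sample tree in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:16} {path}")
```

The header check is the reliable signal: a .pdf that no longer starts with %PDF- has been overwritten by something. The entropy fallback is deliberately second-rate, since archives, images and already-encrypted containers look the same as ciphertext at the byte level, so in production it should feed a triage queue rather than an alert.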

The ransom notes generated by HellCat and Morpheus follow a nearly identical template, with victims instructed to log in to specified .onion portals using credentials provided in the note.

[Figure: Morpheus ransom note displayed post-encryption]

Each family's note carries its own operation-specific contact details, but the layout and flow are consistent across both.

Researchers note similarities in ransom note templates between HellCat, Morpheus, and another RaaS group, Underground Team.

Despite the resemblance, payload structures and functionalities differ, and there is no conclusive evidence of direct collaboration or a shared codebase between the groups.
