
An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.
The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter toward the end of December 2024.
“These two payload samples are identical apart from victim-specific data and the attacker contact details,” security researcher Jim Walter said in a new report shared with The Hacker News.

Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.
A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.
They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process.
“An unusual feature of these Morpheus and HellCat payloads is that they do not modify the extension of targeted and encrypted files,” Walter said. “The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware.”
Furthermore, the Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated using the BCrypt algorithm.
Apart from encrypting the files and dropping the related ransom notes, no other system modifications are made to the affected systems, such as changing the desktop wallpaper or installing persistence mechanisms.
SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that emerged in 2023, even though the ransomware payloads themselves are structurally and functionally different.
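The behaviour described above (contents encrypted, extensions and metadata untouched, a fixed skip list of system extensions and the System32 folder) means that an encrypted document keeps looking like a document to anything that trusts file names. The following Python script is an added example, not code from SentinelOne or from the report: a defender-side triage check that reads the first bytes of each file, compares them with the signature its extension implies, and measures the entropy of the header, so that a `.pdf` whose leading bytes no longer say `%PDF` and look random is flagged. The signature table and the sample files are constructed for the example; the skip list and the excluded folder are the ones the report names.

```python
import math
import os
from collections import Counter

# Constructed signature table for this example: the leading bytes files with
# these extensions normally start with. Extend it for the document types you care about.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}

# Extensions the report says the payload leaves untouched; no point scanning them.
EXCLUDED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}

# Folder the report says the payload skips (matched case-insensitively on Windows paths).
EXCLUDED_DIR = r"\windows\system32"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Verdict for one file, given its name and (at least) its first 4 KiB."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXCLUDED_EXTENSIONS:
        return "excluded"
    ent = shannon_entropy(data[:4096])
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        # Extension intact but the expected header is gone: the pattern the report describes.
        return "suspect" if ent > threshold else "magic-mismatch"
    if expected is None and ent > threshold:
        # No signature to compare against; random-looking content is still worth a look.
        return "high-entropy"
    return "ok"


def scan_directory(root: str) -> dict:
    """Walk a tree and classify every file, skipping the folder the payload itself skips."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if EXCLUDED_DIR in os.path.normpath(dirpath).lower():
            continue
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            results[path] = classify(fn, head)
    return results


# Constructed in-memory samples so the example runs without touching the disk.
CONSTRUCTED_SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.7\n" + b"plain text content " * 50,
    "quarterly-report-after.pdf": bytes(range(256)) * 16,  # stands in for ciphertext
    "kernel32.dll": bytes(range(256)) * 16,                # skipped by the payload anyway
    "notes.txt": b"hello world " * 100,
}


def scan_samples(samples=CONSTRUCTED_SAMPLES) -> dict:
    """Classify the constructed samples; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:15} {name}")
```

The entropy threshold of 7.5 bits per byte separates ciphertext from ordinary documents well, but compressed formats (ZIP-based Office files, JPEG, PNG) are also high-entropy, which is why the magic-byte check is the primary signal and entropy only escalates a header mismatch to "suspect". Run `scan_directory` against a file share and sort on the "suspect" verdicts to find the files that need restoring from backup.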

“HellCat and Morpheus RaaS operations appear to be recruiting common affiliates,” Walter said. “While it is not possible to assess the full extent of interplay between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups.”
The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the threat.
“The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups,” Trustwave said. “This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape.”

Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).
“December is typically a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head,” Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.
“The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025.”