Introduction

In December 2024, two ransomware-as-a-service (RaaS) operations, HellCat and Morpheus, gained significant attention for their attacks on high-value sectors such as pharmaceuticals, manufacturing, and government entities [1] [2] [3] [4] [5] [7]. These groups, which emerged earlier in the year, exhibit notable operational similarities, particularly in their payloads and encryption methods, suggesting a potential shared infrastructure [6]. This development highlights the increasing industrialization of ransomware and the challenges it poses to cybersecurity.

Description

In late December 2024, two ransomware-as-a-service operations, HellCat and Morpheus, gained notoriety for targeting high-value sectors, including pharmaceuticals, manufacturing, and government entities [1] [2] [3] [4] [5] [7]. Both groups emerged in mid to late 2024 and have been identified as having significant operational similarities, particularly in their payloads, which share an almost identical codebase and are linked to the same submitter ID [4]. Their payloads consist of standard 64-bit portable executable (PE) files, approximately 18KB in size [3] [4], that require specific execution parameters, including a designated path argument [5].

The execution process for Morpheus involves a batch file named "er.bat", which copies files related to nginx and Trend Micro products to the target system. Unusually, both HellCat and Morpheus retain original file extensions and metadata after encryption, which is atypical for ransomware families [2]. They employ a hard-coded list of file extensions, such as dll, sys, and exe, that are excluded from encryption [3] [4] [6], and they also skip critical system folders, specifically the \Windows\System32 directory [3] [4] [7]. The encryption process uses the Windows Cryptographic API [3] [4], specifically the BCrypt functions for key generation and file encryption [6], similar to methods used by earlier ransomware families like LockBit and ALPHV [4]. This approach encrypts file contents without altering file extensions, minimizing visible system disruption while maximizing leverage over victims [7].
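Because these payloads leave extensions and metadata untouched, a name-based inventory will not reveal encrypted files; the content has to be inspected. The following added example (not code from the page or from the reports it cites) illustrates one defender-side heuristic: flag a file whose extension promises a known header but whose leading bytes no longer carry that header and look like ciphertext (high Shannon entropy). The magic-byte table, the 7.5 bits/byte threshold, and the sample files are assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter
from pathlib import PureWindowsPath

# Assumed, illustrative table of expected leading bytes; not a complete file-type database.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
# Extensions the payload is reported to exclude from encryption; nothing to check there.
SKIPPED = {".dll", ".sys", ".exe"}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off, in bits per byte, for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(path: str, head: bytes) -> dict:
    """Flag a file whose name still claims a known type but whose header is gone and content is high-entropy."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext in SKIPPED or ext not in MAGIC:
        return {"path": path, "suspicious": False, "reason": "not scanned"}
    magic_ok = head.startswith(MAGIC[ext])
    ent = shannon_entropy(head)
    # Both signals are required: compressed formats (PNG, OOXML) are high-entropy but keep their header.
    return {"path": path, "suspicious": (not magic_ok) and ent >= ENTROPY_THRESHOLD,
            "magic_ok": magic_ok, "entropy": round(ent, 2)}


def scan(samples):
    """Run assess() over (path, leading bytes) pairs, e.g. the first 4 KiB of each file."""
    return [assess(p, h) for p, h in samples]


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample, not real ransomware output)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample inputs: an intact PDF, a spreadsheet encrypted in place, and an excluded DLL.
SAMPLES = [
    ("C:\\Users\\alice\\Documents\\report.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    ("C:\\Users\\alice\\Documents\\budget.xlsx", _pseudo_random(4096)),
    ("C:\\Windows\\System32\\ntdll.dll", _pseudo_random(4096)),
]
```

Only the spreadsheet is flagged: its name is unchanged, but its header is missing and its contents are near 8 bits/byte.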

The ransom notes generated by both groups are nearly identical [4] [5], following a consistent template with variations only in victim-specific details and attacker contact information. Each note instructs victims to log into an attacker-controlled onion portal using provided credentials [4] [7]. Ransom demands from Morpheus have reportedly reached up to $3 million, reflecting the high stakes involved in their operations. Despite some similarities to the Underground Team ransomware gang [1], which suggest a potential shared builder application or codebase [1], HellCat and Morpheus exhibit structurally and functionally different payloads [1], indicating independent development [1].

The similarities in payload structure [4] [5], encryption methods [4] [6], and ransom note formatting suggest a significant interaction between their operations, indicating the potential for a shared infrastructure among affiliates of both groups. This trend reflects a growing industrialization of ransomware [2] [3], particularly as law enforcement actions have disrupted several high-profile ransomware-as-a-service (RaaS) groups [2], leading to increased fragmentation within the landscape and underscoring the need for enhanced threat detection and defense strategies.

Conclusion

The emergence of HellCat and Morpheus underscores the evolving threat landscape of ransomware, characterized by increased sophistication and collaboration among cybercriminal groups. The operational similarities between these groups suggest a shared infrastructure, which complicates efforts to combat such threats. As ransomware continues to industrialize, it is imperative for organizations to bolster their cybersecurity measures, focusing on threat detection and defense strategies [1]. Additionally, law enforcement and international cooperation are crucial in disrupting these operations and mitigating their impact on critical sectors.

References

[1] https://www.scworld.com/brief/hellcat-morpheus-raas-operations-leverage-similar-payloads
[2] https://www.infosecurity-magazine.com/news/ransomware-shared-code-ransom-notes/
[3] https://gbhackers.com/ransomware-share-identical-payloads-for-attacks/
[4] https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/
[5] https://cyberpress.org/hellcat-and-morpheus-ransomware-using-identical-payload/
[6] https://thesecmaster.com/blog/morpheus-and-hellcat-ransomware-payloads-reveal-shared-codebase
[7] https://siliconangle.com/2025/01/23/sentinelone-report-highlights-shared-tactics-hellcat-morpheus-ransomware-groups/