Morpheus and HellCat Ransomware Payloads Reveal Shared Codebase

January 24, 2025

Cybersecurity researchers have uncovered significant similarities between Morpheus and HellCat ransomware operations, revealing that their affiliates are utilizing nearly identical code for ransomware payloads.

The discovery comes from a detailed analysis by SentinelOne, which examined artifacts uploaded to VirusTotal towards the end of December 2024. Both emerging ransomware-as-a-service (RaaS) operations have demonstrated remarkably consistent characteristics in their malware deployment strategies.

Researchers found that the payload samples were identical except for victim-specific data and attacker contact details. Both payloads are 64-bit portable executable files requiring a specific path argument for execution and share unique encryption characteristics.

An unusual feature of these ransomware variants is their approach to file encryption. Unlike typical ransomware that modifies file extensions, these payloads encrypt file contents while leaving extensions and metadata unchanged. They are configured to exclude specific file types like .dll, .sys, and .exe, and avoid encrypting the Windows\System32 folder.

The encryption mechanism relies on the Windows Cryptographic API, using the BCrypt functions for key generation and file encryption. Beyond encrypting files and dropping ransom notes, the payloads make no additional system modifications.
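Because these payloads overwrite file contents in place while leaving the extension and metadata untouched, a defender cannot rely on renamed files to spot the damage. The following is an added example (not code from the article or from SentinelOne's analysis) showing one content-based check: it scores each file's byte entropy and compares the first bytes against the signature its extension implies, flagging files that are high-entropy and no longer look like their declared type. The magic-byte table, the text-extension list, the 7.5 bits-per-byte threshold and the constructed sample tree are all assumptions chosen for the demonstration.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed signature table: extensions whose genuine content begins with a
# known magic. A missing magic plus near-random bytes suggests the content
# was overwritten in place.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
# Assumed list of extensions that should hold mostly printable text.
TEXT_EXTS = {".txt", ".csv", ".log", ".json", ".xml", ".ini"}
# Types the reported payloads exclude; their legitimate contents are also
# often packed, so they are skipped rather than scored.
SKIP_EXTS = {".dll", ".sys", ".exe"}

ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def looks_encrypted(data: bytes, ext: str) -> bool:
    """True when the content is near-random AND no longer matches its extension."""
    ext = ext.lower()
    if ext in SKIP_EXTS:
        return False
    high_entropy = shannon_entropy(data) >= ENTROPY_THRESHOLD
    if ext in MAGIC:
        # Compressed formats are high-entropy by nature; the lost magic is the tell.
        return high_entropy and not data.startswith(MAGIC[ext])
    if ext in TEXT_EXTS:
        return high_entropy and printable_ratio(data) < 0.5
    return False  # unknown type: no basis to judge


def scan_tree(root: str, head_bytes: int = 65536) -> list[str]:
    """Walk a directory and return the relative paths that look overwritten."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        # The reported payloads leave Windows\System32 alone, so it is skipped here.
        dirnames[:] = [d for d in dirnames if d.lower() != "system32"]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    data = fh.read(head_bytes)  # the head is enough to score
            except OSError:
                continue
            if looks_encrypted(data, path.suffix):
                flagged.append(str(path.relative_to(root)))
    return sorted(flagged)


def build_demo_tree() -> str:
    """Constructed sample files: intact documents beside in-place overwrites."""
    root = tempfile.mkdtemp(prefix="entropy-demo-")
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    noise = bytes(rng.randrange(256) for _ in range(8192))
    samples = {
        "notes.txt": b"quarterly planning notes\n" * 40,      # intact text
        "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << >>\n" * 50,  # intact PDF
        "archive.zip": b"PK\x03\x04" + noise,  # high entropy but magic intact
        "invoice.txt": noise,                  # text file overwritten in place
        "budget.xlsx": noise,                  # magic gone, content random
        "tool.exe": noise,                     # excluded type, never scored
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan_tree(demo):
        print("possible in-place encryption:", hit)
```

Run against the constructed tree, only `budget.xlsx` and `invoice.txt` are reported: the intact PDF and the genuine zip keep their signatures, and `tool.exe` is never scored. Entropy alone would misfire on archives and media, which is why the signature check is paired with it; in a real sweep the table would be extended to the document types the environment actually holds.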

Interestingly, the ransom notes follow a nearly identical template, suggesting a potential shared infrastructure or builder application among the ransomware affiliates. This development highlights the increasingly fragmented and collaborative nature of the ransomware ecosystem.

Security experts suggest that while the full extent of interaction between Morpheus and HellCat operators remains unclear, the shared codebase indicates a potential collaborative approach among cybercriminal groups.

The findings underscore the evolving tactics of ransomware operators, who continue to adapt and share techniques to maximize their operational effectiveness. As these groups become more sophisticated, cybersecurity professionals must remain vigilant and continuously update their threat detection strategies.


Anthony Denis

Anthony Denis a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
