Morpheus and HellCat, two new ransomware groups, have been discovered sharing identical code in their payloads. This revelation highlights the interconnected nature of emerging ransomware operations. A detailed analysis by researchers found that both ransomware types use the same codebase, differing only in victim-specific data and attacker contact details.
These ransomware families first appeared in late 2024, with HellCat emerging in October and Morpheus following in December. Both use a 64-bit executable file requiring a specified path as an input argument. Interestingly, their encryption process excludes the \Windows\System32 folder and specific file types such as .dll, .sys, and .exe. Additionally, they rely on the Windows Cryptographic API and the BCrypt algorithm for file encryption.
An unusual characteristic of these payloads is their retention of original file extensions and metadata after encryption. This approach deviates from the norm, where ransomware typically alters file extensions. Beyond encrypting data, neither Morpheus nor HellCat modifies system settings, such as changing desktop wallpapers or establishing persistence mechanisms.
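Because these payloads keep the original file extension, the usual "new extension appeared" indicator never fires, so a defender has to inspect content rather than names. The following is an added Python example, not code from the researchers' analysis: it flags files whose extension implies a well-known header but whose leading bytes no longer carry it and are near-random, run over a constructed sample directory; the MAGIC table and the entropy threshold are illustrative assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Illustrative header table (assumption: a small subset, not a full signature database).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for real documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted_in_place(path: Path, threshold: float = 7.5) -> bool:
    """Flag a file whose extension promises a known header but whose first bytes
    no longer carry it and are near-random: the footprint of a payload that
    encrypts content while leaving the file name untouched."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: nothing to compare the header against
    with path.open("rb") as f:
        head = f.read(4096)
    if head.startswith(expected):
        return False  # header intact, content not replaced
    return shannon_entropy(head) >= threshold

def scan(root: Path) -> list[str]:
    """Walk a tree and return the names of files that look encrypted in place."""
    return sorted(p.name for p in root.rglob("*")
                  if p.is_file() and looks_encrypted_in_place(p))

def demo() -> list[str]:
    """Constructed sample tree: one intact PDF and two files encrypted in place."""
    root = Path(tempfile.mkdtemp())
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"intact content\n" * 50)
    (root / "budget.xlsx").write_bytes(os.urandom(8192))  # ciphertext, name kept
    (root / "notes.docx").write_bytes(os.urandom(8192))   # ciphertext, name kept
    return scan(root)

if __name__ == "__main__":
    print(demo())  # -> ['budget.xlsx', 'notes.docx']
```

A header check alone would also flag legitimately odd files, which is why the entropy test is paired with it; tune the threshold against a baseline of your own file shares before alerting on it.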
The ransom notes for both groups follow a template previously used by Underground Team, a ransomware entity active since 2023. However, the HellCat and Morpheus payloads remain structurally distinct from Underground Team's. Researchers suggest that affiliates of these groups might be using a shared codebase or a common builder tool to generate their payloads.
The ransomware landscape continues to fragment, driven by the decentralization of operations and the rise of smaller, agile groups. Recent data highlights a record 574 ransomware attacks in December 2024 alone. Among the most active groups were FunkSec, Cl0p, Akira, and RansomHub. Experts warn that the rise of aggressive newcomers like FunkSec indicates a more chaotic threat landscape for 2025.
Preventing the Threat
To reduce ransomware risks, organizations must adopt robust security measures. These include regular software updates, strong password policies, and network monitoring for suspicious activity. Employee training to recognize phishing and other social engineering tactics is vital. Additionally, maintaining offline backups and limiting access to critical systems can significantly reduce potential damage.