HellCat and Morpheus are showing a concerning trend of shared infrastructure and tactics in the cybercriminal ecosystem.
Both gangs surfaced in mid-to-late 2024, with HellCat quickly gaining notoriety for targeting high-profile entities, including a significant ransomware attack on the telecommunications giant Telefónica in January 2025. Meanwhile, Morpheus, though less visible, launched a data leak site in December 2024, focusing on industries like pharmaceuticals and manufacturing.
Shared Code and Techniques
Recent research by SentinelOne has uncovered alarming similarities between the ransomware payloads of HellCat and Morpheus.
· Identical Payloads: The payloads share almost identical code, suggesting a common builder application or shared infrastructure among affiliates.
· File Extension Behavior: Uniquely, both ransomware types leave original file extensions intact after encryption, which is atypical for ransomware.
· Ransom Notes: Both gangs utilize a similar template for their ransom notes, saved as _README_.txt, and launched via Notepad after encryption.
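Because both families leave the original file extension in place, extension-based triage will not flag encrypted files; a defender can instead compare each file's header with the signature its extension implies, and look for the reported note filename. The Python below is an added example written for this page, not code from SentinelOne or from the report; the signature table and the sample directory it scans are constructed.

```python
import os
import tempfile

# Constructed signature table for a few common types (assumption: a real deployment
# would use a fuller database such as libmagic rather than this short list).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}
RANSOM_NOTE = "_README_.txt"   # note filename reported for HellCat and Morpheus

def header_mismatch(path):
    """True when a file keeps a known extension but its content no longer starts
    with that type's signature, i.e. it was overwritten in place, name intact."""
    ext = os.path.splitext(path)[1].lower()
    sig = MAGIC.get(ext)
    if sig is None:          # unknown type: nothing to compare against
        return False
    with open(path, "rb") as f:
        return f.read(len(sig)) != sig

def scan_tree(root):
    """Walk a directory tree; return (dirs containing a ransom note, mismatched files)."""
    notes, mismatches = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(dirpath)
            elif header_mismatch(full):
                mismatches.append(full)
    return sorted(notes), sorted(mismatches)

def build_sample_tree():
    """Constructed sample: an intact PDF, a PDF whose bytes were replaced but whose
    name was kept, and a ransom note dropped beside them. Returns the temp root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "ok.pdf"), "wb") as f:
        f.write(b"%PDF-1.7 sample document")
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(bytes(range(32)))       # stands in for ciphertext; extension unchanged
    with open(os.path.join(root, RANSOM_NOTE), "w") as f:
        f.write("constructed note text")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

On the constructed tree this reports the temp directory as holding a note and report.pdf as the only header mismatch; ok.pdf passes.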
Ransomware-as-a-Service (RaaS) Landscape
The rise of these gangs reflects a more fragmented ransomware ecosystem, especially following law enforcement operations that have disrupted established RaaS groups like LockBit. The research indicates:
· Growing Collaboration: There’s an increasing trend of ransomware groups sharing tactics, techniques, and procedures (TTPs).
· Affiliate Movement: Affiliates frequently switch between different RaaS operators, contributing to a more crowded marketplace.
· Nation-State Involvement: There's also evidence of collaboration between nation-state actors and ransomware groups, further complicating the threat landscape.
The Financial Stakes
With ransom demands reportedly reaching up to 32 BTC (approximately $3 million), the implications for businesses and organizations are severe. The sophistication of these operations highlights the urgent need for robust cybersecurity measures.
Keeping Safe
· Implement Multi-Factor Authentication (MFA): Strengthening access controls can help mitigate risks.
· Regular Security Audits: Conduct frequent assessments of security protocols and systems.
· Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors.