Analysis of the HellCat and Morpheus ransomware operations revealed that affiliates associated with the respective cybercrime actors use identical code for their ransomware.
The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same author in late December 2024.
“These two payload samples are identical except for the victim’s specific details and the attacker’s contact details,” security researcher Jim Walter said in a new report shared with The Hacker News.
Both HellCat and Morpheus are new entrants to the ransomware ecosystem, appearing in October and December 2024, respectively.
Further examination of the Morpheus/HellCat payload, a 64-bit portable executable, revealed that both samples require a path as an input argument.
They are both configured to exclude the \Windows\System32 folder as well as a hard-coded list of extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process.
“An unusual characteristic of these Morpheus and HellCat payloads is that they do not change the extension of the target and encrypted files,” Walter said. “The file contents will be encrypted, but the file extensions and other metadata will remain intact after being processed by the ransomware.”
In addition, the Morpheus and HellCat samples rely on the Windows Cryptographic API to generate keys and encrypt files rather than on a custom routine; the encryption key is generated through the BCrypt functions of the Cryptography API: Next Generation (CNG).
Other than encrypting files and dropping identical ransom notes, the samples make no further changes to the affected systems, such as changing desktop wallpapers or tampering with storage mechanisms.
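Because these payloads leave file extensions and metadata untouched, an incident responder cannot find affected files by looking for a new extension. The following Python triage script, an added example that is not SentinelOne's or The Hacker News' code, instead walks a tree using the payload's own scoping rules (skipping \Windows\System32 and the listed extensions) and flags files whose content no longer fits their extension, either because a known file signature is gone or because an otherwise plain file is now high-entropy. The entropy threshold, sample size and signature table are assumptions chosen for this example, and the sample tree is constructed inline, not real incident data.

```python
import math
import os
import tempfile
from pathlib import Path

# Exclusion rules described in the SentinelOne analysis of the HellCat/Morpheus
# payload: the \Windows\System32 folder and these extensions are skipped.
EXCLUDED_DIR_FRAGMENT = os.path.join("Windows", "System32").lower()
EXCLUDED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}

# Assumed triage parameters (not from the page): how many leading bytes to
# sample, and the Shannon entropy (bits per byte) above which content is
# treated as encrypted or compressed.
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5

# Well-known file signatures. A file whose extension is intact but whose
# header no longer matches is a strong hint of in-place encryption.
MAGIC_BY_EXTENSION = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def would_be_targeted(path) -> bool:
    """Mirror the payload's exclusion list: True if the file is in scope."""
    path = Path(path)
    if EXCLUDED_DIR_FRAGMENT in str(path).lower():
        return False
    return path.suffix.lower() not in EXCLUDED_EXTENSIONS


def looks_encrypted(path) -> bool:
    """Flag a file whose extension is intact but whose content no longer fits it."""
    path = Path(path)
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if not head:
        return False
    magic = MAGIC_BY_EXTENSION.get(path.suffix.lower())
    if magic is not None:
        # Compressed formats are legitimately high-entropy, so for known
        # signatures rely on the header check alone.
        return not head.startswith(magic)
    # For everything else (text, CSV, unknown types) fall back to entropy.
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan(root) -> list:
    """Walk root with the payload's own scoping rules; return suspect files."""
    root = Path(root)
    return [
        p for p in sorted(root.rglob("*"))
        if p.is_file() and would_be_targeted(p) and looks_encrypted(p)
    ]


def build_demo_tree() -> Path:
    """Constructed sample tree (not real incident data) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "notes.txt").write_bytes(b"quarterly figures, nothing unusual here\n" * 100)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000)
    # Simulated in-place encryption: random bytes, extension left unchanged.
    (root / "report.docx").write_bytes(os.urandom(4096))
    (root / "budget.txt").write_bytes(os.urandom(4096))
    # Out of scope under the payload's rules, so never flagged even if random.
    sysdir = root / "Windows" / "System32"
    sysdir.mkdir(parents=True)
    (sysdir / "blob.bin").write_bytes(os.urandom(4096))
    (root / "driver.sys").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for suspect in scan(demo):
        print("suspect:", suspect.relative_to(demo))
```

Run it against a mounted image or a copied share rather than a live host. The entropy fallback will also flag legitimately compressed files whose signature is not in the table (archives, media), so treat hits as a prioritised list for manual review, and extend the signature table with the formats common in the environment being triaged.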
SentinelOne said the ransom notes for HellCat and Morpheus follow the same pattern as those of Underground Team, another ransomware scheme that emerged in 2023, although the ransomware payload itself is structurally and functionally different.
“HellCat and Morpheus RaaS operations appear to be recruiting common partners,” Walter said. “While it is impossible to assess the full extent of interaction between the owners and operators of these services, it appears that a common code base, or perhaps a common builder program, is used by partners associated with both groups.”
The development comes at a time when ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite law enforcement’s ongoing efforts to combat the threat.
“The financially motivated ransomware ecosystem is increasingly characterized by decentralized operations, a trend driven by the disruption of larger groups,” Trustwave said. “This shift has paved the way for smaller, more nimble actors to shape a fragmented but resilient landscape.”
Data shared by NCC Group shows that a record 574 ransomware attacks were recorded in December 2024 alone, with FunkSec accounting for 103 of those incidents. Other prolific groups that month were Cl0p (68), Akira (43), and RansomHub (41).
“December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks, turning that pattern on its head,” Ian Usher, deputy director of threat intelligence operations and innovation services at NCC Group, said.
“The emergence of new and aggressive actors like FunkSec, which have been at the forefront of these attacks, is alarming and points to a more turbulent threat in 2025.”