Exposed: HellCat and Morpheus Ransomware Share Identical Source Code

HellCat and Morpheus Ransomware Operations Share Identical Code, Analysis Reveals

Recent analysis by SentinelOne has uncovered that affiliates of HellCat and Morpheus ransomware operations are utilizing identical code in their ransomware payloads. Both groups, which emerged in late 2024, show remarkable similarities in their technical implementation.

Key Technical Findings:
– Both ransomware variants operate as 64-bit portable executables
– Both skip the \Windows\System32 folder and files with specific extensions (.dll, .sys, .exe, .drv, .com, .cat)
– Encrypted files keep their original extensions and metadata, so the encryption is not visible from file names alone
– Encryption is implemented through the Windows Cryptographic API (the BCrypt functions)
– No additional system modifications or persistence mechanisms are deployed

The ransom notes follow a template similar to Underground Team ransomware, though the payload structures differ. This suggests a shared codebase or builder application between affiliates of both groups.
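Because the encrypted files keep their original names, extensions and metadata, a defender cannot rely on a renamed-extension signature to spot affected files. The following Python triage helper is an added example, not code from the article or from SentinelOne: it reproduces the exclusion rules listed above (System32 and the six extensions) to decide which files the described payloads would have touched, then flags files whose content is near-random (high Shannon entropy) but whose format magic no longer matches the extension. The magic-byte table, the 7.5 bits-per-byte threshold and the sample corpus are constructed assumptions; random bytes stand in for ciphertext.

```python
import math
import random

# Exclusions the SentinelOne findings attribute to both payloads (from the list above).
EXCLUDED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}
EXCLUDED_DIR = "/windows/system32/"

# Constructed, minimal magic-byte table for formats whose legitimate files are
# already compressed: for these, high entropy alone would be a false positive,
# so we additionally require the header to be gone.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; an assumption, tune per environment


def normalise(path: str) -> str:
    """Lower-case and use forward slashes so Windows paths compare on any host."""
    return path.replace("\\", "/").lower()


def extension(path: str) -> str:
    """Extension of the final path component, including the dot ('' if none)."""
    name = normalise(path).rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def in_scope(path: str) -> bool:
    """True if the described payloads would touch this file:
    not under \\Windows\\System32 and not one of the excluded extensions."""
    p = normalise(path)
    if EXCLUDED_DIR in p:
        return False
    return extension(p) not in EXCLUDED_EXTENSIONS


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, prose sits far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(path: str, data: bytes) -> dict:
    """Flag a file whose content looks encrypted although its name did not change."""
    ent = shannon_entropy(data)
    expected = MAGIC.get(extension(path))
    if expected is not None and data.startswith(expected):
        looks_encrypted = False  # genuine compressed format, high entropy is normal
    else:
        looks_encrypted = ent >= ENTROPY_THRESHOLD
    return {
        "path": path,
        "entropy": round(ent, 2),
        "in_scope": in_scope(path),
        "suspicious": in_scope(path) and looks_encrypted,
    }


def triage(samples) -> list:
    """samples: iterable of (path, content). Returns the paths worth a closer look."""
    return [r["path"] for r in (assess(p, d) for p, d in samples) if r["suspicious"]]


# Constructed sample corpus; deterministic pseudo-random bytes stand in for ciphertext.
_rng = random.Random(20250101)


def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLES = [
    ("C:\\Users\\alice\\Documents\\notes.txt", b"Quarterly planning notes. " * 200),  # untouched text
    ("C:\\Users\\alice\\Documents\\report.docx", _noise(4096)),                      # extension kept, body encrypted
    ("C:\\Users\\alice\\Pictures\\logo.png", MAGIC[".png"] + _noise(4096)),          # genuine compressed image
    ("C:\\Windows\\System32\\drivers\\etc\\hosts", _noise(4096)),                    # excluded folder
    ("C:\\Program Files\\App\\helper.dll", _noise(4096)),                            # excluded extension
]

if __name__ == "__main__":
    for p, d in SAMPLES:
        print(assess(p, d))
    print("suspicious:", triage(SAMPLES))
```

Run against a real file share, the `in_scope` filter keeps the scan focused on what the payloads would actually have encrypted, while the magic check prevents every JPEG and ZIP from lighting up; anything flagged should be compared with its last-known-good copy from backup rather than treated as proof on its own.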

Industry Impact:
December 2024 witnessed a record 574 ransomware attacks, with emerging groups like FunkSec leading with 103 incidents, followed by Cl0p (68), Akira (43), and RansomHub (41). This unprecedented activity indicates a shift toward a more fragmented yet resilient ransomware ecosystem, characterized by smaller, agile operators replacing larger disrupted groups.

The findings highlight the evolving nature of ransomware operations and suggest an increasingly complex threat landscape for 2025.