
Experts Discover Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Ransomware payloads used by Morpheus and HellCat, two emerging ransomware operations.

By WIRE TOR - Ethical Hacking Services · Published 12 months ago · 4 min read

Recent research has exposed significant similarities between the ransomware payloads used by Morpheus and HellCat, two emerging ransomware operations that have quickly gained attention in the cybersecurity landscape. Both ransomware variants share an identical codebase, raising concerns about the growing trend of code-sharing and collaboration in the ransomware-as-a-service (RaaS) ecosystem.

The Investigation: Identical Payloads with Shared Origins

The discovery was made after researchers analyzed artifacts uploaded to VirusTotal in late December 2024. These artifacts, submitted by the same source, revealed that the Morpheus and HellCat ransomware payloads are nearly identical in structure and functionality.

"These two payload samples are identical except for victim-specific data and the attacker contact details," the report highlighted, indicating that both ransomware groups may be leveraging the same tools or builder applications.

Who Are Morpheus and HellCat?

Morpheus and HellCat are relatively new entrants to the ransomware ecosystem. Morpheus emerged in October 2024, followed by HellCat in December 2024. Both groups operate under the RaaS model, which allows affiliates to use pre-developed ransomware payloads in exchange for a share of the ransom profits.

This model has fueled the rapid proliferation of ransomware groups, as it reduces the technical barriers for attackers. Affiliates can focus on distributing the ransomware and negotiating with victims, while developers provide the tools and infrastructure required to carry out the attacks.

Technical Analysis of the Ransomware

The payloads for Morpheus and HellCat are 64-bit portable executables. Both samples require a file path to be specified as an input argument during execution. Once executed, the ransomware encrypts files within the specified directory, but it is configured to exclude certain files and folders.

Notably, the ransomware skips the \Windows\System32 directory, a critical part of the Windows operating system, so that the infected system remains bootable and usable. It also skips files with specific extensions, including .dll, .sys, .exe, .drv, .com, and .cat. This selective encryption approach minimizes the risk of rendering the victim's system completely unusable, which could hinder ransom negotiations.

One unusual characteristic of these ransomware variants is their decision not to alter the file extensions of encrypted files. While the file contents are fully encrypted, the original extensions and metadata remain intact. This strategy may be intended to make the encryption process less noticeable to victims initially, delaying detection.
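Because these samples leave file names and extensions untouched, a defender cannot rely on the usual "new extension appeared" signal. The check that still works is to compare each file's declared type against its actual content: a file named .png whose first bytes are not a PNG header and whose content is near-random is very likely ciphertext. The following script is an added example written for this article, not code from the original report or from either ransomware operation; the magic-byte table, the 7.5 bits/byte entropy threshold, and the sample files it builds are all constructed assumptions for illustration.

```python
"""Detect in-place encrypted files by header/extension mismatch and entropy."""
import math
import os
import tempfile
from collections import Counter

# Constructed, non-exhaustive table of well-known file signatures (assumption:
# a real deployment would use a fuller list, e.g. from libmagic).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks like ciphertext"
SAMPLE_SIZE = 4096        # only the leading bytes are examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for a single file.

    A file is flagged when its extension has a known signature that the
    content does not carry (the strong signal for extension-preserving
    ransomware), or when it has no known signature but is near-random.
    High entropy alone is NOT enough: zip/docx/jpg are legitimately dense.
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)

    reasons = []
    expected = MAGIC.get(ext)
    header_mismatch = expected is not None and not head.startswith(expected)
    if header_mismatch:
        reasons.append(f"content does not start with the {ext} signature")

    ent = shannon_entropy(head)
    if ent >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy: {ent:.2f} bits/byte")

    suspicious = header_mismatch or (expected is None and ent >= ENTROPY_THRESHOLD)
    return suspicious, reasons


def scan_directory(root: str) -> dict[str, tuple[bool, list[str]]]:
    """Assess every regular file under root; keys are paths relative to root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = assess_file(full)
    return results


def build_sample_tree() -> str:
    """Create a constructed test directory and return its path.

    'photo.png' stands in for a file encrypted in place: its name is kept,
    but the PNG header is gone and the content is uniformly random-looking.
    """
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    dense = bytes(range(256)) * 16  # exactly 8.0 bits/byte, a ciphertext stand-in
    samples = {
        "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "notes.txt": b"quarterly figures and meeting notes, plain text\n" * 80,
        "archive.zip": b"PK\x03\x04" + dense,   # legit: dense but header matches
        "photo.png": dense,                      # encrypted in place: header lost
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def suspicious_files(root: str) -> list[str]:
    """Sorted relative paths of files flagged by scan_directory."""
    return sorted(p for p, (flag, _r) in scan_directory(root).items() if flag)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, (flag, reasons) in sorted(scan_directory(sample_root).items()):
        print(f"{'FLAG' if flag else 'ok  '} {rel}: {'; '.join(reasons) or 'no findings'}")
```

Run against the constructed tree, only photo.png is flagged: archive.zip is just as dense but its header matches, which is why the header check, not entropy, carries the decision. In a real environment the same logic is best run as a scheduled scan over user shares or as a trigger on file-modification events, and an alert threshold of several mismatches in one directory within a short window is a reasonable starting point for tuning.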

Both Morpheus and HellCat use the Windows Cryptographic API to handle encryption. Specifically, they rely on the BCrypt (Cryptography API: Next Generation) functions to generate encryption keys. Using the operating system's own vetted cryptographic primitives gives the payload robust encryption, making it virtually impossible for victims to recover their files without the decryption key.

Links to Other Ransomware Groups

Interestingly, the ransom notes dropped by Morpheus and HellCat closely resemble those used by Underground Team, a ransomware group that emerged in 2023. While the ransom notes share the same template, the underlying payloads are structurally and functionally different.

This resemblance suggests that affiliates associated with Morpheus and HellCat may be repurposing tools or templates from other ransomware groups. Alternatively, it could indicate the use of a shared builder application, a tool that allows attackers to generate custom ransomware payloads with minimal effort.

Ransomware in 2024: A Fragmented Landscape

The emergence of Morpheus and HellCat reflects broader trends in the ransomware ecosystem. While law enforcement agencies have made significant efforts to dismantle major ransomware groups, such as REvil and Conti, these disruptions have led to the decentralization of operations.

Smaller, more agile ransomware groups are filling the void, often operating under the RaaS model. This shift has created a fragmented yet resilient landscape, where numerous small actors collaborate or compete for a share of the cybercrime economy.

Data from NCC Group highlights the scale of the ransomware threat. In December 2024 alone, a record 574 ransomware attacks were recorded, with notable activity from groups such as FunkSec (103 incidents), Cl0p (68), Akira (43), and RansomHub (41). This surge in activity defies the typical seasonal slowdown observed during the holiday period, signaling a more aggressive threat landscape heading into 2025.

Implications for Cybersecurity

The findings surrounding Morpheus and HellCat underscore the evolving challenges faced by cybersecurity professionals. The use of shared codebases and builder applications enables ransomware groups to scale their operations rapidly, making it difficult to track and attribute attacks.

Organizations must adopt a proactive approach to cybersecurity to mitigate these threats. This includes:

Implementing Endpoint Protection: Deploy advanced endpoint protection solutions that can detect and block ransomware before it encrypts files.

Regular Patching: Ensure that all software and operating systems are up to date to close vulnerabilities that ransomware can exploit.

Network Segmentation: Limit the spread of ransomware by segmenting critical systems and data from the rest of the network.

Backup Strategies: Maintain regular, offline backups of critical data to ensure recovery in the event of an attack.

Employee Training: Educate employees about phishing and other common attack vectors to reduce the likelihood of initial compromise.

The Bigger Picture

The rise of Morpheus and HellCat also highlights the need for greater collaboration among cybersecurity professionals and law enforcement agencies. Sharing threat intelligence and pooling resources can help disrupt ransomware operations and bring perpetrators to justice.

Additionally, organizations should consider investing in threat hunting and incident response capabilities to detect and mitigate attacks before they cause significant damage.

As the ransomware landscape becomes increasingly fragmented, defenders must adapt to the changing tactics and techniques used by attackers. By staying informed and implementing best practices, organizations can reduce their risk and build resilience against the growing ransomware threat.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
