Two Brands, One Payload as Ransomware Affiliates Drop Identical Code
Jan. 24, 2025, 8:20 a.m.
Description
Recent months have seen increased activity from new ransomware operations, including HellCat and Morpheus. Analysis of payloads from both operations reveals that affiliates are using almost identical code. The ransomware samples, uploaded to VirusTotal in December 2024, share similarities in behavior and structure. Both use the Windows Cryptographic API for encryption, exclude certain file extensions and folders, and do not alter file extensions after encryption. The ransom notes follow a similar template, with slight differences in contact details. Despite similarities with Underground Team ransomware notes, there is insufficient evidence to confirm a direct connection. Understanding shared code across these groups can improve detection efforts and threat intelligence.
Tags
Date
- Created: Jan. 23, 2025, 9:03 p.m.
- Published: Jan. 23, 2025, 9:03 p.m.
- Modified: Jan. 24, 2025, 8:20 a.m.
Indicators
- izsp6ipui4ctgxfugbgtu65kzefrucltyfpbxplmfybl5swiadpljmyd.onion
- hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion
Additional Information
- Pharmaceutical
- Manufacturing
- Italy