Full Report
An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads. The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024. "These two payload samples are
Analysis Summary
# Tool/Technique: HellCat and Morpheus Ransomware (Shared Payload)
## Overview
HellCat and Morpheus are nascent ransomware operations that appear to utilize an identical ransomware payload. This finding suggests that affiliates associated with both cybercrime entities are employing a shared codebase or builder application, indicating a potential convergence or shared infrastructure within the ransomware ecosystem.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Windows (Payload is a 64-bit portable executable)
- Capabilities: File encryption, dropping ransom notes.
- First Seen: HellCat emerged in October 2024; Morpheus emerged in December 2024.
## MITRE ATT&CK Mapping
The mapping is inferred from the described ransomware functionality rather than stated explicitly in the source:
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Input Requirement:** Requires a file path as an input argument to execute encryption.
- **File Exclusion:** Configured to skip encryption for files within the `\Windows\System32` directory.
- **Extension Exclusion:** Excludes files with extensions: `.dll`, `.sys`, `.exe`, `.drv`, `.com`, and `.cat` from encryption.
- **Encryption Method:** Utilizes the Windows Cryptographic API for key generation and file encryption, specifically the **BCrypt** family of functions (Cryptography API: Next Generation) for key derivation.
- **Non-Modification:** Does not alter the extensions of encrypted files; encrypted files retain their original extensions and metadata.
- **Ransom Note:** Drops a ransom note using a template similar to the "Underground Team" ransomware scheme.
### Advanced Features
- **Shared Codebase:** The most notable feature is the structural and functional identity between the HellCat and Morpheus payloads, pointing to shared tooling or a shared affiliate pool.
- **Minimal System Modification:** Barring encryption and dropping notes, the samples do not appear to implement persistence mechanisms or change desktop backgrounds.
## Indicators of Compromise (Inferred/Behavioral)
- File Hashes: [Not explicitly listed in the text]
- File Names: [Not explicitly listed in the text]
- Registry Keys: [Not explicitly listed in the text]
- Network Indicators: [Not explicitly listed in the text]
- Behavioral Indicators:
  - Execution requiring a target path argument.
  - Attempting to access or modify files with specific extensions (`.dll`, `.sys`, etc.) or paths (`\Windows\System32`).
  - Use of key generation functions related to the BCrypt API.
  - Dropping ransom notes matching the identified template.
## Associated Threat Actors
- HellCat affiliates
- Morpheus affiliates
- Connections noted to the "Underground Team" ransomware scheme via ransom note template similarity.
## Detection Methods
- Signature-based detection: Signatures for the specific 64-bit PE binaries.
- Behavioral detection: Detection of processes utilizing BCrypt functions for mass file encryption while excluding specific system file types and directories.
- YARA rules: Rules targeting the unique structure or embedded strings correlated with the shared builder.
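The behavioral detection described above can be expressed as a scoring rule over endpoint telemetry: a process that calls BCrypt key-generation functions, rewrites many files in place across several directories, never renames them (the report notes extensions and metadata are preserved), and never touches `\Windows\System32` or the excluded extensions. The following is an added example written for this summary, not code from the report or from SentinelOne; the event layout, the choice of BCrypt exports, the thresholds and the sample telemetry are all constructed assumptions.

```python
r"""Behavioral detection sketch for the in-place mass-encryption pattern
described in this report (BCrypt use, many writes, no renames, and the
\Windows\System32 and extension exclusions never touched).

Added example, not code from the report or from SentinelOne. Event layout,
API selection and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Exclusions stated in the report.
EXCLUDED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}

# Real CNG export names; which of them the payload actually calls is an
# assumption, so treat the set as a tunable list.
BCRYPT_KEY_APIS = {"BCryptGenRandom", "BCryptGenerateSymmetricKey",
                   "BCryptDeriveKey", "BCryptGenerateKeyPair"}

MIN_WRITES = 50        # assumed threshold for "mass" file modification
MIN_DISTINCT_DIRS = 5  # assumed breadth threshold


def is_excluded(path: str) -> bool:
    """True if the report says the payload would skip this file."""
    p = PureWindowsPath(path)
    tail = p.parts[1:] if p.anchor else p.parts          # drop 'C:\' or '\'
    in_system32 = tuple(s.lower() for s in tail[:2]) == ("windows", "system32")
    return in_system32 or p.suffix.lower() in EXCLUDED_EXTENSIONS


def score_processes(events):
    """Aggregate hypothetical EDR events per pid and return the pids whose
    activity matches all four signals, with the supporting counts."""
    writes = defaultdict(list)
    renames = defaultdict(int)
    bcrypt_use = defaultdict(bool)
    touched_excluded = defaultdict(bool)
    for ev in events:
        pid = ev["pid"]
        if ev["event"] == "api" and ev["api"] in BCRYPT_KEY_APIS:
            bcrypt_use[pid] = True
        elif ev["event"] == "rename":
            renames[pid] += 1
        elif ev["event"] == "file_write":
            if is_excluded(ev["path"]):
                touched_excluded[pid] = True   # the payload would not do this
            else:
                writes[pid].append(ev["path"])
    findings = {}
    for pid, paths in writes.items():
        dirs = {str(PureWindowsPath(p).parent).lower() for p in paths}
        if (bcrypt_use[pid] and not touched_excluded[pid] and renames[pid] == 0
                and len(paths) >= MIN_WRITES and len(dirs) >= MIN_DISTINCT_DIRS):
            findings[pid] = {"writes": len(paths), "dirs": len(dirs)}
    return findings


def build_sample_events():
    """Constructed telemetry: one payload-like process and two benign ones."""
    events = [{"pid": 4242, "event": "api", "api": "BCryptGenerateSymmetricKey"}]
    # 4242 rewrites 60 user documents across 6 folders, keeping their names.
    for i in range(60):
        events.append({"pid": 4242, "event": "file_write",
                       "path": rf"C:\Users\alice\Documents\proj{i % 6}\report{i}.docx"})
    # 1111 is an installer: it also calls BCryptGenRandom, but it writes
    # into System32 and drops a .dll, which the payload would skip.
    events.append({"pid": 1111, "event": "api", "api": "BCryptGenRandom"})
    for i in range(60):
        events.append({"pid": 1111, "event": "file_write",
                       "path": rf"C:\Program Files\Vendor\part{i % 6}\data{i}.bin"})
    events.append({"pid": 1111, "event": "file_write",
                   "path": r"C:\Windows\System32\vendor.dll"})
    # 2222 is a bulk-rename tool: many writes and renames, no key generation.
    for i in range(60):
        events.append({"pid": 2222, "event": "file_write",
                       "path": rf"D:\photos\trip{i % 6}\img{i}.jpg"})
        events.append({"pid": 2222, "event": "rename",
                       "path": rf"D:\photos\trip{i % 6}\img{i}.jpg"})
    return events


if __name__ == "__main__":
    for pid, stats in score_processes(build_sample_events()).items():
        print(f"pid {pid}: in-place mass modification with BCrypt use, {stats}")
```

The value of combining signals is that each one alone is noisy: installers and backup agents also call BCrypt, and bulk editors also write many files. Requiring BCrypt use together with wide in-place modification, zero renames and no contact with the excluded paths narrows the match to the behavior the report attributes to this payload; the thresholds should be tuned against the organization's own baseline before alerting.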
## Mitigation Strategies
- **Patching/Updates:** The source does not address patching directly; keeping endpoints patched and updated remains part of the general security hygiene that limits initial access.
- **Backup & Recovery:** Maintaining immutable, tested backups mitigates the impact of encryption.
- **Access Control:** Apply the principle of least privilege so that a compromised account can only encrypt the files it is legitimately permitted to write.
- **Network Segmentation:** Limiting lateral movement reduces the likelihood of widespread deployment.
## Related Tools/Techniques
- Underground Team Ransomware (Shared ransom note template)
- General Ransomware as a Service (RaaS) operations, characterized by shared tooling among affiliates.