March 5, 2025
By esentry Team

Shared Code and Collaboration

HellCat and Morpheus are showing a concerning trend of shared infrastructure and tactics in the cybercriminal ecosystem.

Both gangs surfaced in mid to late 2024, with HellCat quickly gaining notoriety for targeting high-profile entities, including a significant ransomware attack on the telecommunications giant Telefónica in January 2025. Meanwhile, Morpheus, though less visible, launched a data leak site in December 2024, focusing on industries like pharmaceuticals and manufacturing.

Shared Code and Techniques

Recent research by SentinelOne has uncovered alarming similarities between the ransomware payloads of HellCat and Morpheus.

  • Identical Payloads: The payloads share almost identical code, suggesting a common builder application or shared infrastructure among affiliates.
  • File Extension Behavior: Uniquely, both ransomware types leave original file extensions intact after encryption, which is atypical for ransomware.
  • Ransom Notes: Both gangs utilize a similar template for their ransom notes, saved as _README_.txt, and launched via Notepad after encryption.
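Because both families leave the original file extension in place, triage that keys on renamed files will miss encrypted documents. The following Python check, an added example and not code from the SentinelOne research or the original post, looks at content instead: a known extension whose magic bytes are gone, combined with near-random bytes, is flagged, and the _README_.txt note filename is flagged as well. The signature table, entropy threshold and the sample files are constructed assumptions.

```python
import math
from collections import Counter
from pathlib import Path

# Magic-byte signatures for a few common document types (assumption; extend as needed).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}
RANSOM_NOTE = "_README_.txt"   # note filename both families drop, per the research above
ENTROPY_THRESHOLD = 7.5        # bits per byte; ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes) -> list[str]:
    """Return the reasons a file looks encrypted in place (empty list if none).

    `head` is the first few KB of the file. With the extension left intact,
    only the content can tell us: the expected magic bytes are missing and
    what replaced them is near-random.
    """
    path = Path(name)
    if path.name == RANSOM_NOTE:
        return ["ransom note filename"]
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return []                      # unknown type: nothing to compare against
    reasons = []
    if not head.startswith(expected):
        reasons.append("magic bytes missing for extension")
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy content")
    return reasons

def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify each name -> header-bytes pair; returns only flagged files."""
    return {n: r for n, h in samples.items() if (r := classify(n, h))}

def scan_directory(root: str, head_len: int = 4096) -> dict[str, list[str]]:
    """Same check over a real directory tree, reading only each file's head."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    return scan({str(p): p.open("rb").read(head_len) for p in files})

# Constructed samples standing in for a share after an attack (not real data).
SAMPLES = {
    "reports/q4.pdf": bytes(range(256)) * 4,                # .pdf kept, content now ciphertext-like
    "reports/notes.pdf": b"%PDF-1.7\n% genuine" + b"\x00" * 64,  # untouched document
    "reports/_README_.txt": b"Your files were encrypted...",  # dropped note
    "reports/old.txt": bytes(range(256)),                   # unknown extension: not judged
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: {', '.join(reasons)}")
```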

Ransomware-as-a-Service (RaaS) Landscape

The rise of these gangs reflects a more fragmented ransomware ecosystem, especially following law enforcement operations that have disrupted established RaaS groups like LockBit. The research indicates:

  • Growing Collaboration: There’s an increasing trend of ransomware groups sharing tactics, techniques, and procedures (TTPs).
  • Affiliate Movement: Affiliates frequently switch between different RaaS operators, contributing to a more crowded marketplace.
  • Nation-State Involvement: There’s also evidence of collaboration between nation-state actors and ransomware groups, further complicating the threat landscape.

The Financial Stakes

With ransom demands reportedly reaching up to 32 BTC (approximately $3 million), the implications for businesses and organizations are severe. The sophistication of these operations highlights the urgent need for robust cybersecurity measures.

Keeping Safe

  • Implement Multi-Factor Authentication (MFA): Strengthening access controls can help mitigate risks.
  • Regular Security Audits: Conduct frequent assessments of security protocols and systems.
  • Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors.