March 5, 2025

Shared Code and Collaboration

HellCat and Morpheus are showing a concerning trend of shared infrastructure and tactics in the cybercriminal ecosystem.

Both gangs surfaced in mid to late 2024, with HellCat quickly gaining notoriety for targeting high-profile entities, including a significant ransomware attack on the telecommunications giant Telefónica in January 2025. Meanwhile, Morpheus, though less visible, launched a data leak site in December 2024, focusing on industries like pharmaceuticals and manufacturing.

Shared Code and Techniques

Recent research by SentinelOne has uncovered alarming similarities between the ransomware payloads of HellCat and Morpheus.

  • Identical Payloads: The payloads share almost identical code, suggesting a common builder application or shared infrastructure among affiliates.
  • File Extension Behavior: Uniquely, both ransomware types leave original file extensions intact after encryption, which is atypical for ransomware.
  • Ransom Notes: Both gangs utilize a similar template for their ransom notes, saved as _README_.txt and launched via Notepad after encryption.
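A detection sketch for the ransom-note behaviour listed above, added here as an example and not code from the SentinelOne research: it scans constructed process-creation events for notepad.exe started with a _README_.txt argument by a non-interactive parent. The host names, file paths and the parent allow-list are assumptions. Because both families leave file extensions unchanged, extension-based file-monitoring rules will not fire on the encryption itself, which makes the note launch one of the few host-level signals the text describes.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample process-creation events, shaped like an EDR or
# Sysmon Event ID 1 feed; they are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "C:\\Users\\a\\Downloads\\update.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\Documents\\_README_.txt"},
    {"host": "ws-01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\a\\notes.txt"},
    {"host": "srv-02", "parent": "C:\\Temp\\svc.exe",
     "image": "C:\\Windows\\notepad.exe",
     "cmdline": "notepad C:\\Shares\\finance\\_README_.TXT"},
]

NOTE_NAME = "_README_.txt"  # ransom note file name named in the research
NOTEPAD_RE = re.compile(r"(^|[\\/])notepad(\.exe)?$", re.IGNORECASE)
# Assumption: a user opening the note from the shell is not the signal we want.
TRUSTED_PARENTS = {"explorer.exe"}

def basename(path: str) -> str:
    """Last path component, with surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1]

def is_ransom_note_launch(event: dict) -> bool:
    """True when notepad.exe is started with a _README_.txt argument by a
    parent that is not an interactive shell. Comparison is case-insensitive,
    since NTFS file names are."""
    if not NOTEPAD_RE.search(event["image"]):
        return False
    if basename(event["parent"]).lower() in TRUSTED_PARENTS:
        return False
    # posix=False keeps Windows backslashes and quoted paths intact.
    args = shlex.split(event["cmdline"], posix=False)[1:]
    return any(basename(a).lower() == NOTE_NAME.lower() for a in args)

def flag_hosts(events) -> dict:
    """Group suspicious launches by host so the responder sees scope,
    not a stream of single alerts."""
    hits = defaultdict(list)
    for ev in events:
        if is_ransom_note_launch(ev):
            hits[ev["host"]].append(ev["cmdline"])
    return dict(hits)
```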

Ransomware-as-a-Service (RaaS) Landscape

The rise of these gangs reflects a more fragmented ransomware ecosystem, especially following law enforcement operations that have disrupted established RaaS groups like LockBit. The research indicates:

  • Growing Collaboration: There's an increasing trend of ransomware groups sharing tactics, techniques, and procedures (TTPs).
  • Affiliate Movement: Affiliates frequently switch between different RaaS operators, contributing to a more crowded marketplace.
  • Nation-State Involvement: There's also evidence of collaboration between nation-state actors and ransomware groups, further complicating the threat landscape.

The Financial Stakes

With ransom demands reportedly reaching up to 32 BTC (approximately $3 million), the implications for businesses and organizations are severe. The sophistication of these operations highlights the urgent need for robust cybersecurity measures.

Keeping Safe

  • Implement Multi-Factor Authentication (MFA): Strengthening access controls can help mitigate risks.
  • Regular Security Audits: Conduct frequent assessments of security protocols and systems.
  • Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors.