Two recently identified ransomware gangs are using payloads that contain almost identical code, suggesting that the groups' affiliates are using shared infrastructure.
The groups, named HellCat and Morpheus, emerged in mid to late 2024.
SentinelOne researchers also identified similarities in the tactics used by the two groups and the Underground Team ransomware-as-a-service (RaaS) operation.
The findings add to other observations around growing associations and overlap between different ransomware groups and their affiliates.
This trend comes as the ransomware ecosystem becomes more fragmented following law enforcement operations that have disrupted a number of high-profile RaaS groups, such as LockBit.
"HellCat and Morpheus payloads are almost identical and both are atypical to other ransomware families in leaving original file extensions in place after encryption," the researchers wrote.
"While it isn't possible to assess the full extent of interplay between the owners and operators of these ransomware services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups."
Shared Approaches Between HellCat and Morpheus
The HellCat group emerged in mid-2024 and its main operators are believed to be high-ranking members of the BreachForums community and its various factions.
The group has so far been focused on "big game" targets and government entities. HellCat actors were reportedly behind a ransomware attack on telecoms giant Telefónica in January 2025, resulting in over 236,000 lines of customer data being stolen.
Morpheus launched a data leak site in December 2024, although the group's activity can be traced back to at least September of that year.
The researchers described Morpheus as a "semi-private" RaaS, with its public branding efforts far less visible than HellCat's.
SentinelOne observed two related ransomware payloads uploaded to VirusTotal on December 22 and 30, 2024. The only differences between the payloads were victim-specific data and the attacker contact details.
The researchers said that, based on this and other telemetry data, it is likely that the samples were uploaded by the same affiliate dabbling in both Morpheus and HellCat campaigns.
Both payloads behaved in the same way upon execution. An unusual characteristic of them is that they do not alter the extension of targeted and encrypted files.
Furthermore, no other system modifications are made beyond the file encryption and the ransom note drop. These traits are designed to avoid detection on target systems.
The HellCat and Morpheus ransom notes also share traits. The ransom notes are written to disk as _README_.txt. Once all available files, on all available volumes, have been processed, the ransom note for both will be launched via Notepad from the C:\Users\Public\_README_.txt instance of the file.
Furthermore, the notes follow the same template and flow, with the same number of sources listed across each note.
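Because these payloads keep the original file extensions, extension-based ransomware rules see nothing. The following added example (not from the SentinelOne report) shows two checks a defender can run instead: a content-entropy test on files that still carry a plaintext extension, and a telemetry triage that looks for the _README_.txt drops and the Notepad launch of C:\Users\Public\_README_.txt described above. The entropy threshold, the extension list and the sample telemetry are constructed assumptions.

```python
import math
import os
import re
from collections import Counter

NOTE_NAME = "_README_.txt"  # ransom note filename from the report
# Notepad launched against the C:\Users\Public copy of the note (quoted exe path allowed)
NOTE_LAUNCH = re.compile(r'notepad(\.exe)?"?\s+.*\\users\\public\\_readme_\.txt', re.IGNORECASE)
# Assumed: extensions whose *legitimate* content is plain text. Compressed formats such as
# .docx/.zip are already high-entropy and must not be judged by this test.
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_file(name: str, content: bytes, threshold: float = 7.5) -> bool:
    """Flag a file that kept a plaintext extension but whose bytes look encrypted."""
    ext = os.path.splitext(name)[1].lower()
    return ext in PLAINTEXT_EXTS and shannon_entropy(content) >= threshold


def flags_note_launch(cmdline: str) -> bool:
    return bool(NOTE_LAUNCH.search(cmdline))


def triage(events):
    """Summarise note drops per volume root and whether the note was opened via Notepad."""
    drops = {
        e["path"] for e in events
        if e["type"] == "file_create" and e["path"].lower().endswith(NOTE_NAME.lower())
    }
    launched = any(e["type"] == "process" and flags_note_launch(e["cmdline"]) for e in events)
    return {"note_drops": sorted(drops), "note_launched": launched}


# Constructed telemetry, not from the report: notes on two volumes plus the Public copy.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\_README_.txt"},
    {"type": "file_create", "path": r"D:\_README_.txt"},
    {"type": "file_create", "path": r"C:\Users\Public\_README_.txt"},
    {"type": "process", "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Public\_README_.txt'},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(suspicious_file("report.txt", bytes(range(256)) * 16))  # uniform bytes, entropy 8.0
```

The entropy test is a heuristic: a handful of encrypted files with unchanged extensions is the signal, while compressed or already-encrypted archives need a different baseline.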
Similarities with Underground Team Ransomware
The researchers also identified similarities between these ransom note templates and those used by the Underground Team group, which has been in operation since early to mid-2023.
Despite this similarity, the ransomware payloads analyzed from Underground Team are structurally and functionally different from the HellCat and Morpheus samples.
While it is possible there are affiliates tied to both Underground Team and HellCat/Morpheus, the researchers said there is insufficient evidence to support the notion that there is any kind of shared codebase or partnership involving all three groups.
Growing Overlap in the Ransomware Ecosystem
The new findings provide further evidence of the growing collaboration and shared tactics, techniques and procedures (TTPs) in the ransomware ecosystem.
This includes affiliates frequently moving between different RaaS operators amid a more crowded market.
In November 2024, SentinelLabs observed the CyberVolk hacktivist collective promoting its branded ransomware, which was derived from code developed by another hacktivist group.
The study also identified CyberVolk's associations with other ransomware families, including helping to promote their operations.
Researchers have also observed growing collaboration between nation-state actors and ransomware groups, including shared TTPs and operations.