Are HellCat and Morpheus Ransomware Gangs Sharing Code and Tactics?

Recent discoveries in the cybersecurity world have suggested a concerning trend – the emergence of ransomware gangs HellCat and Morpheus, which appear to be sharing code and infrastructure, thus pointing to a deeper level of coordination. Both groups surfaced around mid to late 2024, with researchers uncovering nearly identical ransomware payload structures, implying a shared resource or affiliation.

Shared Code and Operational Techniques

A key observation from researchers at SentinelOne is that ransomware payloads from both HellCat and Morpheus leave the original file extensions in place after encryption. This behavior is atypical among ransomware families and has raised suspicions of a shared codebase or builder application between the two groups. Additionally, the ransom notes used by both gangs follow an identical format, saved as README.txt and opened via Notepad, which further underscores a common operational protocol.

Targets and Attacks

HellCat, believed to be operated by notable members of the BreachForums community, has targeted prominent entities, exemplified by a significant attack on Telefónica in January 2025. Morpheus, on the other hand, maintains a lower profile as a semi-private Ransomware-as-a-Service (RaaS) operation. Although its data leak site launched in December 2024, its activity traces back to September 2024. The resemblance in tactics suggests that affiliates might be leveraging common infrastructure for their attacks.

Similarities in Ransomware Payloads

The theory of a single affiliate behind both campaigns is further supported by the analysis of similar ransomware payloads uploaded to VirusTotal in December 2024. Though differing in victim-specific data and attacker details, the payloads exhibit identical behaviors. They focus on encrypting files and dropping a ransom note without changing file extensions or modifying system settings, strategies tailored to avoid detection.
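Because these payloads keep the original extension, extension-based detections miss them; the check has to look at content instead. The following is an added example, not code from SentinelOne or from this article: it flags files whose extension is intact but whose header no longer matches the expected format and whose content is high-entropy, and alerts when a README.txt sits beside them. The magic-byte table, the 7.0 bits-per-byte threshold, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import math
import os

# Expected leading bytes per extension (assumed, illustrative subset).
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off for "looks encrypted"
NOTE_NAME = "readme.txt"  # note file name reported for both families


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_directory(path: str, sample_size: int = 4096) -> dict:
    """Flag files whose extension is unchanged but whose content is not."""
    suspicious, note_present = [], False
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        if name.lower() == NOTE_NAME:
            note_present = True
            continue
        magic = MAGIC.get(os.path.splitext(name)[1].lower())
        if magic is None:
            continue  # no expected header known for this extension
        with open(full, "rb") as fh:
            head = fh.read(sample_size)
        # Header mismatch alone can be a mislabeled file; require high entropy too.
        if not head.startswith(magic) and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            suspicious.append(name)
    return {"suspicious": suspicious, "note_present": note_present,
            "alert": note_present and bool(suspicious)}


def build_sample(path: str) -> None:
    """Write constructed test files: one 'encrypted' PDF, two intact files, a note."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    files = {"report.pdf": blob, "notes.pdf": b"%PDF-1.7\n" + b"text " * 500,
             "logo.png": MAGIC[".png"] + blob, "README.txt": b"constructed placeholder"}
    for name, data in files.items():
        with open(os.path.join(path, name), "wb") as fh:
            fh.write(data)
```

A compressed but intact file such as `logo.png` is high-entropy yet still carries its header, which is why the check requires both conditions before flagging.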

Connection to Other Ransomware Groups

Interestingly, similarities have also been found between the notes from HellCat/Morpheus and those used by the Underground Team ransomware group, active since early to mid-2023. Despite the similarities in ransom note templates, the Underground Team’s ransomware payloads structurally and functionally differ from those of HellCat and Morpheus. This indicates no direct code sharing or partnership among the three groups but suggests a broader pattern of imitation or inspiration.

Implications of Increased Collaboration

The discoveries point to an increasingly interconnected yet fragmented ransomware ecosystem. The collaboration among various groups is partly driven by law enforcement disruptions of major RaaS operators, which has led to a densely packed and fiercely competitive marketplace. Affiliates are observed frequently shifting between RaaS platforms, reflecting the fluid and dynamic nature of the underground cybercrime environment.

Nation-State Actor Collaboration

Another alarming trend is the growing collaboration between nation-state actors and ransomware groups. These collaborations often involve sharing tactics, techniques, and procedures, further complicating efforts to combat cyber threats. The integration of advanced methods and strategies from nation-state actors into the arsenal of ransomware gangs poses a significant challenge for cybersecurity professionals.

Conclusion

Recent developments in cybersecurity have highlighted a worrisome trend: the appearance of two new ransomware groups, HellCat and Morpheus. These gangs seem to be collaborating closely, sharing both code and infrastructure, which suggests a higher level of coordination between them. Both HellCat and Morpheus emerged around mid to late 2024, and cybersecurity researchers have uncovered ransomware payloads from both groups that are nearly identical. This similarity indicates that they may be using the same resources or might even be affiliated with each other. This revelation is particularly concerning for security experts because it implies that these gangs could harness their combined expertise to create even more sophisticated and damaging ransomware attacks in the future. As these groups collaborate and evolve, the cybersecurity landscape becomes increasingly perilous, requiring even more robust defenses and proactive measures to protect sensitive data and systems. Therefore, organizations need to stay vigilant and continuously update their cybersecurity strategies to counteract these emerging threats effectively.
