Are HellCat and Morpheus Ransomware Gangs Sharing Code and Tactics?

Recent discoveries in the cybersecurity world have suggested a concerning trend – the emergence of ransomware gangs HellCat and Morpheus, which appear to be sharing code and infrastructure, thus pointing to a deeper level of coordination. Both groups surfaced around mid to late 2024, with researchers uncovering nearly identical ransomware payload structures, implying a shared resource or affiliation.

Shared Code and Operational Techniques

A key observation noted by researchers at SentinelOne is that ransomware payloads from both HellCat and Morpheus retain the original file extensions after encryption. This particular behavior is atypical for other ransomware families and has raised suspicions of a shared codebase or builder application between these two groups. Additionally, the ransom notes used by both gangs follow an identical format, saved as README.txt and opened via notepad, which further underscores a common operational protocol.

Targets and Attacks

HellCat, believed to be operated by notable members of the BreachForums community, has targeted prominent entities, exemplified by a significant attack on Telefónica in January 2025. Morpheus, on the other hand, maintains a lower profile as a semi-private Ransomware-as-a-Service (RaaS) operation. Despite launching a data leak site in December 2024, their activities trace back to September 2024. This resemblance in tactics suggests that affiliates might be leveraging common infrastructures for their attacks.

Similarities in Ransomware Payloads

The theory of a single affiliate behind both campaigns is further supported by the analysis of similar ransomware payloads uploaded to VirusTotal in December 2024. Though differing in victim-specific data and attacker details, the payloads exhibit identical behaviors. They focus on encrypting files and dropping a ransom note without changing file extensions or modifying system settings, strategies tailored to avoid detection.

Connection to Other Ransomware Groups

Interestingly, similarities have also been found between the notes from HellCat/Morpheus and those used by the Underground Team ransomware group, active since early to mid-2023. Despite the similarities in ransom note templates, the Underground Team’s ransomware payloads structurally and functionally differ from those of HellCat and Morpheus. This indicates no direct code sharing or partnership among the three groups but suggests a broader pattern of imitation or inspiration.

Implications of Increased Collaboration

The discoveries point to an increasingly interconnected yet fragmented ransomware ecosystem. The collaboration among various groups is partly driven by law enforcement disruptions of major RaaS operators, which has led to a densely packed and fiercely competitive marketplace. Affiliates are observed frequently shifting between RaaS platforms, reflecting the fluid and dynamic nature of the underground cybercrime environment.

Nation-State Actor Collaboration

Another alarming trend is the growing collaboration between nation-state actors and ransomware groups. These collaborations often involve sharing tactics, techniques, and procedures, further complicating efforts to combat cyber threats. The integration of advanced methods and strategies from nation-state actors into the arsenal of ransomware gangs poses a significant challenge for cybersecurity professionals.

Conclusion

Recent developments in cybersecurity have highlighted a worrisome trend: the appearance of two new ransomware groups, HellCat and Morpheus. These gangs seem to be collaborating closely, sharing both code and infrastructure, which suggests a higher level of coordination between them. Both HellCat and Morpheus emerged around mid to late 2024, and cybersecurity researchers have uncovered ransomware payloads from both groups that are nearly identical. This similarity indicates that they may be using the same resources or might even be affiliated with each other. This revelation is particularly concerning for security experts because it implies that these gangs could harness their combined expertise to create even more sophisticated and damaging ransomware attacks in the future. As these groups collaborate and evolve, the cybersecurity landscape becomes increasingly perilous, requiring even more robust defenses and proactive measures to protect sensitive data and systems. Therefore, organizations need to stay vigilant and continuously update their cybersecurity strategies to counteract these emerging threats effectively.

Explore more