A new report out today from cybersecurity firm SentinelOne Inc. is drawing attention to the evolving tactics of two prominent ransomware-as-a-service operations that have gained notoriety for targeting high-value sectors, including pharmaceuticals, manufacturing and government entities.
Ransomware-as-a-service groups operate by providing ready-made ransomware tools and platforms to affiliates or customers, who then carry out the ransomware attacks themselves and share a percentage of the ransom proceeds with the RaaS operators. The two RaaS groups covered in the report, HellCat and Morpheus, were found to be using identical payloads in their ransomware campaigns, pointing to a possible shared codebase or builder application.
HellCat, which first emerged in mid-2024, has focused on establishing itself as a reputable brand within the cybercrime economy, targeting high-value entities such as government organizations and large enterprises. Morpheus, operating more discreetly since late 2024, has similarly targeted critical industries, with ransom demands said to reach as high as $3 million.
SentinelOne's researchers uncovered two identical payload samples uploaded to VirusTotal in December 2024. The payloads, associated with affiliates of both HellCat and Morpheus, were found to share identical code apart from victim-specific data and attacker contact details.
The samples used the Windows Cryptographic Application Programming Interface for encryption, encrypting file contents in place without altering file extensions. That approach, coupled with the exclusion of critical system files from encryption, indicates a calculated effort to minimize system disruption while maximizing leverage over victims. Leaving extensions intact also means the renamed-file heuristics that many detection rules rely on will not fire, so defenders have to inspect file contents rather than file names.
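Because the payloads described above leave file names untouched, one check a defender can still run is a content-versus-name consistency scan: a file whose extension promises a known header but whose leading bytes no longer carry it, or a text file whose bytes look uniformly random, is a candidate for in-place encryption. The following is an added example written for this page; it is not code from SentinelOne's report or from either ransomware operation. The signature table, the entropy threshold, the directory-walk helper and the sample files are all assumptions constructed for illustration.

```python
"""Content-versus-name consistency scan for files encrypted in place.

Added example for illustration; not SentinelOne's or any operator's code.
All signatures, thresholds and sample files below are assumptions
constructed for this example.
"""
import math
import os
import random
from pathlib import Path

# Assumed signature table: extension -> acceptable leading bytes.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),   # OOXML documents are zip containers
    ".xlsx": (b"PK\x03\x04",),
}

# Extensions whose legitimate contents are text; ciphertext stands out by entropy.
TEXT_EXTS = {".txt", ".csv", ".log", ".json", ".xml", ".ini", ".cfg", ".ps1", ".bat"}

# Bits per byte; uniformly random ciphertext approaches 8.0, English text sits near 4-5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte histogram of data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'magic_mismatch', 'high_entropy_text' or 'unknown' for one file."""
    ext = Path(name).suffix.lower()
    if ext in MAGIC:
        # Extension promises a known header; in-place encryption destroys it.
        return "ok" if data.startswith(MAGIC[ext]) else "magic_mismatch"
    if ext in TEXT_EXTS:
        # Text formats have no fixed header, so fall back to byte entropy.
        return "high_entropy_text" if shannon_entropy(data) > ENTROPY_THRESHOLD else "ok"
    return "unknown"


def scan_samples(samples: dict) -> dict:
    """Classify an in-memory {filename: leading_bytes} mapping."""
    return {name: classify(name, data) for name, data in samples.items()}


def scan_directory(root: str, max_bytes: int = 65536) -> dict:
    """Walk root, read up to max_bytes per file, and report every non-'ok' verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or locked files are skipped, not reported
            verdict = classify(path, head)
            if verdict != "ok":
                findings[path] = verdict
    return findings


# Constructed sample set: two files with intact headers, two "encrypted in place"
# with their names untouched (seeded pseudo-random bytes stand in for ciphertext),
# one plaintext file and one file of a type the table does not know.
_rng = random.Random(20241201)
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "budget.docx": b"PK\x03\x04" + bytes(26),
    "invoice.pdf": _rng.randbytes(4096),
    "notes.txt": b"meeting notes: follow up on Q3 numbers\n" * 50,
    "config.ini": _rng.randbytes(4096),
    "blob.bin": bytes(64),
}

if __name__ == "__main__":
    for name, verdict in scan_samples(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

Run `scan_directory()` against user data shares rather than system volumes: the payloads in the report skip critical system files anyway, and the entropy check is deliberately limited to text extensions because compressed or already-encrypted formats (archives, media, password-protected documents) are legitimately high-entropy. A `magic_mismatch` or `high_entropy_text` verdict is a triage signal to pull the file and its surrounding directory for inspection, not proof of encryption on its own.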
The researchers also found that both HellCat and Morpheus deploy nearly identical ransom notes, with variations only in contact details and victim-specific instructions. The notes direct victims to log in to attacker-controlled .onion portals, sites reachable only over the Tor network, using credentials provided in the ransom notes.
Interestingly, the report also notes that despite similarities to earlier ransomware operations, such as the Underground Team, there is no evidence of a direct link with previous groups. The structural and functional differences between the payloads analyzed suggest independent development paths, although the possibility of shared affiliates cannot be ruled out entirely.
The SentinelOne researchers conclude by emphasizing the importance of understanding how ransomware groups share and source common tools in order to improve detection and defense strategies. The findings illustrate some of the tactics employed by ransomware groups and highlight the critical need for organizations to adopt robust cybersecurity measures.
Image: SiliconANGLE/DALL-E 3