An analysis of HellCat and Morpheus ransomware has revealed that affiliates of both operations are deploying payloads built from identical code, differing only in victim-specific information and attacker contact details. Security researcher Jim Walter uncovered these findings in an examination of malware artifacts submitted to VirusTotal. Both strains skip a fixed set of file extensions during encryption and leave the names and extensions of the files they do encrypt unchanged. For key generation and encryption they use the Windows Cryptography API: Next Generation (CNG), the BCrypt family of functions, rather than a custom cryptographic implementation, and their ransom notes follow a template closely resembling the one used by Underground Team, a ransomware operation that appeared in 2023.
The shared code base means that HellCat and Morpheus samples are essentially the same binary with different embedded victim data and attacker contact details, which points to a common builder or a shared developer behind the two affiliate programs.
An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension (or any other part of the name) of the files they encrypt. Detection logic that keys on an appended ransomware extension, or on mass rename events, will therefore not fire; responders have to look at file content instead, for example headers that no longer match the extension and near-random byte distributions.
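Because these payloads leave file names untouched, the following is an added example (not code from the research or from either ransomware family) of a content-based triage check a responder could run over a suspect share: it flags files whose magic bytes no longer match their extension and whose leading bytes have near-random entropy, the signature of in-place encryption. The signature table, the 7.5-bit threshold and the sample files are assumptions constructed for the example.

```python
import math
import os
import random
from collections import Counter

# Minimal, hypothetical table of expected magic bytes per extension.
# A real triage script would use a fuller signature database.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

# Bits per byte above which a sample is treated as near-random (assumed threshold).
ENTROPY_THRESHOLD = 7.5
SAMPLE_LEN = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_in_place(name: str, data: bytes) -> bool:
    """True when the file content no longer looks like what its extension promises.

    Known extension: flag only if the magic bytes are gone AND the head is near-random,
    so legitimately compressed formats (docx/xlsx are zip containers) with an intact
    header are not flagged.
    Unknown extension: fall back to entropy alone, which can false-positive on
    archives or media; treat such hits as leads, not verdicts.
    """
    ext = os.path.splitext(name)[1].lower()
    head = data[:SAMPLE_LEN]
    high_entropy = shannon_entropy(head) > ENTROPY_THRESHOLD
    magic = MAGIC.get(ext)
    if magic is not None:
        return (not data.startswith(magic)) and high_entropy
    return high_entropy


def flagged_files(files: dict) -> list:
    """Return the names (in input order) of files that look encrypted in place."""
    return [name for name, data in files.items() if looks_encrypted_in_place(name, data)]


def build_samples() -> dict:
    """Constructed in-memory sample files standing in for a scanned directory."""
    rng = random.Random(7)  # seeded so the demo is deterministic
    return {
        # Clean PDF: header intact, low-entropy text body.
        "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
        # Same name kept, but content replaced with ciphertext: header gone, high entropy.
        "report.pdf": rng.randbytes(SAMPLE_LEN),
        # Legitimate docx: zip header present even though the body is compressed (high entropy).
        "memo.docx": b"PK\x03\x04" + rng.randbytes(SAMPLE_LEN),
        # Unknown extension with random content: flagged on entropy alone.
        "notes.txt": rng.randbytes(SAMPLE_LEN),
    }


def flagged_samples() -> list:
    return flagged_files(build_samples())


if __name__ == "__main__":
    for name in flagged_samples():
        print("possible in-place encryption:", name)
```

The check is deliberately conservative for known formats: a mismatched header alone is not enough, because a truncated or corrupted file also fails that test, but a mismatched header plus near-uniform byte distribution is exactly what in-place encryption leaves behind. Run it against a copy of the data, never the live share, and correlate hits with file modification times to bound the encryption window.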