Ransomware Gangs Linked by Shared Code and Ransom Notes
Over the past six months, ransomware activity has escalated significantly, marked by the rise of new groups such as FunkSec, Nitrogen, and Termite, alongside the reappearance of Cl0p and the introduction of LockBit 4.0. Within this period, Ransomware-as-a-Service platforms such as HellCat and Morpheus have gained traction. HellCat, emerging in mid-2024, is operated by prominent members of the BreachForums community, including individuals like Rey, Pryx, Grep, and IntelBroker. This group has targeted high-value entities, including government organizations, and has aggressively promoted its RaaS model as a reputable service within the cybercrime ecosystem. In contrast, Morpheus, which launched a data leak site in December 2024, operates as a semi-private RaaS with more subdued public branding and has primarily targeted industries such as pharmaceuticals and manufacturing.
Both HellCat and Morpheus affiliates have been observed employing nearly identical ransomware payloads, suggesting a shared codebase or builder application. Two specific payload samples, uploaded to VirusTotal on December 22 and December 30, 2024, displayed identical structures apart from victim-specific data and attacker contact details. The payloads, built as 64-bit PE files, use the Windows Cryptographic API for key generation and encryption. Notably, these payloads do not alter the extensions of encrypted files, a departure from the norm in most ransomware operations.
Execution of the ransomware requires specific arguments, such as a file path or the ww parameter. Analysis of an associated batch file uploaded on December 31, 2024, revealed its use in copying files from network shares to local directories before executing the ransomware. The payload’s behavior involves encrypting files without altering metadata, leaving ransom notes titled README.txt in the affected directories. These notes instruct victims to log in to the attackers’ .onion portals using provided credentials to negotiate ransom payments, with Morpheus affiliates demanding up to 32 BTC.
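The two traits described above, ransom notes named README.txt and encrypted files that keep their original extension, mean an extension blocklist will not catch this payload. The script below is an added defender-side example, not code from the report or from SentinelOne's analysis: it walks a directory tree, flags README.txt files that point to .onion portals, and measures Shannon entropy per file to surface encrypted content that still carries a normal extension. The entropy threshold, minimum file size, skipped archive/media extensions and the sample tree it builds are constructed assumptions for illustration.

```python
"""Added example: scan a tree for README.txt ransom notes and for files that
look encrypted despite keeping their original extension. Thresholds and the
sample data are assumptions, not values from the report."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAME = "README.txt"   # note filename reported for HellCat/Morpheus
NOTE_MARKERS = (".onion",)        # notes direct victims to .onion portals
ENTROPY_THRESHOLD = 7.2           # assumed: bits per byte; near 8.0 looks encrypted
MIN_SIZE = 256                    # assumed: entropy of very small files is noisy
# assumed: formats that are legitimately high-entropy, so skipped to cut false positives
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    """A README.txt is treated as a ransom note only if it carries a marker."""
    if path.name != RANSOM_NOTE_NAME:
        return False
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan_tree(root) -> dict:
    """Return sorted relative paths of ransom notes and high-entropy suspects."""
    root = Path(root)
    findings = {"ransom_notes": [], "suspect_files": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if is_ransom_note(p):
                findings["ransom_notes"].append(rel)
                continue
            if p.suffix.lower() in COMPRESSED_EXTS:
                continue  # expected to be high-entropy; not evidence of encryption
            try:
                data = p.read_bytes()
            except OSError:
                continue
            if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings["suspect_files"].append(rel)
    findings["ransom_notes"].sort()
    findings["suspect_files"].sort()
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample: plain document, pseudo-encrypted .docx that kept its
    extension, a ransom note, a legitimate archive and a harmless README.txt."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "hr").mkdir(parents=True, exist_ok=True)
    uniform = bytes(range(256)) * 16  # every byte value equally frequent: entropy 8.0
    (root / "finance" / "budget.docx").write_bytes(b"Quarterly budget summary. " * 40)
    (root / "finance" / "contract.docx").write_bytes(uniform)   # "encrypted", extension unchanged
    (root / "finance" / "archive.zip").write_bytes(uniform)     # legitimately high-entropy
    (root / "finance" / RANSOM_NOTE_NAME).write_text(
        "All your files have been encrypted. Log in at example-placeholder.onion "
        "with the credentials below to negotiate.\n")
    (root / "hr" / RANSOM_NOTE_NAME).write_text("Onboarding checklist for new hires.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In practice the scan would run against file-server shares or a sample of recently modified files, with the entropy threshold tuned against a baseline of the organization's own document types; the harmless hr/README.txt in the sample shows why the note check keys on content rather than filename alone.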
Security Officer Comments:
Although the ransom notes for HellCat and Morpheus share a template similar to those used by the Underground Team, another RaaS operation active since 2023, there is no conclusive evidence linking their payloads or operations. Differences in payload structure and functionality indicate distinct development efforts, though shared techniques and tools among affiliates cannot be ruled out. By identifying these commonalities, organizations can enhance their detection and response capabilities, gaining deeper insights into the operational strategies of these threat actors. Understanding these overlaps is critical as HellCat, Morpheus, and other RaaS platforms continue to compromise businesses and organizations worldwide.
IOCs:
https://www.sentinelone.com/blog/he...as-ransomware-affiliates-drop-identical-code/
Suggested Corrections:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://www.infosecurity-magazine.com/news/ransomware-shared-code-ransom-notes/