CyberWire Daily - The ransomware clones of HellCat & Morpheus. [Research Saturday]
Episode Date: March 15, 2025
Jim Walter, Senior Threat Researcher on the SentinelLabs research team, joins to discuss their work on "HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code." Over the past six months, new ransomware groups like FunkSec, Nitrogen, and Termite have emerged, while established threats such as Cl0p and LockBit 4.0 have resurfaced. Two prominent Ransomware-as-a-Service (RaaS) operations, HellCat and Morpheus, have gained traction, with research indicating that affiliates of both are using nearly identical ransomware payloads. Despite similarities in their encryption techniques and ransom notes, there is no conclusive evidence linking HellCat and Morpheus to the Underground Team, though shared tools or affiliates may be involved. The research can be found here: HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down
the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly
evolving cyberspace.
Thanks for joining us.
We've been following Hellcat for some time as per their association with BreachForums
and ShinyHunters and that whole extended universe.
And so when they branched out into ransomware
through the Hellcat brand,
it was just kind of a natural progression research-wise.
That's Jim Walter, Senior Threat Researcher
on Sentinel Labs' research team.
The research we're discussing today
is titled Hellcat and Morpheus, two brands, one payload,
as ransomware affiliates drop identical code.
Well, let's dig into what these actually are here.
I mean, for folks who aren't familiar,
how do you describe Hellcat and Morpheus?
In that context, I would describe these as ransomware-as-a-service operations,
affiliate-based ransomware operations. So in other words,
if you want to get into ransomware and spreading it and profiting from it, one
option that you have available to you
is become part of an affiliate program.
So you would join something like a LockBit
or a RansomHub or a Hellcat or Morpheus.
These are services that take a cut of the profits
but also simplify the creation of payloads.
So in turn for lowering the barrier of entry,
in other words, making it simpler to generate
ransomware and track campaigns and deal with the modification side of it, they all do that
for you.
The service does that for you.
You just have a nice little portal where you manage everything.
And then in turn, they get a share of whatever profits you might get from that ransomware
activity. I mean, Hellcat and Morpheus fall into this category, just as we see with things like,
I mentioned, LockBit, RansomHub, dozens and dozens of others.
Well, walk us through the discovery, how you and the folks at SentinelOne discovered the
connection between these two ransomware brands?
Sure.
Well, it was kind of from a research standpoint anyway, a little bit unexciting.
If you're familiar with the malware research universe, then you've probably heard the name
Virus Total before.
And Virus Total is just kind of a gigantic database.
It's owned by Google, but it houses viruses.
And it provides different services tied to being that database, right?
So they catalog all the sort of metadata associated with those samples.
But also, they allow researchers to look for particular things or look for specific metadata
or specific samples just as a daily practice.
So to kind of simplify it a bit, if I'm doing my daily hunt for new ransomware or whatever,
I have YARA rules, different sorts of nets cast within the VirusTotal database.
It's sort of a sandbox that we all kind of play out
of in the research world.
But so these things came first and foremost
through happening upon samples in VirusTotal.
In other words, it wasn't like some tweet that hinted us off or whatever.
This is just the samples happened to pop up
within VirusTotal and they hit some rules
that we were monitoring.
And then upon further investigation,
the samples looked more and more and more similar.
And so as we dug into it, we're like,
hey, these are kind of actually the same malware,
but they're pointing in two different directions
and pointing the victims to two different places.
And those two different places, one of them was a Hellcat sample, which pointed the victim
to the Hellcat victim portal.
In other words, a website where they go to log in and then find out what they need to
do to get their data back, how to pay, all that stuff.
You actually chat with the attacker and the attacker tells you what you need to do to proceed, quote-unquote,
recover from the attack. And then, so one of those pointed to Hellcat's site and then the other one
pointed to Morpheus's site, different victim logins and naming, but the overlying malware was exactly the same.
In other words, it was as if you had taken a malware, a piece of malware and just changed
the victimologies to where one is Hellcat and one is Morpheus.
So if that makes sense, it's the exact same piece of malware except they're pointing
the victims to different places. Now, the ransomware itself,
you know, was obviously targeted towards two different victims. So one was a Morpheus victim, one was a Hellcat victim, but it's the same malware.
Do you suppose that this means you have a single group that's putting a couple different brands out there, or is it
multiple affiliates that were using the same ransomware builder in their supply chain?
From what it looks like, it looks like a single malware builder was used by these
services and provided to two affiliates.
And then those affiliates,
but it just happened to be the same builder.
In other words, because the ransomware was functional
and the instructions for the victim were also functional.
In other words, what the victim had to do
in order to log in to the particular site
that they were directed to for further instruction,
that stuff was also functional as well.
So you have two functional client side behaviors
on the two different ransomware portals.
So it doesn't so much look like just a rogue affiliate
that is building their own stuff based on
generally available ransomware builders
and then slapping some names on it.
This looks more like it's coming from higher up.
In other words, you have an operation
like either a Hellcat or Morpheus,
and they're simply just distributing
the same builder code to their affiliates,
or at least they were at the time.
Yeah.
Well, let's dig into some of the nuts and bolts here.
I mean, how does someone typically find themselves a victim of these groups?
And what happens once the ransomware is executed on someone's system?
Yeah, well, with both of these, it's pretty simple ransomware.
It doesn't self-spread or do anything like that.
It does require that it be executed in some way.
And then the exact method of delivery
in initial access methods is not 100% clear on these victims.
Generally speaking, these usually
get delivered into target environments through spear-phishing
or some manner of social engineering, luring the target into actually going and pulling
down and executing this payload, as opposed to some fancy zero-day exploit.
In other words, we don't have any evidence that there was anything super complex going
on.
We don't have any evidence to indicate that they were popping some crazy zero day in their edge infrastructure
in order to deliver these payloads. So in all likelihood, it appears like these were
delivered through spear-phishing or other more simple methods.
And we kind of have a little more data on the
Morpheus side of it with regards to the victim and attacker interaction. Again, it supports the
spear-phishing or maybe a drive-by download or trojanized download attack from a watering hole, what have you, but it's not 100% clear how exactly they were delivered.
We'll be right back.
Are they attempting to evade detection or security defenses here? Is there any attempt at stealth?
In the context of these two particular malware samples, my short answer to that would be
no.
In the grand scheme of analyzing malware and looking at modern ransomware and who's
got the most slick and sophisticated stuff versus who doesn't, this stuff is not obfuscated.
There's no packing or encrypting going on. It's very simple. Well, to back up a little
bit, there's no stealth at all. There's no attempt to sort of obfuscate
what's in the actual malware samples.
And there's no advanced sort of evasion techniques.
They're not trying to bypass anything fancy on the system.
These are just straight up basic pieces of,
straight up basic Trojans really,
that require user interaction,
and they assume that whomever is executing it
has privileges to do so.
In other words, there's no built-in elevation
or privilege escalation method.
It's just really ultra-basic malware.
Yeah, your old smash and grab, right?
Exactly, yeah.
As simple as it gets with no smoke and mirrors around it.
Right.
Was there anything unusual or interesting,
anything that stood out to you
as you were going through your analysis here?
The one weird thing, and again,
it only stands out because it's an anomaly.
I can't really speak to why they would do it this way
or what the driver was here.
But usually with modern ransomware and even with ransomware in general,
usually when files are encrypted,
there's some sort of a visible indicator.
So like the extension changes, for example,
or the full file name changes to a bunch of garbage.
But usually you'll have something like an extension of change to
indicate that this stuff has been encrypted.
Right? So like, you know, to just pick a random modern
example, like if you get FunkLocker on your system, you're
going to have all your files encrypted with a
FunkLocker extension. You know, that sort of thing. Or with
LockBit, you get like random sets of characters as
extensions.
With this, there was no change visibly to the file names or metadata, which again doesn't
really mean much, but it does stand out as an anomaly.
So your files are encrypted, but there's no visual indicator to say that.
If you try to open a text file, it'll be ciphertext instead of plaintext.
I see.
Are there any indications that they're specifically
targeting anyone in particular,
or is it just more of an opportunistic kind of thing?
Did you have any view into that?
So again, in the context of these samples,
the only thing we can say is that on the Morpheus side, it's looking specifically at virtual environments. They were very interested in encrypting and exfiltrating
or destroying really the VMDK files and any sort of virtual machines running on the system.
So they are kind of looking upward,
looking at more interesting,
sort of quote unquote, sophisticated environments.
Not necessarily just desktop systems,
but they want to encrypt virtual environments
and host systems that may be running multiple guest systems.
So that we can see on the Morpheus side.
On the Hellcat side,
the malware's the same,
so we can assume the same,
but if we also go by their rhetoric,
they're very interested in the quote unquote big game,
large, big splash kind of targets.
Now, that's the rhetoric,
and that sort of differs from their real world activity,
but they would have you believe that that's the goal.
Yeah, interesting.
So based on the information you all have gathered here,
what are your recommendations for organizations
to best protect themselves?
As always, the best thing you can possibly do
approach-wise with ransomware is prevent.
You know, it's much, much, much harder
to recover and restore,
especially nowadays when things like backup
and recovery processes are much more complicated
than they were, say, 10 years ago.
But prevention is absolutely key.
And there's a number of technological
and security controls that allow you to do that,
whether we're talking about traditional AV and EDR
or more sophisticated sort of identity control
and identity management type controls.
But the main idea here is you need to approach ransomware
strictly with a prevention mindset
and whatever you can do to prevent this stuff
from executing on the systems,
be it technological controls or user education,
which is a biggie,
that is the route that needs to be,
that one needs to take.
Because once you're encrypted,
even if you quote unquote recover and pay
and restore your stuff,
that's no guarantee of anything.
That's theater.
The data lives forever and it continues to get bought
and sold in various avenues by the bad guys.
So you never want to be in a position where you are encrypted.
And if you are encrypted and you comply with the attacker demands, that actually means nothing at all.
That's not the end of your problem.
So the advice is prevent.
And again, kind of taking the vendor hat off for a minute,
there's a whole lot of good vendors out there
that help with that space, but also education is huge
and just general hardening of systems is huge as well.
Our thanks to Jim Walter from Sentinel Labs for joining us.
The research is titled Hellcat and Morpheus.
Two brands, one payload as ransomware affiliates drop identical code.
We'll have a link in the show notes.
That's Research Saturday brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review
in your favorite podcast app.
Please also fill out the survey and the show notes
or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Tré Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.