Ransomware Gangs Linked by Shared Code and Ransom Notes
Two recently identified ransomware gangs are using payloads that contain almost identical code, suggesting that the groups’ affiliates are using shared infrastructure.
The groups, named HellCat and Morpheus, emerged in mid to late 2024.
SentinelOne researchers also identified similarities in the tactics used by the two groups and the Underground Team ransomware-as-a-service (RaaS) operation.
The findings add to other observations around growing associations and overlap between different ransomware groups and their affiliates.
This trend comes as the ransomware ecosystem becomes more fragmented following law enforcement operations that have disrupted a number of high-profile RaaS groups, such as LockBit.
“HellCat and Morpheus payloads are almost identical and both are atypical to other ransomware families in leaving original file extensions in place after encryption,” the researchers wrote.
“While it is not possible to assess the full extent of interaction between the owners and operators of these ransomware services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups.”
Shared Approaches Between HellCat and Morpheus
The HellCat group emerged in mid-2024 and its primary operators are thought to be high-ranking members of the BreachForums community and its various factions.
The group has so far been focused on “big game” targets and government entities. HellCat actors were reportedly behind a ransomware attack on telco giant Telefónica in January 2025, resulting in over 236,000 lines of customer data being stolen.
Morpheus launched a data leak site in December 2024, although the group’s activity can be tracked back to at least September of that year.
The researchers described Morpheus as a “semi-private” RaaS, with public branding efforts far less visible than HellCat’s.
SentinelOne observed two similar ransomware payloads uploaded to VirusTotal on December 22 and 30, 2024. The only differences between the payloads were victim-specific data and the attacker contact details.
The researchers said that based on this and other telemetry data, it is likely that the samples were uploaded by the same affiliate dabbling in both Morpheus and HellCat campaigns.
Both payloads behaved in the same way upon execution. An unusual characteristic is that they do not alter the extension of targeted and encrypted files.
Additionally, there are no further system modifications made beyond the file encryption and ransom note drop. These characteristics are designed to avoid detection in target systems.
The HellCat and Morpheus ransom notes also share characteristics. The ransom notes are written to disk as _README_.txt. Once all available files, on all available volumes, have been processed, the ransom note for both will be launched via Notepad from the C:\Users\Public\_README_.txt instance of the file.
Additionally, the notes follow the same template and flow, with the same quantity of sources listed across each note.
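The two behaviors described above (files encrypted in place with their original extensions left intact, and a _README_.txt note dropped alongside them) are the kind of traits a defender can hunt for on disk. The script below is an added example written for this article, not code from SentinelOne or from either ransomware family; it flags files whose extension promises a known header (PDF, PNG, ZIP/DOCX, JPEG) but whose bytes no longer match and are near-random, and it lists any _README_.txt notes found. The magic-byte table, the 7.5-bit entropy threshold, and the demo directory tree are assumptions constructed for the example.

```python
import math
import random
import tempfile
from pathlib import Path

# Leading bytes a file of this extension should start with. Constructed lookup
# for this example; a real deployment would carry a much larger table.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

# Note filename reported for both HellCat and Morpheus in the article above.
RANSOM_NOTE_NAME = "_README_.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) over the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted_in_place(path: Path, entropy_threshold: float = 7.5) -> bool:
    """True when the extension implies a known header, the header is gone,
    and the leading bytes are near-random: the signature of a file encrypted
    in place without its extension being changed."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return False  # no expectation for this extension; cannot judge
    head = path.read_bytes()[:4096]
    header_missing = not head.startswith(magic)
    high_entropy = shannon_entropy(head) >= entropy_threshold  # threshold is an assumption
    return header_missing and high_entropy


def scan_tree(root: Path) -> dict:
    """Walk a directory and collect suspect files and dropped ransom notes."""
    findings = {"suspect_files": [], "ransom_notes": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == RANSOM_NOTE_NAME:
            findings["ransom_notes"].append(rel)
        elif looks_encrypted_in_place(p):
            findings["suspect_files"].append(rel)
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed sample data, not output from any real ransomware."""
    (root / "docs").mkdir()
    # Intact PDF: correct header, low-entropy body.
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"plain report text\n" * 200)
    # Stand-in for an encrypted file: random bytes, but the .pdf extension kept.
    rng = random.Random(1234)  # seeded so the demo is deterministic
    (root / "docs" / "invoice.pdf").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    # Plain text with no magic expectation; never flagged.
    (root / "docs" / "notes.txt").write_bytes(b"meeting notes\n" * 50)
    # A note in a Public directory, mirroring the drop location described above.
    (root / "Public").mkdir()
    (root / "Public" / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(run_demo())
```

The header-plus-entropy pairing matters: checking entropy alone would flag legitimately compressed formats, and checking the header alone would flag ordinary corruption, so a hit on both is what distinguishes in-place encryption from noise. A note found under a Public directory, combined with hits from the same volume, is the point at which a responder would pivot to process telemetry for the Notepad launch the article describes.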
Similarities with Underground Team Ransomware
The researchers also identified similarities between these ransom notes templates and those used by the Underground Team group, which has been in operation since early to mid-2023.
Despite this similarity, the ransomware payloads analyzed from the Underground Team are structurally and functionally different from HellCat and Morpheus samples.
While it is possible there are affiliates that are tied to Underground Team and HellCat/Morpheus, the researchers said there is insufficient evidence to support the notion that there is any sort of shared codebase or partnership that involves all three groups.
Growing Overlap in Ransomware Ecosystem
The new findings provide further demonstration of the growing collaboration and shared tactics, techniques and procedures (TTPs) in the ransomware ecosystem.
This includes affiliates frequently moving between different RaaS operators, amid a more crowded marketplace.
In November 2024, SentinelLabs observed the CyberVolk hacktivist collective advertising its branded ransomware, which was derived from code developed by another hacktivist group.
The study also noted CyberVolk’s associations with other ransomware families, including helping to promote their operations.
Researchers have also observed growing collaboration between nation-state actors and ransomware groups, including shared TTPs and operations.