HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code www.sentinelone.com/blog/hell…

The previous six months have seen heightened activity around new and emerging ransomware operations.

Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy.

As a result of this recent activity, we analyzed payloads from both HellCat and Morpheus ransomware operations. In this post, we discuss how affiliates across both operations are compiling payloads that contain almost identical code. We take a high-level look at two samples in particular and examine their characteristics and behavior.
