A new report out today from cybersecurity company SentinelOne Inc. is drawing attention to the evolving tactics of two prominent ransomware-as-a-service operations that have gained notoriety for targeting high-value sectors, including pharmaceuticals, manufacturing and government entities.

Ransomware-as-a-service groups operate by providing ready-made ransomware tools and platforms to affiliates or clients, who then undertake ransomware attacks themselves and share a percentage of the ransom profits with the RaaS operators. The two RaaS groups covered in the report, HellCat and Morpheus, were found to be leveraging identical payloads in their ransomware campaigns, pointing to a possible shared codebase or builder application.

HellCat, which first emerged on the scene in mid-2024, has focused on establishing itself as a reputable brand within the cybercrime economy, targeting high-value entities such as government organizations and large enterprises. Morpheus, operating more discreetly since late 2024, has similarly targeted critical industries, with ransom demands said to be reaching as high as $3 million.

SentinelOne’s researchers uncovered two identical payload samples uploaded to VirusTotal in December 2024. The payloads, associated with affiliates of both HellCat and Morpheus, were found to demonstrate identical code apart from victim-specific data and attacker contact details.

The samples employed the Windows Cryptographic Application Programming Interface for encryption to ensure that file contents were encrypted without altering file extensions. The particular approach, coupled with the exclusion of critical system files from encryption, indicates a calculated effort to minimize system disruption while maximizing leverage over victims.

The researchers also found that both HellCat and Morpheus deploy nearly identical ransom notes, with variations only in contact details and victim-specific instructions. The notes direct victims to log into attacker-controlled .onion portals — sites found exclusively on the dark web — using credentials provided in the ransom notes.

Interestingly, the report also notes that despite similarities to earlier ransomware operations, such as the Underground Team, there is no evidence of a direct link with previous groups. The structural and functional differences between the payloads analyzed suggest independent development paths, although the possibility of shared affiliates cannot be ruled out entirely.

The SentinelOne researches conclude by emphasizing the importance of understanding how ransomware groups share and source common tools to enhance detection and defense strategies. The findings demonstrate some of the tactics employed by ransomware groups, highlighting the crucial need for organizations to adopt robust cybersecurity measures.

Image: SiliconANGLE/DALL-E 3