![The ransomware clones of HellCat & Morpheus. [Research Saturday] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/2eed5260-00ee-11f0-a428-ab3a2222630e/image/95b72a93c2ffaf8ff900d662a9bd3735.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust + AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Jim Walters
We've been following HellCat for some time, as per their association with BreachForums and ShinyHunters and that whole extended universe. And so when they branched out into ransomware through the HellCat brand, it was just kind of a natural progression, research-wise.
Dave Bittner
That's Jim Walters, senior threat researcher on the SentinelLabs research team. The research we're discussing today is titled "HellCat and Morpheus: Two Brands, One Payload as Ransomware Affiliates Drop Identical Code." Well, let's dig into what these actually are here. I mean, for folks who aren't familiar, how do you describe HellCat and Morpheus in that context?
Jim Walters
I describe these as ransomware-as-a-service operations, affiliate-based ransomware operations. So in other words, if you want to get into ransomware and spreading it and profiting from it, one option that you have available to you is to become part of an affiliate program. So you would join something like a LockBit or a RansomHub or a HellCat or a Morpheus. These are services that take a cut of the profits but also simplify the creation of payloads. So in turn for lowering the barrier of entry, in other words, making it simpler to generate ransomware and track campaigns and deal with the modification side of it, they all do that for you. The service does that for you. You just have a nice little portal where you manage everything, and then in turn, they get a share of whatever profits you might get from that ransomware activity. And HellCat and Morpheus fall into this category, just as we see with things like, as I mentioned, LockBit, RansomHub and dozens and dozens of others.
Dave Bittner
Well, walk us through the discovery. How did you and the folks at SentinelOne discover the connection between these two ransomware brands?
Jim Walters
Sure. Well, it was kind of, from a research standpoint anyway, a little bit unexciting. If you're familiar with the malware research universe, then you've probably heard the name VirusTotal before. And VirusTotal is just kind of a gigantic database. It's owned by Google, but it houses viruses and it provides different services tied to being that database. Right. So they catalog all the sort of metadata associated with those samples, but also they allow researchers to look for particular things or look for specific metadata, specific samples, just as a daily practice. So to kind of simplify it a bit, if I'm doing my daily hunt for new ransomware or whatever, I have YARA rules in different sort of nets cast within the VirusTotal database. It's sort of a sandbox that we all kind of play out of in the research world. But so these things came first and foremost through happening upon samples in VirusTotal. In other words, it wasn't like some tweet that tipped us off or whatever. This is just the samples happened to pop up within VirusTotal and they hit some rules that we were monitoring. And then upon further investigation, the samples looked more and more and more similar. And so as we dug into it, we're like, hey, these are kind of actually the same malware, but they're pointing in two different directions and pointing the victims to two different places. And those two different places were: one of them was a HellCat sample, which pointed the victim to the HellCat victim portal. In other words, a website where they go to log in and then find out what they need to do to get their data back, how to pay, all that stuff. You actually chat with the attacker, and the attacker tells you what you need to do to proceed, quote unquote, recover from the attack. So one of those pointed to HellCat's site, and then the other one pointed to Morpheus's site. Different, you know, different victim logins and naming. But the overlying malware was exactly the same.
In other words, it was as if you had taken a piece of malware and just changed the victimologies to where one is HellCat and one is Morpheus. And so, you know, if that makes sense, it's the exact same piece of malware, except they're pointing the victims to different places. The ransomware itself was obviously targeted towards two different victims. So one was a Morpheus victim, one was a HellCat victim, but it's the same malware.
Dave Bittner
Do you suppose that this means you have a single group that's putting a couple different brands out there, or is it multiple affiliates that were using the same ransomware builder in their supply chain?
Jim Walters
From what it looks like, it looks like a single malware builder was used by these services and provided to affiliates, and then those affiliates... but it just happened to be the same builder. In other words, because the ransomware was functional and the instructions for the victim were also functional. In other words, what the victim had to do in order to log in to the particular site that they were directed to for further instruction, that stuff was also functional as well. So you have two functional client-side behaviors on the two different ransomware portals. So it doesn't so much look like just a rogue affiliate that is building their own stuff based on generally available ransomware builders and then slapping some names on it. This looks more like it's coming from higher up. In other words, you have an operation like either a HellCat or Morpheus, and they're simply just distributing the same builder code to their affiliates. Or at least they were at the time.
Dave Bittner
Yeah, well, let's dig into some of the nuts and bolts here. I mean, how does someone typically find themselves a victim of these groups? And what happens once the ransomware is executed on someone's system?
Jim Walters
Yeah, well, with both of these, you know, it's pretty simple ransomware. You know, it doesn't self-spread or do anything like that. It does require that it be executed in some way, and the exact method of delivery and initial access methods, you know, is not 100% clear on these victims. Generally speaking, these usually get delivered into target environments through spear phishing or some manner of social engineering, luring the target into actually going and pulling down and executing this payload, you know, as opposed to like some fancy zero-day exploit or whatever. In other words, we don't have any evidence that there was anything like super complex going on. We don't have any evidence to indicate that they were popping some crazy zero day in their edge infrastructure in order to deliver these payloads. So in all likelihood, it appears like these were delivered through spear phishing or other more simple methods. And we kind of have a little more data on the Morpheus side of it with regards to the victim and attacker interaction. And again, it kind of supports the, you know, spear phishing or maybe like a drive-by download or trojanized download sort of attack from like a watering hole, what have you. But it's not 100% clear how exactly they were.
Dave Bittner
We'll be right back. Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now, at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Dave Bittner
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing. For individuals, SMBs and enterprises, they deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.
Are they attempting to evade detection or security defenses here? Is there any attempt at stealth?
Jim Walters
Well, if we're, you know, in the context of these two particular malware samples, my short answer to that would be no. You know, in the grand scheme of analyzing malware and looking at, like, modern ransomware and, you know, who's got the most slick and sophisticated stuff versus, you know, who doesn't, this stuff is not obfuscated. There's no packing or crypting going on. It's very simple. Well, you know, to back up a little bit, there's no stealth at all. There's no attempt to sort of obfuscate what's in the actual malware samples, and there's no advanced sort of evasion techniques. They're not trying to, you know, bypass anything fancy on the system. These are just straight-up basic Trojans, really, that require user interaction, and they assume that whomever is executing it has privileges to do so. In other words, there's no built-in elevation or privilege escalation method. It's just really ultra-basic malware.
Dave Bittner
Yeah. Your old smash and grab, right?
Jim Walters
Exactly. Yeah. As simple as it gets with no smoke and mirrors around it.
Dave Bittner
Right. Was there anything unusual or interesting, anything that stood out to you as you were going through your analysis here?
Jim Walters
The one weird thing, and again, you know, it only stands out because it's an anomaly. I can't really speak to, you know, why they would do it this way or, you know, what the driver was here. But usually with, you know, modern ransomware, and even, you know, with ransomware in general, usually when files are encrypted, there's some sort of a visible indicator, right? You know, so like the extension changes, for example, or the full file name changes to a bunch of garbage. But usually you'll have something to indicate that this stuff has been encrypted. To just pick a random modern example, if you get FunkLocker on your system, all your files are going to be encrypted with a FunkLocker extension, that sort of thing. Or with LockBit, you get random sets of characters as extensions. With this, there was no change visibly to the file names or metadata, which again doesn't really mean much, but it does stand out as an anomaly. So your files are encrypted, but there's no visual indicator to say that. If you try to open a text file, it'll be ciphertext instead of plain text.
Dave Bittner
I see. Are there any indications that they're specifically targeting anyone in particular, or is it just more of an opportunistic kind of thing? Do you have any view into that?
Jim Walters
So again, in the context of these samples, the only thing we can say is that on the Morpheus side, it's looking specifically at virtual environments. You know, they were very interested in encrypting and exfiltrating, or destroying really, the VMDK files and any sort of virtual machines running on the system. So, you know, they are kind of looking upward, looking at more interesting sort of quote unquote sophisticated environments. You know, not necessarily just desktop systems, but they want to encrypt virtual environments and host systems that may be running multiple guest systems. So that we can see on the Morpheus side. On the HellCat side, you know, the malware is the same, so we can assume the same. But if we also go by their rhetoric, they're very interested in the quote unquote big game, you know, large, big-splash kind of targets. Now that's the rhetoric, and that sort of differs from their real-world activity, but they would have you believe that that's the goal.
Dave Bittner
Yeah. Interesting. So based on the information you all have gathered here, what are your recommendations for organizations to best protect themselves?
Jim Walters
As always, the best thing you can possibly do, approach-wise, with ransomware is prevent. It's much, much, much harder to recover and restore, especially nowadays when things like backup and recovery processes are much more complicated than they were, say, 10 years ago. But prevention is absolutely key. And there's a number of technological and security controls that allow you to do that, whether we're talking about traditional AV and EDR or more sophisticated sort of identity control and identity management type controls. But the main idea here is you need to approach ransomware strictly with a prevention mindset. And whatever you can do to prevent this stuff from executing on the systems, be it technological controls or user education, which is a biggie, that is the route that one needs to take. Because once you're encrypted, even if you recover and pay and restore your stuff, that's no guarantee of anything. That's theater. The data lives forever and it continues to get bought and sold in various avenues by the bad guys. So you never want to be in a position where you are encrypted. And if you are encrypted and you comply with the attacker demands, that actually means nothing at all. You know, that's not the end of your problem. So the advice is prevent. And again, kind of taking the vendor hat off for a minute, there's a whole lot of good vendors out there that help with that space. But also education is huge and just general hardening of systems is huge as well.
Dave Bittner
Our thanks to Jim Walter from SentinelLabs for joining us. The research is titled "HellCat and Morpheus: Two Brands, One Payload as Ransomware Affiliates Drop Identical Code." We'll have a link in the show notes. That's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily – Research Saturday Summary
Episode Title: The Ransomware Clones of HellCat & Morpheus
Host: Dave Bittner, N2K Networks
Release Date: March 15, 2025
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner talks with Jim Walters, Senior Threat Researcher at SentinelLabs, about recent findings on two ransomware brands, HellCat and Morpheus: how the operations work, what the shared payload looks like, and what the overlap implies for defenders.
Jim Walters provides an overview of HellCat and Morpheus, categorizing them as Ransomware-as-a-Service (RaaS) operations. He explains:
"These are services that take a cut of the profits but also simplify the creation of payloads...making it simpler to generate ransomware and track campaigns."
— Jim Walters [02:17]
Both brands operate by providing a platform for affiliates to deploy ransomware, lowering the barrier to entry for cybercriminals. Affiliates gain access to customizable ransomware tools, facilitating widespread dissemination without the need for deep technical expertise.
The conversation moves to the discovery of similarities between HellCat and Morpheus ransomware samples.
"These are kind of, from a research standpoint anyway, a little bit unexciting... the samples happened to pop up within VirusTotal and they hit some rules that we were monitoring."
— Jim Walters [04:08]
Jim elucidates that both ransomware samples shared identical codebases but directed victims to different portals—HellCat's and Morpheus's respective websites. This indicated that the same malware was branded differently, suggesting a shared origin or a centralized distribution mechanism.
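As an illustration of the comparison described above (an added example, not code from the SentinelLabs research or from this page), the Python below diffs two constructed byte blobs that stand in for the two samples. The layout is assumed for the demo: a builder emits identical code and splices in a fixed-width configuration block carrying the victim-portal URL and victim ID. Hashing each sample with that block masked out gives a "code hash" that matches across brands built from the same builder and differs for a genuinely different build, and listing the byte ranges that differ shows whether they fall entirely inside the configuration block. The portal URLs and victim IDs are placeholders, not real infrastructure.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Assumed layout for the constructed samples (not the real HellCat/Morpheus binaries):
# a fixed-width configuration block holding the portal URL and victim ID, embedded
# inside otherwise identical "code".
CODE_SIZE = 4096
CONFIG_OFFSET = 1024
URL_FIELD = 256
ID_FIELD = 256
CONFIG_SIZE = URL_FIELD + ID_FIELD


def _filler(seed: bytes, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


def build_sample(portal_url: str, victim_id: str, builder_seed: bytes = b"shared-builder") -> bytes:
    """Constructed sample: the builder's code with a per-victim config block spliced in."""
    code = _filler(builder_seed, CODE_SIZE)
    config = portal_url.encode().ljust(URL_FIELD, b"\x00") + victim_id.encode().ljust(ID_FIELD, b"\x00")
    if len(config) != CONFIG_SIZE:
        raise ValueError("portal URL or victim ID exceeds its field width")
    return code[:CONFIG_OFFSET] + config + code[CONFIG_OFFSET:]


def differing_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Runs of (offset, length) where the blobs differ; a length mismatch is reported as a tail region."""
    regions = []
    start = None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, common - start))
    if len(a) != len(b):
        regions.append((common, abs(len(a) - len(b))))
    return regions


def code_hash(blob: bytes) -> str:
    """SHA-256 of the sample with the variable config block zeroed out."""
    masked = bytearray(blob)
    masked[CONFIG_OFFSET:CONFIG_OFFSET + CONFIG_SIZE] = b"\x00" * CONFIG_SIZE
    return hashlib.sha256(masked).hexdigest()


def printable_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Rough equivalent of `strings`, used to pull the portal URL out of each sample."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def compare(a: bytes, b: bytes) -> Dict[str, object]:
    """Where do two samples differ, and is the code underneath the config the same?"""
    regions = differing_regions(a, b)
    in_config = all(
        CONFIG_OFFSET <= off and off + ln <= CONFIG_OFFSET + CONFIG_SIZE for off, ln in regions
    )
    return {
        "regions": regions,
        "all_in_config": in_config,
        "code_hash_equal": code_hash(a) == code_hash(b),
    }


if __name__ == "__main__":
    # Constructed stand-ins: two builds from the same builder, one from a different builder.
    sample_a = build_sample("hxxp://portal-a.example/login", "VICTIM-0001")
    sample_b = build_sample("hxxp://portal-b.example/login", "VICTIM-0002")
    sample_c = build_sample("hxxp://portal-c.example/login", "VICTIM-0003", builder_seed=b"other-builder")
    print("a vs b:", compare(sample_a, sample_b))   # differences confined to config, code hash equal
    print("a vs c:", compare(sample_a, sample_c))   # code hash differs: a genuinely different build
    for name, s in (("a", sample_a), ("b", sample_b)):
        print(name, [x for x in printable_strings(s) if "portal" in x])
```

On real samples the variable block is located first (strings, resource section, or the builder's known config offset) rather than assumed; where the layout is unknown, a fuzzy hash such as ssdeep or TLSH answers the same "same code, different config?" question, at the cost of a less precise answer about where the differences sit.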
Jim Walters discusses the typical infection vectors and operational behavior of these ransomware strains:
"These usually get delivered into target environments through spear phishing or some manner of social engineering... as opposed to some fancy zero-day exploit."
— Jim Walters [08:36]
During the analysis, Walters identified an anomaly in the ransomware's behavior:
"There was no change visibly to the file names or metadata... files are encrypted, but there's no visual indicator."
— Jim Walters [13:52]
Jim Walters highlights the targeting focus of these ransomware operations:
"On the Morpheus side... they were very interested in encrypting virtual environments and host systems that may be running multiple guest systems."
— Jim Walters [15:18]
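The two observations above, encryption that leaves names and extensions untouched and a particular interest in VMDK files, point at a simple content check: if a file's bytes no longer match what its extension promises, or its entropy is that of ciphertext, it has probably been encrypted in place. The Python below is an added example, not code from this page or from SentinelLabs. The signature table, the 7.2 bits-per-byte threshold and the sample file set are assumptions constructed for the demo, and the "encrypted" contents are a SHA-256 hash chain standing in for real ciphertext.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Optional

# Expected headers for a few extensions. Both .vmdk forms are covered: a sparse
# extent starts with "KDMV", a descriptor file is text. This table is an assumption
# chosen for the demo, not an exhaustive signature database.
MAGIC = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".pdf":  (b"%PDF-",),
    ".zip":  (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".vmdk": (b"KDMV", b"# Disk DescriptorFile"),
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".ini", ".md"}
# Compressed by design: high entropy is normal here, so only the header check applies.
COMPRESSED_EXTENSIONS = {".zip", ".docx", ".xlsx", ".png"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; uncompressed plaintext rarely exceeds ~6.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (0.0 for a single repeated value, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True when at least 90% of the first 4 KiB is printable ASCII or whitespace."""
    sample = data[:4096]
    if not sample:
        return True
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) >= 0.9


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def assess(name: str, data: bytes) -> Optional[str]:
    """Return a reason string if the content does not fit the name, else None."""
    ext = extension_of(name)
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        return f"header does not match {ext} signature"
    if ext in TEXT_EXTENSIONS and not looks_like_text(data):
        return "text extension but content is not text"
    if ext not in COMPRESSED_EXTENSIONS:
        h = shannon_entropy(data[:65536])
        if h > ENTROPY_THRESHOLD:
            return f"entropy {h:.2f} bits/byte looks like ciphertext"
    return None


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map of filename -> reason for every file that looks silently encrypted."""
    findings = {}
    for name, data in files.items():
        reason = assess(name, data)
        if reason:
            findings[name] = reason
    return findings


def _ciphertext(label: bytes, size: int) -> bytes:
    """Deterministic stand-in for encrypted output (a hash chain, not real encryption)."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(label + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:size])


# Constructed sample set: clean files, then the same kinds of file after an
# in-place encryptor that leaves names and extensions untouched.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n" + b"% constructed body line\n" * 200,
    "notes.txt": b"quarterly numbers, constructed text\n" * 300,
    "archive.zip": b"PK\x03\x04" + _ciphertext(b"deflate", 4000),   # legitimately high entropy
    "disk.vmdk": b"KDMV" + b"\x00" * 4092,
    "report_enc.pdf": _ciphertext(b"pdf", 4800),
    "notes_enc.txt": _ciphertext(b"txt", 9000),
    "archive_enc.zip": _ciphertext(b"zip", 4004),
    "disk_enc.vmdk": _ciphertext(b"vmdk", 4096),
    "backup.bak": _ciphertext(b"bak", 6000),   # unknown extension: entropy alone flags it
}

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_FILES).items():
        print(f"{name}: {reason}")
```

The header check matters because entropy alone misfires on formats that are compressed by design: an encrypted .docx still has ciphertext-level entropy, but it no longer starts with PK, and that is what gives it away. Run against a file share or backup snapshot this finds damage after the fact; since no rename or extension change exists to alert on, the live detection has to come from process telemetry, a single process doing mass read-modify-write of user files.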
Addressing the threat posed by HellCat and Morpheus, Jim Walters emphasizes a prevention-centric approach:
"Prevention is absolutely key...prevent this stuff from executing on the systems, be it technological controls or user education."
— Jim Walters [16:34]
The episode underscores the evolving landscape of ransomware operations, particularly highlighting the streamlined, affiliate-based models of HellCat and Morpheus. By simplifying payload distribution and targeting sophisticated environments, these ransomware brands pose significant challenges to cybersecurity defenses. Organizations are urged to prioritize preventive measures, leveraging both technological solutions and comprehensive user training to mitigate risks.
For more detailed insights, listeners are encouraged to access the full research titled Hellcat and Morpheus: Two Brands, One Payload via the show notes.