SentinelOne recently reported (https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/) on HellCat and Morpheus ransomware samples, which are identical at the code level but identify themselves as distinct variants in their ransom notes.
At Threatray, we continuously track new malware samples using our code search engine to identify relationships based on code reuse between new and existing malware. Through this process, we discovered two ransomware samples that identify themselves as AidLocker and Frag in their ransomware messages. Our key findings are:
- Like the HellCat/Morpheus pair, the AidLocker/Frag pair is code-wise identical but features different branding in their ransom messages.
- AidLocker/Frag share substantial code with HellCat/Morpheus, confirming they are variants of the same family.
The following sections detail the similarities and differences between AidLocker/Frag and HellCat/Morpheus. Our analysis compares the AidLocker and HellCat samples specifically, since Frag is identical to AidLocker and Morpheus is identical to HellCat.
Shared capabilities
The samples are relatively small, with HellCat containing 10 functions and AidLocker containing 16 functions.
The samples share 5 core functions that handle file enumeration and encryption. Below, we examine these functions, with AidLocker shown on the left and HellCat on the right in the screenshots.
Encryption Setup Function
This function handles the import of an RSA public key and configures both AES and RSA cryptographic providers.
[Screenshot: encryption setup function, AidLocker (left) vs. HellCat (right)]
File Encryption
Both samples use BCrypt for encryption.
[Screenshot: BCrypt-based file encryption routine, AidLocker (left) vs. HellCat (right)]
Thread management
This function is designed to run inside a thread and drive the file encryption process; it is identical in both samples.
[Screenshot: thread management function, AidLocker (left) vs. HellCat (right)]
File iteration
This function iterates through directories, skipping those listed in the exclusion list. The logic is identical for AidLocker and HellCat, though they use different exclusion lists.
[Screenshot: file iteration function, AidLocker (left) vs. HellCat (right)]
HellCat excludes only "\Windows\System32" while AidLocker implements a more comprehensive exclusion list shown below.
[Screenshot: AidLocker directory exclusion list]
Ransomware note creation
The ransom note generation method is identical between the variants, with the only difference being the filename: AidLocker creates "README.txt" while HellCat creates "_README_.txt".
[Screenshot: ransom note creation, AidLocker (left) vs. HellCat (right)]
Distinct capabilities
Let’s have a look at some implementation differences between AidLocker and HellCat.
AidLocker adds the .aid666 extension to encrypted files, while HellCat does not modify file extensions during encryption.
[Screenshot: AidLocker appending the .aid666 extension to encrypted files]
Additionally, AidLocker has a much larger list of file extensions it won't encrypt compared to HellCat.
[Screenshot: AidLocker's list of file extensions excluded from encryption]
Unlike HellCat, AidLocker first attempts to open each file with read and write access (0xC0000000); if that fails, it retries with read-only access (0x80000000) and then terminates any processes that currently hold the file open. This removes file locks that could otherwise prevent the file from being modified during encryption.
[Screenshot: AidLocker file-open retry and process termination logic]
AidLocker uses ‘wmic shadowcopy delete’ to destroy shadow copies, while HellCat lacks this functionality.
[Screenshot: AidLocker shadow copy deletion via wmic]
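The three behaviours that distinguish AidLocker from HellCat above (the .aid666 extension, the README.txt ransom note, and the shadow copy deletion via wmic) are each visible in ordinary endpoint telemetry. The following is an added detection example, not code from the article or from the samples themselves: it parses constructed Sysmon-style process-creation and file-create records (the "key=value|key=value" line format, the hostnames and paths are all made up for this example) and attributes the resulting alert tags to the process that caused them. A shadow copy deletion is attributed to the parent of wmic.exe, since the ransomware spawns wmic rather than deleting the copies itself.

```python
import re

# Constructed Sysmon-style records (EventID 1 = process creation, EventID 11 = file create),
# flattened into "key=value|key=value" lines for this example. Not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete"
    "|ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\locker.exe",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=11|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\locker.exe"
    "|TargetFilename=C:\\Users\\victim\\Documents\\budget.xlsx.aid666",
    "EventID=11|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\locker.exe"
    "|TargetFilename=C:\\Users\\victim\\Documents\\README.txt",
    "EventID=11|Image=C:\\Program Files\\Editor\\editor.exe"
    "|TargetFilename=C:\\Users\\victim\\Documents\\notes.txt",
]

# wmic invoked with the shadowcopy delete verb, in any casing, with or without ".exe"
SHADOWCOPY_RE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
# extension AidLocker appends to encrypted files
ENCRYPTED_EXT_RE = re.compile(r"\.aid666$", re.IGNORECASE)
# ransom note file names used by AidLocker and HellCat respectively
NOTE_NAMES = {"readme.txt", "_readme_.txt"}


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the list of alert tags a single event triggers (empty if benign)."""
    tags = []
    if event.get("EventID") == "1" and SHADOWCOPY_RE.search(event.get("CommandLine", "")):
        tags.append("shadowcopy_deletion")
    elif event.get("EventID") == "11":
        name = event.get("TargetFilename", "")
        if ENCRYPTED_EXT_RE.search(name):
            tags.append("aid666_extension")
        # README.txt alone is far too generic; it only counts in combination with other tags
        if name.rsplit("\\", 1)[-1].lower() in NOTE_NAMES:
            tags.append("ransom_note_name")
    return tags


def scan(lines):
    """Map each alert tag to the set of images that triggered it."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        for tag in classify(ev):
            hits.setdefault(tag, set()).add(ev.get("Image", ""))
    return hits


def suspicious_processes(lines):
    """Attribute tags per process image and return those with two or more distinct tags."""
    per_image = {}
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev)
        if not tags:
            continue
        # The ransomware spawns wmic, so credit the shadow copy deletion to the parent.
        if "shadowcopy_deletion" in tags:
            image = ev.get("ParentImage", ev.get("Image", ""))
        else:
            image = ev.get("Image", "")
        per_image.setdefault(image, set()).update(tags)
    return {img: sorted(t) for img, t in per_image.items() if len(t) >= 2}


if __name__ == "__main__":
    for image, tags in suspicious_processes(SAMPLE_EVENTS).items():
        print(image, tags)
```

Requiring two distinct tags per process keeps the generic README.txt match from firing on its own, while a single wmic shadowcopy delete from an unexpected parent is worth its own rule in practice; the HellCat variant would only produce the ransom note tag here, since it neither renames files nor deletes shadow copies.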
Finally, there is a difference in command-line argument handling. AidLocker enforces strict argument checking, requiring at least two specific parameters (-p, -d, -f, -del, or -h). HellCat, on the other hand, is more permissive and will execute with any two arguments.
[Screenshot: command-line argument handling, AidLocker vs. HellCat]
Conclusions
A key question remains about the relationship between the HellCat/Morpheus and AidLocker/Frag variants. Currently, we cannot draw definitive conclusions about their connection.
Based on the functional differences described above, AidLocker appears to be a more sophisticated version of HellCat. This may suggest that AidLocker/Frag is a more recent, improved iteration of HellCat/Morpheus; alternatively, HellCat/Morpheus could be a newer, simplified version of AidLocker/Frag.
The table below summarizes the key differences between the main malware families. The "TimeDateStamp" information (assuming it wasn't manipulated) indicates that Frag first appeared in November 2024, followed by AidLocker, and then HellCat and Morpheus. This might indicate that HellCat/Morpheus is the most recent and active version. However, while we were finishing this article, our friends at Infoguard shared with us that they observed AidLocker (sha256: c4b75817add2d8ecfe84c4f8d622fd18c7b70c3d834993c7db9e7293c8c76e8f) in an incident at the end of January 2025, proving that AidLocker remains active in the wild. This sample has a TimeDateStamp of 2025-01-11T21:54:45, suggesting it was built shortly before deployment.
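The chronology above rests on the TimeDateStamp field of the PE COFF header. As an added example (not code from the article), the block below shows where that field lives and how to extract and order it across several samples. Since real samples cannot be embedded here, it builds minimal stub PE headers; only the 2025-01-11T21:54:45 build time comes from the article, and the other two stubs carry placeholder timestamps chosen for the example.

```python
import struct
from datetime import datetime, timezone


def build_stub_pe(timestamp: int) -> bytes:
    """Build a minimal MZ/PE header with the given COFF TimeDateStamp (constructed stub, not a real sample)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> offset of "PE\0\0"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_to_iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def order_by_build_time(samples):
    """samples: dict label -> PE bytes. Returns [(label, iso_timestamp)] oldest first."""
    rows = [(label, pe_timestamp(blob)) for label, blob in samples.items()]
    rows.sort(key=lambda r: r[1])
    return [(label, timestamp_to_iso(ts)) for label, ts in rows]


# Build time reported for the AidLocker sample from the Infoguard incident
AIDLOCKER_TS = int(datetime(2025, 1, 11, 21, 54, 45, tzinfo=timezone.utc).timestamp())

# Constructed stubs; the "placeholder" entries have invented timestamps
SAMPLES = {
    "AidLocker (Infoguard incident sample)": build_stub_pe(AIDLOCKER_TS),
    "placeholder-older": build_stub_pe(AIDLOCKER_TS - 30 * 86400),
    "placeholder-newer": build_stub_pe(AIDLOCKER_TS + 7 * 86400),
}

if __name__ == "__main__":
    for label, iso in order_by_build_time(SAMPLES):
        print(f"{iso}  {label}")
```

The field is written by the linker and is trivially editable, which is why the article qualifies its timeline with "assuming it wasn't manipulated"; in practice, corroborate it with first-seen dates from telemetry or incident data, as the Infoguard sighting does here.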
All the variations we see between the samples could equally be explained by the samples being different configurations produced by the same builder.