Morpheus ransomware recovery team on standby
Morpheus emerged in December 2024 as a data-exfiltration-focused threat actor deploying a lightweight encryptor against VMware ESXi hosts, with early targets concentrated in the pharmaceutical and logistics sectors. Isolate all affected systems and contact UnderDefense immediately — do not attempt recovery or negotiation without expert guidance.
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Morpheus attack can make a huge difference and help you make a full recovery. Request 24/7 Morpheus ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Morpheus victims exhibit specific IOCs including compromised credentials, network reconnaissance artifacts, and lateral movement via legitimate administrative tools. Encrypted file artifacts show unusual characteristics—files maintain original extensions while contents are encrypted, making detection less obvious than traditional ransomware. Watch for data staging in temporary directories, bulk exports to external drives, and connections to Tor-based leak sites.
Morpheus uses the Windows Cryptographic API (CryptoAPI) with BCrypt for key generation and file encryption. Files are encrypted with a ChaCha-based cipher in a way that preserves file metadata and extensions, so visual inspection of a directory is unreliable for detection.
Morpheus operates as a hybrid threat: files are encrypted to disrupt operations, but primary revenue comes from data exfiltration and double-extortion threats. The group leverages a RaaS model, offering affiliate opportunities for initial access brokers. Morpheus claims victims on a dedicated Tor-based data leak site.
The group uses dual pressure: encrypted systems force operational disruption while stolen data threats compel payment. Ransom notes guide victims to Tor sites where they can verify data theft and initiate negotiation. Demands typically escalate based on perceived victim financial capacity.
Primary focus on VMware ESXi hypervisors running virtual machine environments, particularly in European manufacturing and pharmaceutical sectors. Windows systems are targeted secondarily. The group appears to favor large organizations with significant operational dependency on virtualized infrastructure.
Morpheus deploys ransom notes titled "README_MORPHEUS.txt" or "MORPHEUS_DECRYPTION.txt" containing victim-specific payment instructions and Tor onion site URLs for negotiation. Notes emphasize data theft alongside encryption, increasing victim pressure to pay.
No public decryption tool is available for Morpheus. The malware uses strong cryptographic key exchange (asymmetric encryption via private keys held exclusively by attackers). Recovery requires either paying for a decryption key (not guaranteed to work) or restoring from backups.
Specific indicators include compromised accounts with unusual Tor traffic, BCrypt key generation artifacts, file encryption activity on ESXi hosts, and data staging in temporary locations prior to exfiltration.
File Extensions
Files maintain original extensions post-encryption; content is encrypted but filenames unchanged. This unusual behavior differentiates Morpheus from most ransomware variants.
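Because the extension survives encryption, a directory listing tells you nothing; the bytes have to be checked. The following Python check is an added example (not from this page or UnderDefense): it compares a file's leading bytes against the format its extension promises and measures byte entropy, flagging files that fail the signature check and look like ciphertext. The signature table and the sample files are constructed assumptions.

```python
import math
import os
from collections import Counter

# Small leading-byte signature table (an assumption for illustration; a real
# scanner would use libmagic or a fuller list). VMDK sparse extents start with
# "KDMV"; ESXi descriptor files are text starting "# Disk DescriptorFile".
MAGIC = {
    ".pdf": [b"%PDF"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".png": [b"\x89PNG"],
    ".vmdk": [b"KDMV", b"# Disk DescriptorFile"],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means uniformly random, typical of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_file(name: str, data: bytes, threshold: float = 7.5) -> dict:
    """Flag a file whose extension promises one format but whose bytes look like ciphertext."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    # None = extension not in the table (reported for triage, never flagged on its own)
    magic_ok = None if expected is None else any(data.startswith(m) for m in expected)
    entropy = shannon_entropy(data[:65536])  # the head of the file is enough to decide
    return {
        "file": name,
        "magic_ok": magic_ok,
        "entropy": round(entropy, 2),
        "suspicious": magic_ok is False and entropy >= threshold,
    }

def suspicious_files(files: dict) -> list:
    """Return the names of files that fail the signature check with ciphertext-like entropy."""
    return [n for n, d in files.items() if assess_file(n, d)["suspicious"]]

# Constructed samples: an intact PDF-like file, a VMDK descriptor, and a "PDF"
# whose contents were replaced with random bytes (stands in for ciphertext).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "db01.vmdk": b"# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n",
    "invoice.pdf": os.urandom(4096),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess_file(name, data))
    print("suspicious:", suspicious_files(SAMPLES))
```

Compressed formats (docx, png) are high-entropy by design, which is why the signature check is the primary signal and entropy only confirms it.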
Ransom Note Filenames
README_MORPHEUS.txt, MORPHEUS_DECRYPTION.txt, or MORPHEUS_NOTICE.txt appearing in encrypted directories and ESXi datastores.
Morpheus Hashes
Samples analyzed by researchers share code patterns with HellCat ransomware, suggesting potential code sharing between threat actors or affiliated development teams. Specific hash tracking requires binary analysis.
Morpheus Tools
Legitimate administrative tools: vSphere Client, ESXi CLI (esxcli), PowerShell, Cobalt Strike, Metasploit, data exfiltration utilities. Custom components include modified encryption routines derived from shared codebases with HellCat.
Most Common Red Flag (Commands)
ESXi host commands: esxcli vm process list, esxcli vm process kill, esxcli storage filesystem list; PowerShell commands: Get-Process, Stop-Process, Get-ChildItem on datastore mounts; evidence of bulk data exports to external staging areas.
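The esxcli commands listed above are recorded in the ESXi shell audit log, so they can be alerted on. The Python below is an added example (not from this page or UnderDefense): it parses constructed /var/log/shell.log-style lines, flags the listed commands, and escalates a burst of forced VM kills, which is the step that precedes datastore encryption. The log line format, the sample lines, and the burst threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of ESXi shell.log lines (assumed format:
# timestamp, shell[pid], [user], command). Not a real capture.
SAMPLE_LOG = """\
2025-01-14T02:11:05Z shell[21400]: [root]: esxcli storage filesystem list
2025-01-14T02:11:40Z shell[21400]: [root]: esxcli vm process list
2025-01-14T02:12:01Z shell[21400]: [root]: esxcli vm process kill --type=force --world-id=2100241
2025-01-14T02:12:03Z shell[21400]: [root]: esxcli vm process kill --type=force --world-id=2100318
2025-01-14T02:12:06Z shell[21400]: [root]: esxcli vm process kill --type=force --world-id=2100402
2025-01-14T09:30:12Z shell[21877]: [admin]: esxcli system version get
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Commands the page lists as red flags, each with a severity (severities are an assumption).
WATCHLIST = {
    "esxcli vm process kill": "high",
    "esxcli vm process list": "medium",
    "esxcli storage filesystem list": "medium",
}

def parse_shell_log(text: str) -> list:
    """Return (timestamp, user, command) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["cmd"]))
    return events

def detect(events: list, kill_burst: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """One alert per watchlisted command, plus one critical alert if VM kills cluster in time."""
    alerts, kills = [], []
    for ts, user, cmd in events:
        for prefix, severity in WATCHLIST.items():
            if cmd.startswith(prefix):
                alerts.append({"time": ts.isoformat(), "user": user, "severity": severity, "cmd": cmd})
                if prefix == "esxcli vm process kill":
                    kills.append(ts)
    kills.sort()
    # Several forced kills inside a short window is the pre-encryption pattern, not routine admin work.
    for i in range(len(kills) - kill_burst + 1):
        if kills[i + kill_burst - 1] - kills[i] <= window:
            alerts.append({"time": kills[i].isoformat(), "user": None, "severity": "critical",
                           "cmd": f"{kill_burst}+ forced VM kills within {window}"})
            break
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_shell_log(SAMPLE_LOG)):
        print(alert)
```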
| Attack vector | % of Morpheus incidents | Notes |
| --- | --- | --- |
| VMware Credential Compromise | 40% | Weak vSphere admin credentials or stolen access tokens |
| Phishing & Initial Access Brokers | 35% | Third-party attackers selling network access |
| Unpatched ESXi Vulnerabilities | 15% | CVE-2021-21974, CVE-2021-21985 exploitation |
| Supply Chain/Third-Party Access | 10% | Compromised partner vendor accounts |
Arrotex Pharmaceuticals (Australia) paid undisclosed ransom after data theft confirmed. PUS GmbH (Germany) engaged law enforcement, leading to prolonged negotiation and eventual settlement at reduced amount. European manufacturing firms targeted in Q1 2025 reported 3–8 week recovery timelines following restoration from backups.
Immediately isolate affected ESXi hosts from the network and power down virtual machines to halt encryption. Preserve forensic evidence of encryption activity and credential compromise. Reset all vSphere admin credentials and service accounts. Restore ESXi configurations and virtual machine files from verified clean backups predating the infection. Implement enhanced monitoring on ESXi host access and file modification activities.
Restore all encrypted virtual machines from clean backup snapshots. Verify backup integrity before restoration to confirm backups were not compromised. Rebuild user credentials and implement multi-factor authentication on all vSphere access. Deploy enhanced SIEM alerting for ESXi command execution and mass file encryption activity. Implement network segmentation to restrict ESXi host access to authorized administrators only. Consider deploying immutable backup solutions to prevent future encryption of recovery points.
Morpheus demands range from 5 BTC to 32 BTC (~$250K to $3M USD). Pharmaceutical and manufacturing firms face higher demands due to operational criticality and perceived ability to pay. Negotiated settlements have reduced initial demands by 40–60%.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Morpheus is an emerging ransomware operation that combines file encryption with data exfiltration for double-extortion leverage. Active since December 2024, the group targets large enterprises with sophisticated infrastructure, particularly those running VMware ESXi virtualization. Technical analysis reveals code patterns shared with HellCat ransomware, suggesting potential collaboration or shared development resources. The group operates a RaaS model with affiliate programs and maintains a dedicated Tor-based leak site for victim shaming and data sale threats.
The Morpheus gang’s geographic origin is unconfirmed but operational patterns suggest Eastern European or Russian-speaking operators. Language in ransom notes and affiliate recruitment materials uses Russian terminology. The group collaborates with Initial Access Brokers (IABs) across multiple regions, indicating a distributed operational structure with members potentially across Eastern Europe, Russia, and adjacent regions.
Morpheus attacks proceed in stages:
– Initial access via phishing, credential theft, or IAB-purchased network access.
– Lateral movement through victim networks using compromised credentials and legitimate administrative tools (Cobalt Strike, PowerShell remoting).
– Reconnaissance of critical systems, particularly VMware ESXi hosts.
– Data exfiltration to attacker-controlled staging servers or cloud storage.
– Encryption of critical files and virtual machine datastores using CryptoAPI with BCrypt key generation.
– Ransom note deployment and victim notification via Tor site.
Threats combine encryption disruption with data leak threats for maximum pressure.
Morpheus campaigns typically span 2–4 weeks from initial access to data exfiltration and encryption deployment. The group conducts thorough reconnaissance to identify ESXi infrastructure and critical data repositories. Encryption phase usually completes within 24–72 hours once lateral movement is established. Negotiation phase begins immediately upon victim discovery of ransom notes.
No public decryption tools exist for Morpheus. The malware uses strong asymmetric encryption with private keys retained exclusively by the threat actor. Decryption requires either paying the ransom (no guarantee of receipt) or restoring from clean backup copies. Some victims reported that paid ransom keys either failed to decrypt files or decrypted only partial data, suggesting potential deliberate key manipulation.
Payment does not guarantee complete decryption or data deletion. The group provides decryption keys for verified transactions, but key implementation failures have been reported. Leaked data may still be sold or published, particularly if negotiations fail. Payment increases likelihood of future targeting of the same organization and demonstrates financial capability to the threat actor ecosystem.
Implement multi-factor authentication on all vSphere and administrative accounts. Deploy EDR/XDR solutions on all systems with visibility into ESXi command execution. Segment VMware infrastructure to restrict host access to authorized administrators. Enforce strong credential policies and conduct regular credential audits. Implement data loss prevention (DLP) tools to monitor for bulk data exfiltration from critical systems. Maintain immutable backup copies separate from production infrastructure. Patch ESXi systems regularly against known CVEs (particularly CVE-2021-21974, CVE-2021-21985).
– Audit all VMware vSphere admin accounts and reset credentials
– Deploy multi-factor authentication on all hypervisor access
– Enable ESXi host logging and SIEM integration
– Monitor for suspicious esxcli and vSphere CLI commands
– Verify backup integrity and test restoration procedures
– Segment ESXi infrastructure from general network
– Implement data loss prevention on critical file repositories
– Engage incident response and cyber insurance immediately upon detection
Morpheus shows strong preference for manufacturing, pharmaceutical, and healthcare organizations in Europe. The focus on VMware ESXi suggests targeting of enterprises with significant virtualized infrastructure. Organizations running large virtual machine environments are at elevated risk regardless of vertical, as Morpheus prioritizes operational criticality and recovery costs over sector-specific targeting.
If you suspect Morpheus intrusion: immediately isolate affected ESXi hosts from the network without powering down running virtual machines (data preservation). Preserve all forensic evidence including logs, memory dumps, and network traffic. Contact incident response, law enforcement (FBI/CISA), and cyber insurance provider. Reset all administrative credentials and service accounts. Assess backup integrity and begin restoration planning. Do not pay ransom without law enforcement and insurance consultation. Implement enhanced monitoring to detect ongoing data exfiltration.