HELLOKITTY — RESURFACED?
NOTE: This is a year-long research project in which I have spent a lot of time spotting and analyzing various samples of HelloKitty ransomware since its inception.
INTRODUCTION
VICTIMOLOGY
HELLOKITTY DOMAINS- IN CONNECTION WITH 3 ONIONS
HELLOKITTY INTERNALS
HELLOKITTY — 2020 BATCH
CHRISTMAS 2020 BATCH — HELLOKITTY AS FIVEHANDS
HELLOKITTY — 2024 BATCH
HELLOKITTY TTPs: 2020 vs 2024
HELLOKITTY — DEPLOYED BY VARIOUS THREAT ACTORS
ATTRIBUTION: UKRAINE OR CHINA?
2025: STILL RELEVANT?
CONCLUSION
INTRODUCTION
The HelloKitty ransomware family has existed since late 2020 (October). It is forked from the DeathRansom ransomware sample and is coded in C++. In some samples there is a strong presence of FiveHands ransomware code. It primarily targeted Windows environments, and later an encryptor for Linux ESXi hosts was developed, first observed in July 2021.
Upon infection, one of CRYPTED, CRYPT or KITTY is appended as an extension to each encrypted file on the victim's machine.
It is generally coded in Visual C++ and often uses UPX packing to compress the executable, which makes reversing harder.
Unlike other ransomware, HelloKitty does not put its name in the ransom note. The note opens by addressing the victim by name, like this:
NOTE: On February 9, 2021, the group infected the popular Game Studio CD Projekt Red from Poland.
The filenames most commonly used for HelloKitty samples are: file and ionline.exe.
To read the complete report, you can view it here:
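The indicators above (the CRYPTED/CRYPT/KITTY extensions, the file and ionline.exe filenames, and UPX packing) can be turned into a simple triage scan for a defender. This is an added example, not code from the report; the "UPX!"/"UPX0"/"UPX1" byte markers are a heuristic assumption for spotting UPX-packed PE files, and the sample files are constructed, not real malware.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
HELLOKITTY_EXTENSIONS = {".crypted", ".crypt", ".kitty"}
HELLOKITTY_FILENAMES = {"file", "ionline.exe"}
# Heuristic (assumption): UPX-packed PE files carry "UPX0"/"UPX1" section
# names and a "UPX!" marker near the start of the image.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def classify_path(path: Path) -> list:
    """Return the list of HelloKitty indicators matched by one file."""
    hits = []
    if path.suffix.lower() in HELLOKITTY_EXTENSIONS:
        hits.append("encrypted-extension")
    if path.name.lower() in HELLOKITTY_FILENAMES:
        hits.append("known-dropper-name")
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        head = b""
    # Only flag files that at least look like a PE image (MZ header).
    if head.startswith(b"MZ") and any(m in head for m in UPX_MARKERS):
        hits.append("upx-packed-pe")
    return hits


def scan_tree(root: str) -> dict:
    """Walk a directory; map each flagged path (relative to root) to its indicators."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = classify_path(p)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def demo() -> dict:
    """Constructed sample tree: a fake packed PE, an encrypted document, a clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "ionline.exe").write_bytes(b"MZ" + b"\x00" * 60 + b"UPX0" + b"\x00" * 100)
        (Path(tmp) / "report.docx.CRYPTED").write_bytes(b"not-really-encrypted")
        (Path(tmp) / "notes.txt").write_bytes(b"hello")
        return scan_tree(tmp)
```

Run `scan_tree()` against a share or workstation image to get a quick list of files worth pulling for deeper analysis.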