Sunday, April 27, 2025

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments


Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware, signaling its resurgence with attacks targeting Windows, Linux, and ESXi environments.

HelloKitty ransomware, initially appearing in October 2020 as a fork of DeathRansom, has evolved significantly in its encryption methods.

The ransomware now embeds an RSA-2048 public key, whose SHA-256 hash serves as a unique victim ID.

For each file, a 32-byte seed value derived from the CPU timestamp is used; Salsa20 is employed for the initial encryption step, followed by AES for encrypting the file contents.

Post-encryption, files receive an extension like CRYPTED, CRYPT, or KITTY, along with appended metadata for decryption, including an RSA-encrypted file size, a magic value, and the AES key.

Some variants utilize an NTRU public key, showcasing the ransomware’s adaptability in encryption techniques.

In terms of reach, HelloKitty has not only targeted more platforms but also expanded its geographical footprint.

Figure: HelloKitty infection

Initial samples from 2020 primarily focused on Windows operating systems.

However, by July 2021, the group had developed an encryptor for Linux and ESXi environments, showing its intent to broaden its attack surface.

Geographical Distribution and Attribution Ambiguity

The latest samples of HelloKitty have surfaced in various countries, notably from China, which stirs debate on the group’s origins.

While U.S. cybersecurity agencies have attributed its operations to Ukraine, several artifacts point towards a stronger Chinese influence, including the use of Chinese language in internal files, connections to Chinese IP addresses, and initial uploads of new samples from China.

According to the report, this blend of evidence suggests either a deliberate obfuscation of origins or a multinational operation.

For instance, one of the internal files contained references to Chinese services such as QQ and SkyCN, as well as Mandarin characters in filenames, while the leaked victim list contains no Chinese companies.

Additionally, a sample identified in 2024 was connected to a C2 server in a CHINANET IP range, address space that has historically been associated with Chinese cyber operations such as Evasive Panda.

TTPs Evolution: 2020 vs 2024

Analyzing the HelloKitty ransomware’s tactics, techniques, and procedures (TTPs) shows a marked evolution since its inception:

  • 2020 Samples: These primarily focused on basic operations like querying shadow volumes to knock out backups, process injections, WMI for persistence, and OS exhaustion flood. The infection chain involved disabling security services by terminating processes using TaskKill, and embedding a root certificate for stealth.
  • 2024 Samples: There is a noticeable shift towards more aggressive system reconnaissance, including querying registry, system info discovery, and location discovery. The group has refined its approach, removing certain steps like root certificate installation, possibly to evade modern endpoint security solutions, which have since become more adept at detecting such activities.
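A defender-side sketch of how the 2020-era chain just described (shadow-copy tampering plus TaskKill-based service termination) and the 2024-era host reconnaissance could be surfaced from process-creation telemetry. This is an added example, not code from the article or from the researchers' report; the rule patterns, hostnames, timestamps and event layout are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules keyed to the behaviours named above: shadow-copy tampering, forced
# process kills via TaskKill, and the host reconnaissance seen in 2024 samples.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("shadow_copy_enumeration", "low",
     re.compile(r"vssadmin(\.exe)?\s+list\s+shadows", re.I)),
    ("forced_process_kill", "medium",   # /F and /IM accepted in either order
     re.compile(r"taskkill(\.exe)?\b(?=.*\s/f\b)(?=.*\s/im\s+\S+)", re.I)),
    ("host_reconnaissance", "low",
     re.compile(r"^(systeminfo(\.exe)?|reg(\.exe)?\s+query\b)", re.I)),
]

def classify(cmdline):
    """Return the (rule, severity) pairs one process command line triggers."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmdline.strip())]

def correlate(events, window=timedelta(minutes=10), min_kills=2):
    """Per host, alert when a shadow-copy deletion lands within `window` of at
    least `min_kills` forced process kills: the 2020 infection chain in one view."""
    by_host = defaultdict(list)
    for ev in events:
        for name, _sev in classify(ev["cmdline"]):
            by_host[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, hits in by_host.items():
        for ts, name in hits:
            if name != "shadow_copy_deletion":
                continue
            kills = sum(1 for t, n in hits
                        if n == "forced_process_kill" and abs(t - ts) <= window)
            if kills >= min_kills:
                alerts[host] = "ransomware_precursor_chain"
    return alerts

# Constructed Sysmon-style process-creation events; hosts, times and process
# names are invented for this demo and do not come from any real incident.
T0 = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": T0,                        "cmdline": "systeminfo"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=1), "cmdline": "taskkill /F /IM backupagent.exe"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2), "cmdline": "taskkill /IM dbservice.exe /F"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=3), "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "ts": T0,                        "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "ts": T0 + timedelta(hours=2),   "cmdline": "taskkill /F /IM notepad.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS01, where the forced kills and the shadow-copy deletion fall inside the same ten-minute window; WS02's lone enumeration and an unrelated kill two hours later stay below the alert threshold.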

Victimology and Deployment by Threat Actors

HelloKitty’s victimology, despite not being as expansive as some other groups, has been notable.

The group has targeted a diverse set of victims, including:

  • CD PROJEKT: In February 2021, the group famously compromised the gaming studio CD Projekt Red in Poland, leveraging the encryption of game development files for ransom.
  • CEMIG Powerplant: In December 2020, the ransomware affected a Brazilian power plant, highlighting critical infrastructure as a target.
  • Healthcare Services: There have been incidents affecting healthcare providers in the UK and IT Services in France, showcasing a broad range in target sectors.

Additionally, HelloKitty ransomware has been deployed by various threat actors, including Vice Society affiliates, UNC2447, Lapsus$, and Yanluowang, indicating its popularity and adaptability in the ransomware-as-a-service (RaaS) ecosystem.

Figure: HelloKitty ransom note

Despite having no active dark web presence at present, the discovery of a new sample (MD5: a831d838a924ea135c3e0f315f73fcd3) uploaded from China, which lacks an onion link but shares code similarities with known ransomware, suggests that the group is recalibrating its operations.

With only an approximately 5% code match to the RingQ malware, the creators may be in the process of building new infrastructure, potentially gearing up for a more aggressive campaign.

The resurgence of HelloKitty, now equipped with sophisticated encryption, diverse targeting across different platforms, and an ambiguous geographical footprint, presents a formidable challenge for cybersecurity professionals.

The group’s evolution from its 2020 variant to the refined and more evasive 2024 version highlights the relentless innovation in cybercrime. As ransomware continues to evolve, so must the strategies employed to detect, respond to, and mitigate these advanced threats.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.