HelloKitty

Description

HelloKitty is a ransomware family first observed in November 2020 and named after a string found in its binary. It is human-operated, big-game hunting ransomware: operators deploy it manually after intruding into a network and performing reconnaissance. HelloKitty uses a double-extortion model, encrypting files and threatening to leak stolen data on a Tor-based site. The malware encrypts files with AES-256 in CBC mode and protects the AES keys with RSA-2048, appending extensions such as .crypted or campaign-specific suffixes. Initial access typically comes via compromised RDP credentials, phishing, or exploitation of known vulnerabilities. The group gained notoriety in February 2021 after attacking CD Projekt Red, the developer of The Witcher and Cyberpunk 2077, and stealing source code for several games. Subsequent variants have targeted both Windows and Linux systems, including ESXi servers.

External Analysis
https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group
https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html
https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html
https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/
https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html
https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html
https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/
https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7
https://twitter.com/fwosar/status/1359167108727332868
https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/
https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks
https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/
https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
https://www.ic3.gov/Media/News/2021/211029.pdf
https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/
Urls
http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion
Chat servers
http://gunyhng6pabzcurl7ipx2pbmjxpvqnu6mxf2h3vdeenam34inj4ndryd.onion/