Targeted HelloKitty Ransomware Attack

SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red.

HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. For example, when processes are being killed a CMD window is spawned in the foreground for each instance, alerting users to unexpected behaviour.

After processes are killed, encryption takes place using either an AES-256 and RSA-2048 combination or AES-128 and NTRU. Either way, no weaknesses in the encryption are known, making decryption without a key impossible. The ransom notes specifically reference the victim or their environment, indicating its targeted nature.

Victims are directed to a support portal on TOR where they can pay a ransom in order to receive a decryption program and key. The portal address was not active at the time of publication of this article.

According to the SentinelOne report HelloKitty may be easier to spot than other modern ransomware families, but upon execution it is no less dangerous. There are currently no known ‘weaknesses’ in the encryption routines, and there are no thirdy-party decrypters available for the HelloKitty ransomware. Therefore, the only true defense is prevention. While this family does not appear to be actively leaking victim data at the moment, that could change at any point, in addition to them choosing to adopt some of the more recent extortion methods that go along with ransomware (DDoS).

Actors behind the more recent campaign(s) are reportedly attempting to auction the CD Projekt data off in various ‘underground’ forums. At present this sale of this data does appear to be legitimate. Time will tell if additional victim data is dealt with in the same way.

To protect yourself against HelloKitty, make sure you are armed with a modern Endpoint Security platform, which is configured correctly and up to date. The SentinelOne Singularity Platform is fully capable of preventing and detecting all malicious behaviours associated with the HelloKitty ransomware family.

IOCs

SHA1
fadd8d7c13a18c251ded1f645ffea18a37f1c2de

SHA256
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe

You can read the full report here – https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac705950f

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: