SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red.
HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. For example, as it kills processes it spawns a CMD window in the foreground for each one, alerting users to the unexpected behaviour.
After processes are killed, encryption takes place using either an AES-256 and RSA-2048 combination or AES-128 and NTRU. Either way, no weaknesses in the encryption are known, making decryption without a key impossible. The ransom notes specifically reference the victim or their environment, indicating its targeted nature.
Victims are directed to a support portal on TOR where they can pay a ransom in order to receive a decryption program and key. The portal address was not active at the time of publication of this article.
According to the SentinelOne report, HelloKitty may be easier to spot than other modern ransomware families, but upon execution it is no less dangerous. There are currently no known ‘weaknesses’ in the encryption routines, and there are no third-party decrypters available for the HelloKitty ransomware. Therefore, the only true defense is prevention. While this family does not appear to be actively leaking victim data at the moment, that could change at any point, and the actors could also adopt some of the more recent extortion methods that accompany ransomware (such as DDoS).
Actors behind the more recent campaign(s) are reportedly attempting to auction the CD Projekt data off in various ‘underground’ forums. At present, the sale of this data does appear to be legitimate. Time will tell if additional victim data is dealt with in the same way.
To protect yourself against HelloKitty, make sure you are armed with a modern endpoint security platform that is correctly configured and up to date. The SentinelOne Singularity Platform is fully capable of preventing and detecting all malicious behaviours associated with the HelloKitty ransomware family.
You can read the full report here – https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac705950f