Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label HelloKitty. Show all posts
Ransomware group
Cyber Attacks Gookee ransomware HelloKitty HelloKitty ransomware Ransomware group

Threat Actor Release HelloKitty Ransomware Source Code on Hacking Forum

A threat actor recently posted the entire source code for the first version of the HelloKitty ransomware on Russian-language hacking forum, while claiming to be working on a new, more potent encryptor.

Security expert 3xp0rt initially noticed the leak when he saw threat actor kapuchin0 distributing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released by someone with the username kapuchino, the threat actor was also seen using the alias ‘Gookee.’

Gookee has previously been linked by security researchers with malware and hacking activity, where the threat actors were attempting to acquire access of Sony Network Japan in 2020. The attack was a Ransomware-as-a-Service (RaaS) operation, dubbed as ‘Gookee Ransomware,’ which was putting malware source code for sale on an underground forum.

According to 3cport, kapuchin0/Gookee is the developer of the HelloKitty ransomware, who claims to be developing, “a new product and much more interesting than Lockbit.”

The leaked hellokitty.zip archive include the HelloKitty encryptor and decryptor, as well as the NTRUEncrypt library that this variant of the ransomware utilizes to encrypt files, are built using a Microsoft Visual Studio solution.

Furthermore, ransomware expert Micheal Gillespie confirms that the leaks codes are in fact the real source code for HelloKitty, used initially when their ransomware operation launched in 2020.

What is HelloKitty Ransomware Operation?

HelloKitty is a human-operated ransomware operation that first came to light in November 2020 after its victims posted about it on the BleepingComputer forums. The FBI later released a PIN (private industry notification) on the group in January 2021. 

The ransomware group is known for conducting corporate network hacks, stealing data, and encrypting systems. In double-extortion machines, when threat actors promise to release data if a ransom is not paid, the encrypted files and stolen data are then used as leverage.

HelloKitty is known for a number of attacks and has been utilized by other ransomware operations. One of the most high-profile attack conducted by HelloKitty is the one on CD Product Red executed in February 2021. Threat actors claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games during this attack, which they said were sold later.  

Read more »
Security Experts
DDOS Attack Extortion Scheme HelloKitty malware Ransomware Security Experts

FBI: HelloKitty Ransomware Adds DDoS to Extortion Techniques

 

The FBI has released a flash notice to private industry partners, alerting them that the HelloKitty ransomware gang (also known as FiveHands) has incorporated distributed denial-of-service (DDoS) attacks into its toolbox of extortion techniques. 

The FBI claimed in a notice coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) that the ransomware group would use DDoS assaults to take down its victims' official websites if they didn't pay the ransom. 

HelloKitty is also notorious for collecting and encrypting sensitive data from victims' infected servers. Later, the stolen files are then used as leverage to compel the victims to pay the ransom under the fear of the stolen material being leaked publicly on a data leak site. 

The FBI stated, "In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site payload.bin) or sell it to a third-party data broker." 

To breach the targets' networks, the group's ransomware operators would utilize a variety of tactics, including compromised credentials and newly fixed security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). 

About HelloKitty 

HelloKity is a ransomware operation created by people operating since November 2020 and was first discovered by the FBI in January 2021. The group is well known for breaking into and encrypting CD Projekt Red's networks and claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games in February. 

The ransomware gang has also been seen utilizing a Linux version that targets VMware's ESXi virtual machine infrastructure since at least July 2021. They're just one of several ransomware gangs targeting Linux systems after enterprises switched to virtual machines for more effective resource use and easier device management. Ransomware operators may now encrypt numerous servers concurrently with a single order by targeting their virtual machines, saving time and effort. 

HelloKitty rapidly expanded its activity in July and August, shortly after commencing to use the Linux variant in assaults, as per submissions made by their victims on the ID Ransomware site. The HelloKitty ransomware, or versions of it, has also gone by the names DeathRansom and Fivehands. 

In its advisory, the FBI also included an extensive list of indications of compromise (IOCs) to assist cybersecurity experts and system administrators in preventing attacks organized by the HelloKitty ransomware.
Read more »
Subscribe to: Posts (Atom)