Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label HelloKitty. Show all posts

Revived Ransomware HelloKitty Returns with Rebranding, Leaks CD Projekt and Cisco Data

 

HelloKitty, a notorious ransomware that became defunct in late 2023 after its developer leaked both the builder and source code on a hacker forum, has resurfaced under a new name and a fresh data leak website. According to reports from BleepingComputer, the ransomware and its associated dark web portal have been rebranded as HelloGookie, likely in reference to the developer and operator, Gookee/kapuchin0, who was behind the original HelloKitty ransomware.

Originally created and maintained by a hacker known as Guki, HelloKitty was infamous for its targeting of large organizations and corporations since its establishment in late 2020. One of its notable breaches occurred in February the following year when it infiltrated CD Projekt Red, a renowned Polish game studio famous for titles like the Witcher series and Cyberpunk 2077. 

The Witcher series alone has sold over 50 million copies globally, while Cyberpunk 2077 boasts approximately 25 million sales. Both games, being open-world RPGs, have garnered numerous accolades, with Witcher 3 often hailed as one of the greatest RPGs ever developed.

During the attack on CD Projekt Red, HelloKitty pilfered about 450GB of uncompressed source code, which included files for an unreleased version of Witcher 3 purportedly featuring ray tracing, a cutting-edge rendering technique that simulates realistic lighting effects in computer graphics. 

This technique was eventually integrated into Witcher 3 via a 2022 update. In a bid to mark its resurgence, the operator of the ransomware released the pilfered data from the CD Projekt Red breach, along with data acquired from a 2022 attack on Cisco. Additionally, four private decryption keys were made public to facilitate the unlocking of files encrypted by HelloKitty.

As of now, there have been no new data leaks on the HelloGookie website, nor any indication of ongoing attacks. HelloKitty once held a significant position in the ransomware landscape, and it remains to be seen whether HelloGookie will achieve similar levels of success as its predecessor.

Threat Actor Release HelloKitty Ransomware Source Code on Hacking Forum

A threat actor recently posted the entire source code for the first version of the HelloKitty ransomware on Russian-language hacking forum, while claiming to be working on a new, more potent encryptor.

Security expert 3xp0rt initially noticed the leak when he saw threat actor kapuchin0 distributing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released by someone with the username kapuchino, the threat actor was also seen using the alias ‘Gookee.’

Gookee has previously been linked by security researchers with malware and hacking activity, where the threat actors were attempting to acquire access of Sony Network Japan in 2020. The attack was a Ransomware-as-a-Service (RaaS) operation, dubbed as ‘Gookee Ransomware,’ which was putting malware source code for sale on an underground forum.

According to 3cport, kapuchin0/Gookee is the developer of the HelloKitty ransomware, who claims to be developing, “a new product and much more interesting than Lockbit.”

The leaked hellokitty.zip archive include the HelloKitty encryptor and decryptor, as well as the NTRUEncrypt library that this variant of the ransomware utilizes to encrypt files, are built using a Microsoft Visual Studio solution.

Furthermore, ransomware expert Micheal Gillespie confirms that the leaks codes are in fact the real source code for HelloKitty, used initially when their ransomware operation launched in 2020.

What is HelloKitty Ransomware Operation?

HelloKitty is a human-operated ransomware operation that first came to light in November 2020 after its victims posted about it on the BleepingComputer forums. The FBI later released a PIN (private industry notification) on the group in January 2021. 

The ransomware group is known for conducting corporate network hacks, stealing data, and encrypting systems. In double-extortion machines, when threat actors promise to release data if a ransom is not paid, the encrypted files and stolen data are then used as leverage.

HelloKitty is known for a number of attacks and has been utilized by other ransomware operations. One of the most high-profile attack conducted by HelloKitty is the one on CD Product Red executed in February 2021. Threat actors claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games during this attack, which they said were sold later.  

FBI: HelloKitty Ransomware Adds DDoS to Extortion Techniques

 

The FBI has released a flash notice to private industry partners, alerting them that the HelloKitty ransomware gang (also known as FiveHands) has incorporated distributed denial-of-service (DDoS) attacks into its toolbox of extortion techniques. 

The FBI claimed in a notice coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) that the ransomware group would use DDoS assaults to take down its victims' official websites if they didn't pay the ransom. 

HelloKitty is also notorious for collecting and encrypting sensitive data from victims' infected servers. Later, the stolen files are then used as leverage to compel the victims to pay the ransom under the fear of the stolen material being leaked publicly on a data leak site. 

The FBI stated, "In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site payload.bin) or sell it to a third-party data broker." 

To breach the targets' networks, the group's ransomware operators would utilize a variety of tactics, including compromised credentials and newly fixed security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). 

About HelloKitty 

HelloKity is a ransomware operation created by people operating since November 2020 and was first discovered by the FBI in January 2021. The group is well known for breaking into and encrypting CD Projekt Red's networks and claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games in February. 

The ransomware gang has also been seen utilizing a Linux version that targets VMware's ESXi virtual machine infrastructure since at least July 2021. They're just one of several ransomware gangs targeting Linux systems after enterprises switched to virtual machines for more effective resource use and easier device management. Ransomware operators may now encrypt numerous servers concurrently with a single order by targeting their virtual machines, saving time and effort. 

HelloKitty rapidly expanded its activity in July and August, shortly after commencing to use the Linux variant in assaults, as per submissions made by their victims on the ID Ransomware site. The HelloKitty ransomware, or versions of it, has also gone by the names DeathRansom and Fivehands. 

In its advisory, the FBI also included an extensive list of indications of compromise (IOCs) to assist cybersecurity experts and system administrators in preventing attacks organized by the HelloKitty ransomware.