CyberSecurity SEE

HelloKitty Ransomware Makes a Comeback, Targeting Windows, Linux, and ESXi Systems

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware, signaling its resurgence with attacks targeting Windows, Linux, and ESXi environments. The ransomware, originally emerging in October 2020 as a fork of DeathRansom, has evolved significantly in its encryption methods.

The latest discovery reveals that the ransomware now employs an RSA-2048 public key, hashed with SHA256 to serve as a unique victim ID. For each file, the ransomware derives a 32-byte seed value from the CPU timestamp, using Salsa20 for initial encryption and AES for file encryption. After encryption, files receive extensions such as CRYPTED, CRYPT, or KITTY, along with appended metadata needed for decryption, including an RSA-encrypted file size, a magic value, and the AES key. Some variants of HelloKitty even implement an NTRU public key, showcasing the ransomware’s adaptability in encryption techniques.

HelloKitty has not only targeted more platforms but has also expanded its geographical reach. Initial samples from 2020 primarily focused on Windows operating systems. However, by July 2021, the group had developed an encryptor for Linux ESXi environments, demonstrating their intention to broaden their attack vectors.

The latest samples of HelloKitty have surfaced in various countries, with a notable presence from China, leading to debates about the group’s origins. While U.S. cybersecurity agencies attribute its operations to Ukraine, several clues point towards a stronger Chinese influence. These clues include the use of the Chinese language in internal files, connections to Chinese IP addresses, and the initial uploads of new samples from China. This blend of evidence suggests either a deliberate obfuscation of origins or a multinational operation.

An analysis of the evolution of HelloKitty ransomware’s tactics, techniques, and procedures (TTPs) shows a marked shift from 2020 to 2024. The earlier samples primarily focused on basic operations, while the latest samples move significantly towards more aggressive system reconnaissance. The approach has been refined, possibly to evade modern endpoint security solutions.

HelloKitty has targeted a diverse set of victims, including prominent entities like CD PROJEKT, CEMIG Powerplant, and various healthcare services. Furthermore, the ransomware has been deployed by different threat actors, indicating its popularity and adaptability in the ransomware-as-a-service (RaaS) ecosystem.

Despite having no active dark web presence at present, a new sample uploaded from China suggests that the group is recalibrating its operations. With a roughly 5% match with RingQ malware, the creators might be gearing up for a more aggressive campaign.

The resurgence of HelloKitty ransomware, equipped with sophisticated encryption, diverse targeting, and an ambiguous geographical footprint, poses a significant challenge for cybersecurity professionals. As the ransomware landscape continues to evolve, so must the strategies employed to detect, respond to, and mitigate these advanced threats. The group’s evolution from its 2020 variant to the refined 2024 version underscores the need for continuous innovation in cybersecurity defenses.