The complete source code for the first version of the HelloKitty ransomware has been leaked on a Russian-language hacking forum. The person who posted it says they are working on a new, more powerful encryptor.
An actor using the handle ‘kapuchin0’ released what they described as the “first branch” of the HelloKitty encryptor. The researcher 3xp0rt, who first drew attention to the leak, told BleepingComputer that the same actor also goes by the name ‘Gookee.’
Gookee has a history of malware and cybercrime activity: in 2020 he tried to sell access to Sony Network Japan, he is believed to be linked to a Ransomware-as-a-Service operation called ‘Gookee Ransomware,’ and he has previously offered malware source code for sale on a hacking forum.
3xp0rt believes that kapuchin0, or Gookee, is the author of the HelloKitty ransomware. The actor has also stated, “A new and more captivating product than Lockbit is in the works.”
The leaked archive, hellokitty.zip, contains a Microsoft Visual Studio solution that builds both the HelloKitty encryptor and the decryptor. This version of the ransomware uses the NTRUEncrypt library for file encryption.
Michael Gillespie, a well-known ransomware expert, confirmed to BleepingComputer that the leaked code is the genuine HelloKitty source code that was in use when the operation launched in 2020.
Releasing source code like this can aid security research, but it also carries risks. When the source code of the HiddenTear and Babuk ransomware families became public, threat actors quickly repurposed it to launch their own extortion operations, and many ransomware campaigns still use the Babuk code as the basis for their encryptors.
HelloKitty is a human-operated ransomware operation that launched in November 2020, first coming to public attention when a victim described an attack on the BleepingComputer forums. In January 2021 the FBI issued a PIN (Private Industry Notification) about the group. The operation typically breaches corporate networks, steals data, and encrypts systems, then uses both the encrypted systems and the stolen data as leverage, threatening to publish the data unless a ransom is paid.
HelloKitty became known for a series of attacks, including a high-profile breach of CD Projekt Red in February 2021, after which the attackers reportedly stole and later sold the source code of games such as Cyberpunk 2077, Witcher 3, and Gwent. By summer 2021, the group had added a Linux variant targeting the VMware ESXi virtual machine platform.
Several variants of the HelloKitty ransomware have been observed under other names, including DeathRansom, Fivehands, and possibly Abyss Locker.
To help security professionals and system administrators, the FBI published a detailed list of indicators of compromise (IOCs) for the HelloKitty group in a 2021 advisory warning of attacks by the group. Because the encryptor has continued to evolve since then, those IOCs may no longer be fully relevant.