SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

References
2022-09-20vmwareDana Behling
@online{behling:20220920:threat:099a73a, author = {Dana Behling}, title = {{Threat Report: Illuminating Volume Shadow Deletion}}, date = {2022-09-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html}, language = {English}, urldate = {2022-09-26} } Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty
2022-09-06CISAUS-CERT, FBI, CISA, MS-ISAC
@online{uscert:20220906:alert:4058a6d, author = {US-CERT and FBI and CISA and MS-ISAC}, title = {{Alert (AA22-249A) #StopRansomware: Vice Society}}, date = {2022-09-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-249a}, language = {English}, urldate = {2022-09-16} } Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-01BushidoTokenBushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-04-25Medium proferosec-osmBrenton Morris
@online{morris:20220425:static:ae1f9c2, author = {Brenton Morris}, title = {{Static unpacker and decoder for Hello Kitty Packer}}, date = {2022-04-25}, organization = {Medium proferosec-osm}, url = {https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7}, language = {English}, urldate = {2022-04-29} } Static unpacker and decoder for Hello Kitty Packer
HelloKitty
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-03-21eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2021-11-02SpearTipChris Swagler
@online{swagler:20211102:fbi:6fe349f, author = {Chris Swagler}, title = {{FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal}}, date = {2021-11-02}, organization = {SpearTip}, url = {https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/}, language = {English}, urldate = {2021-11-03} } FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty
2021-10-28FBIFBI
@techreport{fbi:20211028:cu000154mw:086d032, author = {FBI}, title = {{CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware}}, date = {2021-10-28}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211029.pdf}, language = {English}, urldate = {2021-11-03} } CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-07-17Bleeping ComputerSergiu Gatlan
@online{gatlan:20210717:hellokitty:96a6fe5, author = {Sergiu Gatlan}, title = {{HelloKitty ransomware is targeting vulnerable SonicWall devices}}, date = {2021-07-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/}, language = {English}, urldate = {2021-07-20} } HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty
2021-06-28CrowdStrikeAlexandru Ghita
@online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty
2021-05-31DataBreaches.netDissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-04-29FireEyeTyler McLellan, Justin Moore, Raymond Leong
@online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2022-03-07} } UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty
2021-03-18MalwarebytesJovi Umawing
@online{umawing:20210318:hellokitty:1527547, author = {Jovi Umawing}, title = {{HelloKitty: When Cyberpunk met cy-purr-crime}}, date = {2021-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/}, language = {English}, urldate = {2021-03-19} } HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty
2021-03-08Sentinel LABSJim Walter
@online{walter:20210308:hellokitty:e063f92, author = {Jim Walter}, title = {{HelloKitty Ransomware Lacks Stealth, But Still Strikes Home}}, date = {2021-03-08}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/}, language = {English}, urldate = {2021-03-11} } HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty
2021-02-10Cado SecurityChristopher Doman
@online{doman:20210210:punk:dd2c142, author = {Christopher Doman}, title = {{Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks}}, date = {2021-02-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks}, language = {English}, urldate = {2021-02-17} } Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty
2021-02-09Twitter (@fwosar)Fabian Wosar
@online{wosar:20210209:cd:5b066a6, author = {Fabian Wosar}, title = {{Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group}}, date = {2021-02-09}, organization = {Twitter (@fwosar)}, url = {https://twitter.com/fwosar/status/1359167108727332868}, language = {English}, urldate = {2021-02-17} } Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty
2020-11-13ID RansomwareAndrew Ivanov
@online{ivanov:20201113:hellokitty:d65136d, author = {Andrew Ivanov}, title = {{HelloKitty Ransomware}}, date = {2020-11-13}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html}, language = {English}, urldate = {2021-02-10} } HelloKitty Ransomware
HelloKitty
Yara Rules
[TLP:WHITE] win_hellokitty_auto (20221125 | Detects win.hellokitty.)
rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b820010000 eb24 837d0800 7404 85f6 7406 837d0c00 }
            // n = 7, score = 100
            //   b820010000           | mov                 eax, 0x120
            //   eb24                 | jmp                 0x26
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7404                 | je                  6
            //   85f6                 | test                esi, esi
            //   7406                 | je                  8
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0

        $sequence_1 = { 03f0 8bd1 8bc1 c1ca0d c1c00a 03f7 }
            // n = 6, score = 100
            //   03f0                 | add                 esi, eax
            //   8bd1                 | mov                 edx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   c1ca0d               | ror                 edx, 0xd
            //   c1c00a               | rol                 eax, 0xa
            //   03f7                 | add                 esi, edi

        $sequence_2 = { 8bec 817d1000800200 8b4514 56 57 8bf9 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   817d1000800200       | cmp                 dword ptr [ebp + 0x10], 0x28000
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx

        $sequence_3 = { 0f1145ec e8???????? 8b4508 83c40c 89873c010000 8b4718 c78738010000a08a4000 }
            // n = 7, score = 100
            //   0f1145ec             | movups              xmmword ptr [ebp - 0x14], xmm0
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c40c               | add                 esp, 0xc
            //   89873c010000         | mov                 dword ptr [edi + 0x13c], eax
            //   8b4718               | mov                 eax, dword ptr [edi + 0x18]
            //   c78738010000a08a4000     | mov    dword ptr [edi + 0x138], 0x408aa0

        $sequence_4 = { d1c0 8945b4 8bc3 33c2 894df4 33c6 c1c105 }
            // n = 7, score = 100
            //   d1c0                 | rol                 eax, 1
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   8bc3                 | mov                 eax, ebx
            //   33c2                 | xor                 eax, edx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   33c6                 | xor                 eax, esi
            //   c1c105               | rol                 ecx, 5

        $sequence_5 = { 8945d8 8945dc 8945e0 394508 0f84f4030000 8b5d14 85db }
            // n = 7, score = 100
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   0f84f4030000         | je                  0x3fa
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]
            //   85db                 | test                ebx, ebx

        $sequence_6 = { 8b75f0 8bc7 c1c007 81c3dca9b05c c1c90b 33c8 8955a0 }
            // n = 7, score = 100
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   8bc7                 | mov                 eax, edi
            //   c1c007               | rol                 eax, 7
            //   81c3dca9b05c         | add                 ebx, 0x5cb0a9dc
            //   c1c90b               | ror                 ecx, 0xb
            //   33c8                 | xor                 ecx, eax
            //   8955a0               | mov                 dword ptr [ebp - 0x60], edx

        $sequence_7 = { ff75fc 51 8bce e8???????? 5f }
            // n = 5, score = 100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_8 = { e8???????? 59 56 68???????? 51 51 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   56                   | push                esi
            //   68????????           |                     
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { 88463d 8a464b 88463c 8a464c 88463b 8a464d 88463a }
            // n = 7, score = 100
            //   88463d               | mov                 byte ptr [esi + 0x3d], al
            //   8a464b               | mov                 al, byte ptr [esi + 0x4b]
            //   88463c               | mov                 byte ptr [esi + 0x3c], al
            //   8a464c               | mov                 al, byte ptr [esi + 0x4c]
            //   88463b               | mov                 byte ptr [esi + 0x3b], al
            //   8a464d               | mov                 al, byte ptr [esi + 0x4d]
            //   88463a               | mov                 byte ptr [esi + 0x3a], al

    condition:
        7 of them and filesize < 319488
}
Download all Yara Rules