win.hellokitty

HelloKitty

aka: KittyCrypt

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020 and primarily targets Windows systems. The family takes its name from the mutex it creates, HelloKittyMutex. Samples evolve quickly and frequently, with different versions appending the .crypted or .kitty extension to encrypted files. Some newer samples use a Golang packer that ensures the final ransomware code is loaded only in memory, most likely to evade detection by security solutions.

References
2023-02-14 | Intrinsec | Intrinsec, CTI Intrinsec: "Vice-Society spreads its own ransomware". https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/ (accessed 2023-02-15)
Families: HelloKitty, PolyVice, Zeppelin

2023-01-04 | cocomelonc: "Malware development tricks: part 26. Mutex. C++ example." https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html (accessed 2023-01-10)
Families: AsyncRAT, Conti, HelloKitty

2022-09-20 | vmware | Dana Behling: "Threat Report: Illuminating Volume Shadow Deletion". https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html (accessed 2022-09-26)
Families: Conti, HelloKitty

2022-09-06 | CISA | US-CERT, FBI, CISA, MS-ISAC: "Alert (AA22-249A) #StopRansomware: Vice Society". https://www.cisa.gov/uscert/ncas/alerts/aa22-249a (accessed 2022-09-16)
Families: Cobalt Strike, Empire Downloader, FiveHands, HelloKitty, SystemBC, Zeppelin

2022-05-20 | AdvIntel | Yelisey Boguslavskiy, Vitali Kremez, Marley Smith: "DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape". https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape (accessed 2022-05-25)
Families: AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC): "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself". https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself (accessed 2022-05-17)
Families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-05-01 | BushidoToken | BushidoToken: "Gamer Cheater Hacker Spy". https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html (accessed 2022-05-03)
Families: Egregor, HelloKitty, NetfilterRootkit, RagnarLocker, Winnti

2022-04-25 | Medium proferosec-osm | Brenton Morris: "Static unpacker and decoder for Hello Kitty Packer". https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7 (accessed 2022-04-29)
Families: HelloKitty

2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy: "Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group". https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group (accessed 2022-05-17)
Families: AvosLocker, BazarBackdoor, BlackByte, BlackCat, Cobalt Strike, HelloKitty, Hive

2022-03-21 | eSentire | eSentire Threat Response Unit (TRU): "Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered". https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire (accessed 2022-05-23)
Families: HelloKitty, BazarBackdoor, Cobalt Strike, Conti, FiveHands, HelloKitty, IcedID

2021-11-02 | SpearTip | Chris Swagler: "FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal". https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/ (accessed 2021-11-03)
Families: HelloKitty

2021-10-28 | FBI | FBI (technical report): "CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware". https://www.ic3.gov/Media/News/2021/211029.pdf (accessed 2021-11-03)
Families: HelloKitty

2021-08-24 | Palo Alto Networks Unit 42 | Ruchna Nigam, Doel Santos: "Ransomware Groups to Watch: Emerging Threats". https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ (accessed 2021-08-24)
Families: HelloKitty, AvosLocker, HelloKitty, Hive, LockBit

2021-07-17 | Bleeping Computer | Sergiu Gatlan: "HelloKitty ransomware is targeting vulnerable SonicWall devices". https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/ (accessed 2021-07-20)
Families: HelloKitty

2021-06-28 | CrowdStrike | Alexandru Ghita: "New Ransomware Variant Uses Golang Packer". https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/ (accessed 2021-06-29)
Families: FiveHands, HelloKitty

2021-05-31 | DataBreaches.net | Dissent: "Babuk re-organizes as Payload Bin, offers its first leak". https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/ (accessed 2021-06-04)
Families: Babuk, HelloKitty

2021-04-29 | FireEye | Tyler McLellan, Justin Moore, Raymond Leong: "UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat". https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html (accessed 2022-03-07)
Families: Cobalt Strike, FiveHands, HelloKitty

2021-03-18 | Malwarebytes | Jovi Umawing: "HelloKitty: When Cyberpunk met cy-purr-crime". https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/ (accessed 2021-03-19)
Families: HelloKitty

2021-03-08 | Sentinel LABS | Jim Walter: "HelloKitty Ransomware Lacks Stealth, But Still Strikes Home". https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ (accessed 2021-03-11)
Families: HelloKitty

2021-02-10 | Cado Security | Christopher Doman: "Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks". https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks (accessed 2021-02-17)
Families: HelloKitty

2021-02-09 | Twitter (@fwosar) | Fabian Wosar: "Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group". https://twitter.com/fwosar/status/1359167108727332868 (accessed 2021-02-17)
Families: HelloKitty

2020-11-13 | ID Ransomware | Andrew Ivanov: "HelloKitty Ransomware". https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html (accessed 2021-02-10)
Families: HelloKitty
Yara Rules
[TLP:WHITE] win_hellokitty_auto (20230125 | Detects win.hellokitty.)
rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0bc1 8b4dd4 03c6 8b75b0 03c2 8bd1 8945dc }
            // n = 7, score = 100
            //   0bc1                 | or                  eax, ecx
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   03c6                 | add                 eax, esi
            //   8b75b0               | mov                 esi, dword ptr [ebp - 0x50]
            //   03c2                 | add                 eax, edx
            //   8bd1                 | mov                 edx, ecx
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_1 = { 894df8 894518 6a05 5a 47 81c6ffff0000 663bc2 }
            // n = 7, score = 100
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   894518               | mov                 dword ptr [ebp + 0x18], eax
            //   6a05                 | push                5
            //   5a                   | pop                 edx
            //   47                   | inc                 edi
            //   81c6ffff0000         | add                 esi, 0xffff
            //   663bc2               | cmp                 ax, dx

        $sequence_2 = { 8bc3 c1c007 33c8 895584 8bc3 8b5df0 8bf3 }
            // n = 7, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   c1c007               | rol                 eax, 7
            //   33c8                 | xor                 ecx, eax
            //   895584               | mov                 dword ptr [ebp - 0x7c], edx
            //   8bc3                 | mov                 eax, ebx
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   8bf3                 | mov                 esi, ebx

        $sequence_3 = { 8bc3 234de0 23fb c1c802 0bf9 }
            // n = 5, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   234de0               | and                 ecx, dword ptr [ebp - 0x20]
            //   23fb                 | and                 edi, ebx
            //   c1c802               | ror                 eax, 2
            //   0bf9                 | or                  edi, ecx

        $sequence_4 = { c707???????? e8???????? 8bf0 85f6 7451 53 8b5e08 }
            // n = 7, score = 100
            //   c707????????         |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7451                 | je                  0x53
            //   53                   | push                ebx
            //   8b5e08               | mov                 ebx, dword ptr [esi + 8]

        $sequence_5 = { c1ca0d 33d0 8bc1 c1c802 33d0 8b45ec 8bc8 }
            // n = 7, score = 100
            //   c1ca0d               | ror                 edx, 0xd
            //   33d0                 | xor                 edx, eax
            //   8bc1                 | mov                 eax, ecx
            //   c1c802               | ror                 eax, 2
            //   33d0                 | xor                 edx, eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8bc8                 | mov                 ecx, eax

        $sequence_6 = { 03d1 c1cf02 8b4db4 03d3 334db8 8bc7 334dec }
            // n = 7, score = 100
            //   03d1                 | add                 edx, ecx
            //   c1cf02               | ror                 edi, 2
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   03d3                 | add                 edx, ebx
            //   334db8               | xor                 ecx, dword ptr [ebp - 0x48]
            //   8bc7                 | mov                 eax, edi
            //   334dec               | xor                 ecx, dword ptr [ebp - 0x14]

        $sequence_7 = { 8b4df4 0bd0 8b45c0 03c6 13ca 03c7 8945c0 }
            // n = 7, score = 100
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   0bd0                 | or                  edx, eax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   03c6                 | add                 eax, esi
            //   13ca                 | adc                 ecx, edx
            //   03c7                 | add                 eax, edi
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax

        $sequence_8 = { c7461802000000 894608 897e0c e8???????? 84c0 0f8558ffffff 8b4c2410 }
            // n = 7, score = 100
            //   c7461802000000       | mov                 dword ptr [esi + 0x18], 2
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f8558ffffff         | jne                 0xffffff5e
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]

        $sequence_9 = { e8???????? 8d4c2470 e8???????? 8d8c2488000000 e8???????? 8d4d08 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8d4c2470             | lea                 ecx, [esp + 0x70]
            //   e8????????           |                     
            //   8d8c2488000000       | lea                 ecx, [esp + 0x88]
            //   e8????????           |                     
            //   8d4d08               | lea                 ecx, [ebp + 8]

    condition:
        7 of them and filesize < 319488
}