Malware Overview - HelloKitty

Introduction: 


If there existed an award for the cutest and most benign-sounding family of malware, I would not hesitate to say that the developers of the HelloKitty ransomware would be walking home with the highest honor. That being said, the use of charming and otherwise innocuous-sounding names for some of the worst and most malicious malware isn't a new development. From the comforting-sounding ILOVEYOU worm that originated in the Philippines in 2000 and went on to infect the rest of the planet, to nation-state developed spyware like "Babar" (referencing the adorable elephant from the French children's literature classic), the use of harmless and disarming monikers for malware is just another way for threat actors to explore their creativity and sense of humor. Hell, it's not even uncommon for individuals to give themselves names of HelloKitty is not the first and will surely not be the last strain of malware to be given such a name, either afterwards by the general public or directly by its developers.


Initial Appearance: 


According to most sources, this specific strain of ransomware reared its adorable head in late 2020, specifically November 2020. The initial detection occurred in Ukraine, and the campaign targeted victims both within and outside of Ukraine. The name "HelloKitty" was bestowed on this strain based on a mutex within the ransomware code that is literally named "HelloKitty". Although the authors did not give their ransomware a name, it was a foregone conclusion that security researchers and security publications would seize the opportunity to give the ransomware its unconventional but now infamous name.


For those unaware, a mutex (a portmanteau of "mutual exclusion") is a program object that prevents multiple threads from accessing the same shared resource simultaneously. Malware commonly creates a uniquely named mutex so that only one copy of itself runs on a host, and that fixed name is what makes it useful as an indicator. Here is a good Medium post which helps define mutexes within the context of CTI. HelloKitty is a perfect example of this phenomenon, where a specific mutex within the malware was used not only to name it but also to fingerprint it.


According to a post from the ID-Ransomware blog, the initial detection of this strain of ransomware seemed to demonstrate the authors' timidity or amateurism, as they refrained from directly contacting the victim via email and only offered a single .onion link. Although this may not seem like a big deal, it has become clear over the years that the more sophisticated a cybercrime group or threat actor is, the more channels of communication they give their victims to facilitate payment. I mean, at the end of the day, if you're a cybercriminal who managed to breach an organization and hold its data for ransom, wouldn't you want to make it as easy as possible for the victim to give you what you ultimately want?


https://www.virustotal.com/gui/file/9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0/community

https://app.any.run/tasks/41585437-15ea-4bdd-9864-880a2b178ffd/


An any.run and VirusTotal analysis of the initial ransomware sample is linked from the blog post, which gives the reader a sneak peek into the inner workings of this strain.


Delving deeper into the technical inner workings of this malware, it is clear that it does not stray far from the typical behavior of most ransomware. It uses taskkill.exe to kill a range of system processes so that they cannot interfere with the encryption process (for example, by keeping target files open and locked). It also utilizes WMI to gather information on the initially compromised systems in order to assist with the encryption process.


The ransomware will also attempt to delete all volume shadow copies on the victim hosts, and it targets Word documents, OpenOffice documents, PDF files, text files, database files, photos, audio files, videos, other image or media files, archive files, etc. An AlienVault IOC listing provides a solid list of all of the processes that HelloKitty attempts to kill, along with additional IOCs and TTPs.


All in all, this is pretty par for the course when it comes to a ransomware strain. While it is far from the most sophisticated strain of ransomware that has appeared in the wild, it is still dangerous, and it is important for organizations to be aware of the different techniques threat actors utilize to carry out their objective of compromising your environment. It should also be known that HelloKitty uses the now nearly ubiquitous tactic of double extortion. This means that not only do they hold their victim's data hostage and demand payment for restoration, but they also threaten to disclose the potentially sensitive data on the dark web. Sometimes this double extortion comes in the form of an additional ransom demand, and sometimes it is just an added incentive for the victim to pay, and to pay quickly.


CEMIG:


In December of 2020, only a month removed from its initial detection back in November, it was reported that a Brazilian electrical distribution company, CEMIG or Companhia Energética de Minas Gerais, suffered a ransomware attack that affected the company's online service portal. According to the initial statement from CEMIG that was posted on Facebook, "less than 10%" of their Windows and Hyper-V servers were encrypted by the ransomware. They advised that some workstations were compromised but were quickly contained by their SOC. At the end of their statement they advised that no communication was made with the attackers and "no leak" of customer data occurred.


HelloKitty ransomware note.


In a more lighthearted turn of events, it was reported that possibly someone associated with CEMIG did in fact reach out to the HelloKitty ransomware group via their .onion link to chat with them, although not to negotiate. 



What we have here are screenshots of this person reaching out to the HelloKitty group with a fairly succinct reply of "no thanks motherfucker" to their demands. HelloKitty did their absolute best to try and threaten CEMIG again with leaking their data on the dark web, but it appears there was no further communication between the two parties, and it was reported that CEMIG managed to restore their environment and compromised systems within 4 days of the attack.


It is worth noting, though, that although it would be far funnier if the person who contacted the HelloKitty group was from CEMIG, there is no way to verify this: the .onion link was made public, and the reality is that it could have been literally anyone communicating with them.


Following the attack on CEMIG, it was also reported that in December of 2020 a French IT firm and a UK healthcare service were victims of HelloKitty intrusions. The only information I can find on either of these, however, is the ransom notes with the names of each victim omitted.


CD Projekt RED: 



CD Projekt RED is a video game developer famous for adapting the Witcher book series into an immensely popular and critically successful video game series. They also happen to be famous, or rather infamous, for inarguably one of the most disastrous launches of an anticipated title in history, with Cyberpunk2077. This isn't especially relevant, but I thought it was important enough to mention as many are still upset about it.


On Feb 9th, 2021 they released a statement on Twitter declaring to the public that they had recently been the victim of a “targeted cyber attack” in which some internal systems were compromised. They advised that a ransom note was left along with “some devices” in their network being encrypted. 



The ransom note, likely intentionally, reads like a 17 year old trying to sound intimidating or threatening in order to force an easy ransom payment. I continue to theorize that many sophisticated cybercrime groups intentionally communicate with victims in these skiddish, pre-pubescent ways, almost as if they are trying to downplay their sophistication in the eyes of the authorities.


CD Projekt RED advised that although confidential data was stolen and devices were encrypted, their backups were left untouched and the relevant authorities were contacted. It seemed that at first, many who aren't familiar with the world of cybercrime and ransomware assumed that this was an elaborate troll-job by disgruntled Cyberpunk customers. The general public, however, was quickly assured that this wasn't a one-off hack by skids but a legitimate ransomware attack which resulted in significant data compromise.


As stated in the ransom note, the attackers claimed to have stolen source code for Cyberpunk2077 and an “unreleased version” of the Witcher 3. 


In an unsurprising turn of events, it was reported that the most likely vector of compromise for most of HelloKitty's victims, including CD Projekt, was phishing. Initial victims were met with a .crypted file extension appended to the affected files; however, it appears the group started to lean into their malware's newfound moniker and began encrypting files with the .kitty extension.
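As an added illustration that is not part of the original post, the behaviours described so far (the "HelloKitty" mutex, taskkill.exe used against running processes, volume shadow copy deletion, and files renamed to .crypted or .kitty) can be turned into simple host-telemetry detection logic. The event records below are constructed, and the vssadmin/wmic command-line patterns are assumed generic ransomware tradecraft rather than commands quoted on this page:

```python
import re
from collections import Counter

# Indicators drawn from the write-up: the "HelloKitty" mutex, taskkill.exe used
# to stop interfering processes, shadow copy deletion, .crypted/.kitty renames.
KNOWN_MUTEXES = {"hellokitty"}
RANSOM_EXTENSIONS = {".crypted", ".kitty"}
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b", re.I)
# Assumed: typical shadow-copy deletion command lines, not quoted on the page.
SHADOW_DELETE = re.compile(
    r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
WEIGHTS = {"known_mutex": 60, "shadow_copy_deletion": 30,
           "taskkill_spray": 20, "ransom_extension_renames": 40}


def file_extension(path):
    """Lower-cased final extension of a Windows or POSIX path, e.g. '.kitty'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def analyze(events, taskkill_threshold=3, rename_threshold=5):
    """Score host telemetry for HelloKitty-like behaviour.

    events: dicts of type "mutex" (name), "process" (cmdline) or
    "file_rename" (src, dst). Single taskkill or rename events are routine
    admin activity, so those are only reported once they pass a threshold.
    """
    findings, counts = {}, Counter()
    for ev in events:
        kind = ev.get("type")
        if kind == "mutex" and ev.get("name", "").lower() in KNOWN_MUTEXES:
            findings["known_mutex"] = ev["name"]
        elif kind == "process":
            cmd = ev.get("cmdline", "")
            if TASKKILL.search(cmd):
                counts["taskkill"] += 1
            if SHADOW_DELETE.search(cmd):
                findings["shadow_copy_deletion"] = cmd
        elif kind == "file_rename" and file_extension(ev.get("dst", "")) in RANSOM_EXTENSIONS:
            counts["ransom_rename"] += 1
    if counts["taskkill"] >= taskkill_threshold:
        findings["taskkill_spray"] = counts["taskkill"]
    if counts["ransom_rename"] >= rename_threshold:
        findings["ransom_extension_renames"] = counts["ransom_rename"]
    score = sum(WEIGHTS[k] for k in findings)
    verdict = ("likely_ransomware" if score >= 60
               else "suspicious" if score >= 30 else "benign")
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed sample telemetry (not real sandbox output): a HelloKitty-like run
# followed by an ordinary admin session that must not trigger.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": "HelloKitty"},
    {"type": "process", "cmdline": "taskkill.exe /IM sqlservr.exe /F"},
    {"type": "process", "cmdline": "taskkill.exe /IM outlook.exe /F"},
    {"type": "process", "cmdline": "taskkill.exe /IM winword.exe /F"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "explorer.exe"},
] + [{"type": "file_rename", "src": f"C:\\Users\\a\\doc{i}.docx",
      "dst": f"C:\\Users\\a\\doc{i}.docx.kitty"} for i in range(6)]
BENIGN_EVENTS = [
    {"type": "process", "cmdline": "taskkill.exe /IM notepad.exe"},
    {"type": "file_rename", "src": "C:\\tmp\\a.txt", "dst": "C:\\tmp\\a.bak"},
]
```

The thresholds are deliberately low for the demonstration; in production they would be tuned per host role and evaluated over a time window rather than over an unbounded event list.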



Two days after the CD Projekt RED Twitter post, it was reported that the HelloKitty group was auctioning off the source code for Cyberpunk2077 and The Witcher 3, and they claimed to have received an offer from outside the hacking forum where the auction took place that "satisfied" them. However, it was noted that the sale was made only on the condition that the buyer never distribute the stolen source code to anyone else. Keep this in mind for later, as it may be surprising to learn that the stolen source code shockingly found its way onto the Internet. It's a shame to see that there truly is no honor even among professional cybercriminals. Screenshots of the HelloKitty auction post on the hacking forum indicated that their starting bid for the data was $1 million, with an immediate flash sale starting bid of $7 million.



Later in February CD Projekt provided some additional details to the public on the exact type of information that was stolen or affected by the attack. They also provided a list of actions taken by the company following the attack and there was no indication that CD Projekt made any attempt to contact the HelloKitty group to negotiate payment. Although CD Projekt’s refusal to negotiate with the attackers essentially ensured that any stolen data would be eventually leaked online by the HelloKitty group, it is always a breath of fresh air to see victims of ransomware decline to make any attempt to negotiate with their attackers or pay the ransom. We’ve been beating a dead horse for over a decade now trying to get it through the heads of victims that if ransomware groups had no reason to expect a ransom payment, there would be no further use for ransomware.


And as I just stated, later in June of 2021 CD Projekt published a follow-up article on their website which stated that they were made aware that some of the data that was stolen in the initial attack was now circulating on the internet. They did not provide any details on whether or not the leaked data was initially leaked on the Dark Web or simply on the regular internet and what the exact content of the data was.


Over the following months it was reported by various outlets that the HelloKitty ransomware group was involved in a number of breaches. Western Pathology Inc, a California-based medical company, was reportedly infected with HelloKitty ransomware according to a ransom note that was shared online by researchers. I could not find any additional information on this attack in regard to whether or not the ransom was paid by the victim; however, some technical details of the malware used in the attack are provided by the ID Ransomware blog post.



That was then followed up with more news that the HelloKitty operators were now deploying variants of the HelloKitty ransomware which targeted VMware ESXi environments. This was a sort of follow-up to the threat actors deploying a version of the ransomware which also targeted Linux machines. MalwareHunterTeam provided a snapshot of some of the capabilities of this new strain, some of which showed attempts to kill running VMs on the victim hosts. The reasoning behind these new capabilities is that shutting down the VMs first allows the ransomware to encrypt the virtual machine disk files without the files being modified mid-encryption, which would otherwise corrupt them and prevent successful restoration upon payment of the ransom.


All in all, these developments seem to follow the pattern of most ransomware, attacking who they can, upgrading and customizing the malware when needed or when desired, and simply using all of the resources at their disposal to compromise as many victims as possible. The FBI published a FLASH alert in Oct of 2021 which provided new details on some of the more recent tactics and techniques currently being utilized by the HelloKitty actors which included DDoS attacks on the victim’s website to further incentivize payment.


Recent Activity:



As you’ve likely thought to yourself throughout the course of reading this blog post, why am I writing about the details of a random strain of ransomware whose heyday was all the way back in 2021? Well, I’m glad that you asked. 


In Oct of 2023 BleepingComputer reported that a person going by the username "Gookee" or "kapuchin0" leaked the source code of the original or first version of the HelloKitty ransomware on a Russian-language dark web hacking forum. The reason behind publishing the source code for the original HelloKitty ransomware is unknown, but I wouldn't hesitate to guess that it was to establish Gookee's credibility as the author. They also claimed to be working on a new version that would possess a more powerful encryptor. As the author of the BleepingComputer article states, although leaked malware source code is great for security researchers to study and helps us better understand the types of threats we are facing, the code also provides golden opportunities for other threat actors to take this now publicly available code and run with it, allowing them to gleefully use it for their own nefarious purposes.


Following this, on April 19th, 2024 it was reported by BleepingComputer that this same user, who claimed to be the author of the HelloKitty ransomware, was announcing a disappointing rebrand of the cybersecurity world's cutest ransomware strain to "HelloGookie" and, along with that, released passwords for stolen CD Projekt RED source code from 2021 and additional stolen data from Cisco. The security researcher 3xp0rt provided screenshots of the forum posts made by the "Gookie" individual in which he directly claimed to be the "author" of the HelloKitty "project". Although there is no way to verify whether this person is actually the original author of the HelloKitty ransomware, his access to various passwords and other confidential data associated with the CD Projekt hack, along with the leak of the original HelloKitty source code back in Oct 2023, does greatly enhance his credibility. To follow up his new rebranding announcement, "Gookie" also provided a link to his new .onion site, which displayed on its homepage a pair of messages mocking Cisco and CD Projekt and another with private keys for some of the stolen data.



As is to be expected following the leak of the source code for the Witcher 3 to the broader Internet, it was only a matter of time before a group of technically savvy game enthusiasts compiled the game in its entirety using the stolen source code. According to the BleepingComputer article, a member of the group who compiled the Witcher 3 from the stolen code provided some details to the outlet of what exactly they were working with.


"One representative of the group compiling Witcher 3 known as 'sventek' told BleepingComputer that the leaked CD Projekt data is 450 GB uncompressed and contains source code for Witcher 3, Gwent, Cyberpunk, various console SDK (PS4/PS5 XBOX NINTENDO), and some build logs."


If you're wondering why there is leaked data from Cisco on the supposed original HelloKitty author's new rebranded site when there was no reported HelloKitty breach of Cisco, it is because in 2022 Cisco was in fact the victim of a hack, but not by HelloKitty. They were instead the victims of the Yanluowang ransomware group.



On Oct 31st 2022 the Yanluowang ransomware group's .onion site was hacked by an unknown person who uploaded details of the hack to a Twitter account with the super creative name of yanluowangleaks. Along with details of the hack, they provided stolen dumps of chat logs from the .onion site, which totaled around 2,700 messages sent between various users on the site between January and September of 2022. The leak of these chat logs provided an incredible opportunity for security researchers to gain a deeper insight into how a ransomware group operates behind the scenes.


Reading through these logs, it becomes pretty clear that what we all expected to be the case is actually the case: the Yanluowang ransomware gang isn't actually Chinese. This seemed blatantly obvious from the beginning, as Chinese ransomware gangs are fairly rare, and even in those cases they are simply poorly constructed fronts for one of the multitude of Chinese APT groups.


As expected, all of the chat logs were in Russian and the hackers at one point even admitted to using the Yanluowang name as a misdirection to trick researchers and the media into believing they were somehow connected to China.



At this point you're probably wondering what this fake Chinese ransomware group has to do with HelloKitty. In May of 2022 the user we now refer to as "Gookie" appeared in the chat logs of the Yanluowang ransomware group's website to negotiate with them and maybe even recruit some of them. The user "Gookie" or "Guki" made a plea to the Yanluowang hackers, asking them if they would be willing to work together on "future compromises". This is noteworthy because, although there is no direct evidence in the chat logs of the Yanluowang actors providing Gookie with the stolen Cisco data, there is now clear evidence of a direct connection between Gookie, who claims to be the primary author of the HelloKitty ransomware, and the Yanluowang ransomware gang, who claimed responsibility for the Cisco hack back in 2022. There is no additional information on how Gookie obtained the stolen Cisco data, but the only thing that matters at this point is that he now has it, and this is a clear demonstration of the ongoing communication and cooperation that happens between different ransomware gangs on the dark web on a daily basis.


Conclusion: 


So what have we learned? That threat actors enjoy teasing their victims and the public? That even double extortion ransoms can be thwarted by organizations who refuse to give in to the demands of their attacker? That different threat actors regularly communicate and collaborate with one another on secret dark web Russian hacking forums? The reality is that there isn't anything especially unique to the HelloKitty ransomware or its developers aside from its memorable name. It really is just another incarnation of the same behavior and TTPs that we have seen over the past few years from a variety of ransomware groups: double extortion, targeting Linux and ESXi environments, hosting dark web payment portals, rebranding, etc. There really isn't anything novel about HelloKitty, and yet they managed to compromise very prominent victims and extort them for data that will likely cost those victims millions of dollars in the long run. It really doesn't matter if one ransomware gang spends years developing the most state-of-the-art sophisticated ransomware strain in the world when another group can develop their own mostly unoriginal strain that wreaks just as much havoc with a fraction of the effort. At the end of the day, what matters is the importance that potential victims place on employee training and network security. Yes, a 0-day exploit can bypass any amount of employee awareness and EDR/IDS/AV in the initial stages, but with the right amount of proactive monitoring and training, it really should only be a matter of time before your SOC detects this activity and halts it in its tracks before it is too late.


The moral of the story? Naming your malicious cyber weapon after a cute Sanrio character doesn't give it special powers, but it does make it slightly more memorable.


Note: Shoutout to my girlfriend for the inspiration to make this post in the first place <3
