
HelloKitty Ransomware Reemerges with Multiple Platform Attacks – Active IOCs

Severity

High

Analysis Summary

Cybersecurity experts have reported a resurgence of the HelloKitty ransomware, now targeting Windows, Linux, and ESXi systems simultaneously. Originally detected in October 2020 as a DeathRansom fork, HelloKitty has evolved with expanded targeting capabilities and more refined techniques. Since September 2024, at least 11 new samples have been identified, signaling significant operational growth.

The revamped ransomware retains its signature file encryption, appending extensions such as “CRYPTED,” “CRYPT,” or “KITTY” to encrypted files. Unlike many ransomware families, HelloKitty customizes ransom notes for each victim individually, strengthening its extortion strategy. It is written in Visual C++ and often uses UPX packing to hinder reverse engineering.

Interestingly, recent variants show a shift in geographic indicators: many samples were uploaded from Chinese IP addresses, in contrast to the family's earlier ties to Ukraine. Researchers noted that HelloKitty has undergone substantial technical upgrades while keeping its core encryption scheme. Operationally, HelloKitty has appeared in three major waves: the initial 2020 batch, a Christmas 2020 variant linked to FiveHands ransomware, and the latest 2024–2025 samples, which target sectors beyond the gaming, healthcare, and power facilities hit earlier.

Despite periods of dormancy, HelloKitty returns with enhanced capabilities. Analysts detected fresh variants as recently as February 2025, even though much of the older command and control infrastructure has vanished from the dark web.

Technically, HelloKitty’s encryption is sophisticated. On Windows, it uses AES-128 combined with NTRU encryption, while Linux systems face AES-256 with ECDH. The process starts with an RSA-2048 public key for victim identification and key encryption. It generates a 32-byte seed from the CPU timestamp, forming a Salsa20 key that encrypts another seed. Final AES keys are created via XOR operations, and encrypted files end with metadata and a distinct signature ("DA DC CC AB").
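Turning the extension and trailer details above into a triage check, as an added example that is not part of the Rewterz advisory: the script walks a directory tree and flags files by the appended extension and by the trailing DA DC CC AB bytes, on a small set of constructed sample files. That the signature occupies exactly the last four bytes and that extension matching is case-insensitive are assumptions of this example, not facts stated by the advisory.

```python
import os
import tempfile
from pathlib import Path

# Values from the advisory: extensions appended to encrypted files and the
# trailing signature bytes. Case-insensitive extension matching is an assumption.
HELLOKITTY_EXTENSIONS = {".crypted", ".crypt", ".kitty"}
HELLOKITTY_SIGNATURE = bytes.fromhex("DADCCCAB")

def classify_file(path):
    """Return the indicators matched: 'extension' if the name carries a HelloKitty
    extension, 'signature' if the last 4 bytes are DA DC CC AB. The advisory only
    says files 'end with' the signature; checking exactly the final 4 bytes is an
    assumption of this example."""
    path = Path(path)
    hits = set()
    if path.suffix.lower() in HELLOKITTY_EXTENSIONS:
        hits.add("extension")
    try:
        with open(path, "rb") as fh:  # read only the tail, never the whole file
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - len(HELLOKITTY_SIGNATURE)))
            if fh.read() == HELLOKITTY_SIGNATURE:
                hits.add("signature")
    except OSError:
        pass  # unreadable: no evidence either way, leave for manual triage
    return hits

def scan_tree(root):
    """Walk `root`; map every file matching at least one indicator to its hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = classify_file(full)
            if hits:
                results[full] = hits
    return results

def run_demo():
    """Write constructed sample files (not real victim data) to a temp dir, scan
    it and return {filename: sorted hits}. A file whose extension was stripped
    but whose trailer survives is still caught by the signature check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx.CRYPTED").write_bytes(b"ciphertext..." + HELLOKITTY_SIGNATURE)
        (root / "notes.txt").write_bytes(b"plain text, untouched")
        (root / "db.bak").write_bytes(b"extension removed" + HELLOKITTY_SIGNATURE)
        return {os.path.basename(p): sorted(h) for p, h in scan_tree(root).items()}
```

Run `run_demo()` to see the two flagged files; point `scan_tree` at a mounted, write-protected copy of a suspect volume rather than a live host.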

Impact

  • Data Theft
  • Financial Loss
  • Unauthorized Access

Indicators of Compromise


Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
  • Do not pay the ransom; paying does not guarantee file recovery and may encourage further attacks.
  • Use reputable antivirus or anti-malware software to detect and remove the ransomware from your systems.
  • Restore files from clean backups if available; ensure backups are not connected to the infected network during restoration.
  • Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
  • Implement network segmentation to limit the spread of ransomware within your organization.
  • Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
  • Implement strict user access controls, granting permissions based on the principle of least privilege.
  • Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
  • Monitor network traffic for unusual activity that may indicate a ransomware infection.
  • Regularly back up critical data and store backups offline or in a secure, isolated environment.