

April 14, 2025
Severity
High
Analysis Summary
Security researchers report a resurgence of the HelloKitty ransomware, with current samples targeting Windows, Linux, and VMware ESXi hosts. First observed in October 2020 as a fork of DeathRansom, HelloKitty has since broadened its targeting and refined its tooling. At least 11 new samples have surfaced since September 2024, a sign of renewed operational activity.
The revamped ransomware keeps its signature file-encryption behaviour, appending extensions such as .CRYPTED, .CRYPT, or .KITTY to the files it encrypts. Unlike many ransomware families, HelloKitty tailors its ransom note to each victim rather than dropping a generic template, which strengthens its extortion leverage. The malware is written in Visual C++ and is frequently packed with UPX to hinder static analysis and reverse engineering.
Recent variants also show a shift in geographic indicators: many of the new samples were uploaded from Chinese IP addresses, whereas earlier activity was tied to Ukraine. Researchers note that HelloKitty has undergone substantial technical upgrades while keeping its core encryption scheme. Operationally, it has appeared in three major waves: the initial 2020 batch, a Christmas 2020 variant linked to the FiveHands ransomware, and the 2024–2025 samples, which target sectors beyond the gaming, healthcare, and power-generation organisations hit earlier.

Despite periods of dormancy, HelloKitty keeps returning with enhanced capabilities. Analysts observed fresh variants as recently as February 2025, even though much of the older command-and-control infrastructure has disappeared from the dark web.
Technically, HelloKitty's encryption is layered. The Windows build uses AES-128 combined with NTRU, a lattice-based public-key scheme, while the Linux build uses AES-256 with ECDH key agreement. The process begins with an embedded RSA-2048 public key, used both to identify the victim and to protect the generated keys. The malware derives a 32-byte seed from the CPU timestamp counter, uses it to form a Salsa20 key that in turn encrypts a second seed, and derives the final AES keys from these values via XOR operations. A timestamp counter is a far weaker entropy source than an OS-provided CSPRNG, although the report does not claim that this makes the keys recoverable. Each encrypted file ends with a metadata footer and a distinct 4-byte signature (DA DC CC AB), an artefact worth keying on when identifying encrypted files during incident response.
Impact
- Data Theft
- Financial Loss
- Unauthorized Access
Indicators of Compromise
MD5
4d854853a5fab3421e5713fd0b6fed42
a3dc8739c25b9b0c0348fc12fddcef65
eab47cbf897c7e9c2dc1009e11d1d928
dedaf87d9f14524ec3fe7c3d2e304bf5
16153e9582cfe94a06fc670a5d851ed9
a169a146571b908a412ba8482adee8f1
SHA-256
af179b093adef005f85ed0c5e9a920381bf0993bd5fd2af393fe6551e3b934b4
4b082cfa36133e66c3ed8918ed775bd656890c3c7373606d67e0ee9edd6aa3b4
8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2
e22137c5b034e0bf022ee389b607d3e0cffdbb25355918135f1536a7e510442b
192acfe0d55eef4c49cb7c803e7130d2f5ecd6bdee446f1c065ea6dee489ea6c
a022e86b2bb3ed6b4a8676be8b1688397b6e15c693e69c5093d8eb04396d2905
SHA1
4810900a37237015a3097b8c5f45cc6cbfe285c2
37fa81ea2346e2110715c604d451097b95bb4698
0816c29d03f6612b053db52a245f6c0062967b5d
be8574663f31227d834bf3adc31c386533a7632c
9a59a3310086462fd4bbf4781995464eb889974c
47cd550be7567b8ff091fff32cd0d7c3c0e4f7d2
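As an added illustration (not code from the advisory or from any vendor tool), the following Python script ties together the two concrete artefacts this advisory hands an incident responder: the file hashes listed in the Indicators of Compromise section, and the encryption-output markers described in the analysis (the .CRYPTED/.CRYPT/.KITTY extensions and the DA DC CC AB trailer signature). It sweeps a directory, hashes every file once for MD5, SHA-1 and SHA-256 and checks all three against the IOC set, and separately flags files that carry the ransomware's extension or trailer. The files it scans are constructed in a temporary directory and contain no malware. One assumption is labelled in the code: the advisory says encrypted files "end with" the signature, so the scanner tests the final four bytes of each file.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File hashes copied from the Indicators of Compromise section above.
IOC_HASHES = {
    "md5": {
        "4d854853a5fab3421e5713fd0b6fed42", "a3dc8739c25b9b0c0348fc12fddcef65",
        "eab47cbf897c7e9c2dc1009e11d1d928", "dedaf87d9f14524ec3fe7c3d2e304bf5",
        "16153e9582cfe94a06fc670a5d851ed9", "a169a146571b908a412ba8482adee8f1",
    },
    "sha1": {
        "4810900a37237015a3097b8c5f45cc6cbfe285c2", "37fa81ea2346e2110715c604d451097b95bb4698",
        "0816c29d03f6612b053db52a245f6c0062967b5d", "be8574663f31227d834bf3adc31c386533a7632c",
        "9a59a3310086462fd4bbf4781995464eb889974c", "47cd550be7567b8ff091fff32cd0d7c3c0e4f7d2",
    },
    "sha256": {
        "af179b093adef005f85ed0c5e9a920381bf0993bd5fd2af393fe6551e3b934b4",
        "4b082cfa36133e66c3ed8918ed775bd656890c3c7373606d67e0ee9edd6aa3b4",
        "8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2",
        "e22137c5b034e0bf022ee389b607d3e0cffdbb25355918135f1536a7e510442b",
        "192acfe0d55eef4c49cb7c803e7130d2f5ecd6bdee446f1c065ea6dee489ea6c",
        "a022e86b2bb3ed6b4a8676be8b1688397b6e15c693e69c5093d8eb04396d2905",
    },
}

# Extensions the advisory reports HelloKitty appending to encrypted files.
ENCRYPTED_EXTENSIONS = {".crypted", ".crypt", ".kitty"}

# Trailer signature quoted in the advisory ("DA DC CC AB"). ASSUMPTION: the
# advisory only says encrypted files "end with" the signature, so this scanner
# checks the final four bytes of the file, in the byte order written.
TRAILER_SIGNATURE = bytes.fromhex("DADCCCAB")


def hash_file(path):
    """MD5, SHA-1 and SHA-256 of a file, computed in one read pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(path):
    """(algorithm, digest) pairs of `path` that appear in the IOC set."""
    return [(alg, d) for alg, d in hash_file(path).items() if d in IOC_HASHES[alg]]


def looks_encrypted(path):
    """Reasons (extension and/or trailer) to treat `path` as a HelloKitty-encrypted file."""
    p = Path(path)
    reasons = []
    if p.suffix.lower() in ENCRYPTED_EXTENSIONS:
        reasons.append("extension")
    size = p.stat().st_size
    if size >= len(TRAILER_SIGNATURE):
        with open(p, "rb") as fh:
            fh.seek(size - len(TRAILER_SIGNATURE))
            if fh.read() == TRAILER_SIGNATURE:
                reasons.append("trailer")
    return reasons


def scan_tree(root):
    """Walk `root`; return {relative path: {"iocs": [...], "encrypted": [...]}} for hits only."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                iocs, enc = match_iocs(full), looks_encrypted(full)
            except OSError:  # unreadable or vanished file: skip it, do not abort the sweep
                continue
            if iocs or enc:
                findings[os.path.relpath(full, root)] = {"iocs": iocs, "encrypted": enc}
    return findings


def build_sample_tree():
    """Constructed sample files (harmless bytes, not real malware) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="hk_triage_")
    # ciphertext-like body, a fake metadata footer, then the trailer signature
    (Path(root) / "report.docx.kitty").write_bytes(os.urandom(64) + b"\x00" * 16 + TRAILER_SIGNATURE)
    (Path(root) / "renamed.CRYPTED").write_bytes(b"extension only, no trailer")
    (Path(root) / "notes.txt").write_bytes(b"ordinary file, should not be flagged")
    (Path(root) / "empty.bin").write_bytes(b"")
    return root


if __name__ == "__main__":
    for rel, hit in scan_tree(build_sample_tree()).items():
        print(f"{rel}: iocs={hit['iocs']} encrypted={hit['encrypted']}")
```

Point `scan_tree` at a mounted forensic image or a file share suspected of being hit. An extension match alone is noisy, since any file can be renamed, so the trailer check is the stronger signal that a file is ransomware output; a hash hit against the IOC set identifies the ransomware binary itself rather than its output, and is what you would pivot on to find the initial execution host.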
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
- Do not pay the ransom; payment does not guarantee file recovery and may encourage further attacks.
- Use reputable antivirus or anti-malware software to detect and remove the ransomware from your system.
- Restore files from clean backups if available, ensure backups are not connected to the infected network during restoration.
- Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
- Implement network segmentation to limit the spread of ransomware within your organization.
- Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
- Implement strict user access controls, granting permissions based on the principle of least privilege.
- Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
- Monitor network traffic for unusual activity that may indicate a ransomware infection.
- Regularly back up critical data and store backups offline or in a secure, isolated environment.