The FBI first identified HelloKitty as an active ransomware group in January 2021; nevertheless, newer data suggests the group has been operating since as early as November 2020.
The group is best known for breaking into and encrypting CD Projekt Red's networks in February and claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other titles.
What Happened?
The FBI issued a flash notice to private industry partners, alerting them that the HelloKitty ransomware gang (also known as FiveHands) has added distributed denial-of-service (DDoS) attacks to its arsenal of extortion tools.
The FBI claimed in a Friday notice coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) that the ransomware organization would use DDoS assaults to take down its victims’ official websites if they didn’t pay the ransom.
The FBI first observed Hello Kitty/FiveHands ransomware in January 2021. Hello Kitty/FiveHands actors aggressively apply pressure to victims typically using the double extortion technique. In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker.
HelloKitty is also known for stealing sensitive data from victims' compromised servers before encrypting them.
The stolen files are then used as leverage: victims are pressured to pay the ransom under the threat of the material being published on the group's data leak site.
To gain initial access to targets' networks, the group's operators may use a variety of tactics, including compromised credentials and recently patched vulnerabilities in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002).
HelloKitty's activity increased in July and August, shortly after it began using a Linux variant in attacks, according to submissions by its victims to the ID Ransomware portal.