Skip to Content

Hello Kitty Ransomware

Today I want to take a closer look at a specific ransomware variant – Hello Kitty ransomware. This one is interesting to me because it was one of the first ransomware strains I really looked at and researched, when the Linux variant began to target ESXi in Summer 2021.

You can see some of my initial thoughts on it here:

@vmiss33 My first tiktok! #fyp #vmware #ransomware #techtok #infosec ♬ original sound – vmiss

Now let’s take a closer look at some of the background, and why it is a threat.

What is Hello Kitty Ransomware?

Hello Kitty is also sometimes called FiveHands, but let’s face it, I’m going to start with the Hello Kitty here. It earned itself a FBI Flash Released in October of 2021, but the FBI first started paying attention in January of 2021

Now here’s the interesting part, Hello Kitty began to attack ESXi during the summer of 2021. What is it that made this strain pick up some steam and get the notice of the FBI?

Here’s the interesting part, it wasn’t ESXi that started to get the attention of the FBI. Hello Kitty began to target SonicWalls, which is what made everyone so nervous.

I mean if a ransomware group is targeting what it supposed to protect you, that usually is a good indicator you’re in trouble.

Also interesting is that Hello Kitty would basically launch a DDoS attack if you didn’t pay the ransom. Another tactic to get people to pay – because remember, that is the name of the game at the end of the day.

Hello Kitty is written in C++.

If you’re looking for a good technical breakdown of how Hello Kitty works, you can read a detailed malware analysis here by soolidsnake

Earlier Activity of Hello Kitty

Hello Kitty has had some interesting activity, before they even began to launch DDoS attacks or attack ESXi.

They also compromised the Project Red game studio, which is well known for Cyberpunk 2077. The good news is that Project Red was able to recover from backups, although data was stole.

Hello Kitty Key Activities

Here is the timeline of some key activities of Hello Kitty.

November 2020 – First Observed in the Wild

January 2021 – FBI starts paying attention

February 2021 – Hello Kitty hits Projekt Red (Windows based attack)

July 2021 – Hello Kitty Linux variant being to target ESXi, Hello Kitty targets vulnerable SonicWall devices

October 2021 – FBI Flash notice released

Why this all matters

We’ve been seeing a huge increase in mutliplatform ransomware in recent months, however there are many out there that do not realize this. Hello Kitty was one of the first that targeted ESXi specifically, which is what drew my attention to it.

This of course decreases the level of effort needed to wreak havoc, and maximizes destruction.

The next troubling thing is the focus on the vulnerable SonicWall products. This is just another sign that threat actors are always looking to exploit new vulnerabilities and rapid remediation is important.

Finally is the fact that they will simply DDoS attack victims if they don’t pay. Remember, the name of the game is get the victims to pay the ransom.

One thing I have noticed is that there is a big focus on protection for Windows, specifically Windows servers when it comes to ransomware.

A true strategy to reduce the risk of ransomware focuses on more than just a Windows server. It is about reducing the existing security risks in an environment, as well as being sure that you can recover when you are hit.

Exfiltration adds another interesting lawyer, because this is where detection becomes critical. The faster you can detect a malicious actor in an environment, the less data they are able to steal. Again, this becomes a case of trying to protect the most critical and “worth while” data versus protecting everything.

Stay tuned for more write-ups and thoughts on some of my favorite ransomware variants.