HelloKitty is a human-operated ransomware operation that has been active since November 2020. The group's notoriety comes from infiltrating corporate networks, stealing data, and encrypting systems, then demanding a ransom under a double-extortion model (payment both for the decryptor and for not publishing the stolen data). One of their most significant attacks was on CD Projekt Red in February 2021, where they claimed to have stolen source code for games such as Cyberpunk 2077 and The Witcher 3. In the summer of 2021, they expanded their targets to VMware ESXi virtual machine hosts using a Linux variant of the encryptor. The operation has also been tracked under other names, such as DeathRansom and FiveHands, and possibly Abyss Locker.
Recently, the HelloKitty source code surfaced on a Russian-speaking hacking forum, leaked by an individual using the alias 'kapuchno,' who is believed to be the ransomware's developer. The leaked archive contains the tools needed to build the HelloKitty encryptor and decryptor, along with the NTRUEncrypt library the malware uses for file encryption.
While the release of ransomware source code can benefit security research, it also has downsides. In similar cases, such as the release of HiddenTear for "educational purposes" and the leak of the Babuk ransomware source code, threat actors quickly reused the code in their own attacks. Even today, more than nine ransomware operations use the Babuk source code as the basis for their encryptors.
Maintaining awareness of how threat actors adapt leaked and modified code in ransomware campaigns is a crucial part of a comprehensive cybersecurity strategy. Members are encouraged to remain vigilant, implement effective security measures, and actively defend against evolving threats. For more, check out BleepingComputer.