The HelloKitty ransomware (aka FiveHands), has its earliest traces from November 2020, discovered by FBI in January 2021, and has potential ties with the DeathRansom. This Ransomware was highly active in December 2020, targeting organizations across multiple industries and countries. The ransomware demands a bitcoin payment written in a ransom note after encrypting files on a system. It too uses the trending double extortion technique of threatening data destruction and confidentiality breach, extended to DDoS attacks on public facing assets in some cases. It means that upon failure to acquire a ransom payment, the victim’s data will either be published on the Babuk site payload.bin or would be sold to a third-party data broker.
Attack Vectors
How does the HelloKitty ransomware gain access to the victims? Well, it uses a number of attack vectors like using compromised credentials and recently patched security flaws in SonicWall products (CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). It may also use phishing emails or cause secondary infection from an initial malware attack. After initial access, HelloKitty operators use some common red team penetration tools like Cobalt Strike, Mandiant’s Commando, or PowerShell Empire preloaded with tools like Bloodhound and Mimikatz. Using these for reconnaissance and data collection, they first map the network and escalate privileges before exfiltration and encryption.
Attack Victims
Video Game Manufacturing - Poland
The most well-known attack by HelloKitty was on the systems of CD Projekt Red in February 2021, that claimed to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games’ source code. It later claimed having sold the sensitive files to another threat actor. Below is the ransom note it left for CD Projekt Red on its encrypted machines:
CEMIG Powerplant - Brazil
A Brazilian electric power company called CEMIG (Companhia Energética de Minas Gerais) announced falling victim to a cyber attack in December 2020. HelloKitty ransomware was involved as revealed later, and stole a huge volume of data from the company, causing suspension of the company’s WhatsApp, SMS channels, and online app service.
Healthcare Service - UK
Another HelloKitty attack targeted a UK Healthcare organisation earlier in January 2021. Below is the ransom note found on encrypted computers of the facility. The organization’s name has been omitted.
IT Service - France
Another French IT service was attacked around Christmas 2020, leaving another HelloKitty ransom note.
In July 2021, the ransomware operators introduced a Linux variant for targeting VMware ESXi virtual machine platform, and its activity went up since July. Targeting enterprise virtual machines, the threat actors could encrypt multiple servers simultaneously, with a single command, saving time and effort.
The FBI also shared an extensive collection of indicators of compromise (IOCs), as usually happens in case of any cyber attack chain.
Attack Workflow
Once the ransomware is sent to the victim’s computer via malspam campaigns, fake software updating tools, untrusted download sources, unofficial (third party) software activation tools and Trojans, the .exe file is executed on the system and the below workflow begins to unfold.
1. Termination of processes and Windows services.
HelloKitty upon execution begins to terminate all processes and windows services that may interrupt its infection. These are usually associated with security, backup or accounting softwares, as well as email and database servers.
2. Encryption of files with .KITTY or .CRYPTED file extensions.
On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU encryption. On Linux systems, it uses the combination AES-256 + ECDH. It appends the extension .kitty or .crypted to locked file names.
3. Ransom note.
After encryption of files, it leaves a plain text ransom note on the desktop of victim machines. It addresses the victim, demands a ransom amount in BTC and gives further directions or bitcoin address. It usually contains a .onion URL that the victim can open using the Tor browser.
4. Deletion of shadow copies.
After successful encryption, HelloKitty deletes shadow copies and backups of encrypted files from the affected systems. This is to make sure no data is retrieved from backups.
HelloKitty; A Sample
Hundreds of Indicators of Compromise are circulating on threat forums to enable security teams to secure their assets based on signature-based detection. This means that firms reliant on IoCs may fall victim to new variants and only known IoCs can be blocked. Below is just one sample of the ransomware in SHA-256 algorithm.
9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
This particular sample was detected as malicious by 58 out of 69 detection tools. It targets Intel 386 or later processors and compatible processors.
Protection from HelloKitty Ransomware using X-Phy Cybersecurity SSD Protection
X-Phy AI-embedded cyber secure SSD is protected by all known and unknown cyber threats. It is designed to thwart all cyber attacks without signature-based detections. The SSD detects a malware or cyber attack in a matter of seconds and securely locks the device before attackers can access any data.
Flexxon tested the HelloKitty ransomware on a X-PHY® SSD and a normal SSD to see the responses. In less than 5 seconds, X-PHY® stopped the attack dead in its tracks, locked all data keeping it untouched, and immediately notified the user via email and OTP.
Testing with the normal SSD/without the X-PHY
1
2
3
Testing with the X-PHY® SSD
To unlock X-PHY®, the user will have to use connected duo authentication to unlock X-PHY®, otherwise, it remains locked. After unlocking, X-PHY® will have recorded all events in the event log, and the user can now access data in a normal way.
As attackers utilise more sophisticated attack techniques, it is becoming harder and harder for companies to stay ahead of the attacker’s techniques and keep their data secure from cyberattacks. That’s why we brought X-PHY® to you, it automatically detects suspicious behavior since it is highly trained with huge databases of malware to understand all possible behavior for malware.
X-PHY® AI core is placed closest to your data and is highly trained to protect you from any threat that can touch your data.
X-PHY® Response Flow
- XPHY FORENSICTM AGENT features ACTIVE DETECTIVE and DEEP INVESTIGATION introduce extra file protection features by preventing any illegal data modifications. They also record all activities and their application, making it easy for X-PHY® to identify suspicious actors.
- XPHY GUARDTM THREAT LOCK features SECURITY SCOUT and GUARDIAN PRO-X work together to stop any attempt by the ransomware to breach or clone your sensitive data.
- After noticing suspicious activity to breach and/or to encrypt user data, it will trigger XPHY FACTOR ENCRYPTIONTM LOCK. KEYCODE 2-FACTOR feature within XPHY FACTOR ENCRYPTIONTM LOCK locks down all the data in X-PHY® making it inaccessible to the ransomware.
- X-PHY® SSD sends notification to the user in their computer showing that ransomware has been detected. An email notification is also sent to the user simultaneously through the user’s registered email. The user will require OTP to unlock the SSD.
- X-PHY® records the attack activity in the event log, and will automatically stop any action with the same behavior in the future.
- To unlock X-PHY®, the user will have to use connected duo authentication to unlock X-PHY®, otherwise, it remains locked. After unlocking, X-PHY® will have recorded all events in the event log, and the user can now access data in a normal way.
Conclusion
As cyberattacks grow in number and malware variants are introduced every single day, cybersecurity solutions reliant on IoCs are at a high risk of falling victim to a new malware. The consequences in case of ransomware attack include data deletion, loss of backup, extortion, confidentiality breach, etc. Therefore it is advisable that firms should switch to protection at the firmware level, the x-phy SSD that does not allow any unauthorized access.
