April 24

HelloGookie. HelloKitty. Hello, LockBit


HelloKitty family tree

HelloKitty is reported to be a rebuild of DeathRansom, which was only bluff ransomware when it was first observed in 2019. Bluff ransomware is also called fake ransomware because there is no real file encryption, though there is usually a file locker that disrupts access to the files. File lockers are malware that target operating system functions rather than the files themselves. For example, a lock screen on the workstation could prevent a user from interacting with the computer, or access to the files on a computer could be restricted by modifying system permissions. DeathRansom didn’t even have a file locker when it first appeared. It simply renamed the files and left a ransom note. However, only a few weeks after its first attacks, DeathRansom became a fully operational ransomware threat. DeathRansom activity died down after a period of aggressive research into the group, though that may have been coincidental and not due to the results of the investigation.

HelloKitty has also been closely linked with FiveHands ransomware, which is also a novel rewrite of DeathRansom. FiveHands was a ransomware-as-a-service (RaaS) operation that also developed Thieflock ransomware. The operators of Thieflock were later linked to a newer group, Yanluowang ransomware. We’ll come back to Yanluowang in a minute.

Although HelloKitty was mentioned in the 2022 Cisco breach, that attack was formally attributed to an affiliate of UNC2447, Lapsus$, and Yanluowang. Cisco security teams detected the breach and purged the threat before ransomware could be deployed. Since there was no ransomware to analyze for this incident, Cisco teams reported on the known past behavior of threat actor UNC2447, saying it has consistently used “a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more.”

In separate research on the 2021 SonicWall attacks, Mandiant researchers noted,

Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021.

Mandiant has also published detailed comparisons of HelloKitty, FiveHands, and DeathRansom.

Now back to Yanluowang. This was a ransomware-as-a-service (RaaS) group that targeted U.S. companies of all types but primarily focused on financial companies. The threat actor ‘Saint’ represented Yanluowang in the crime forums and in private messaging. In October 2022 the private chat logs of Yanluowang were leaked to the public, revealing many new insights into the group. The interesting part for us is that Guki of HelloKitty was one of the most active members in the Yanluowang logs. In one of the conversations, Guki asked Saint for assistance with future attacks. HelloKitty was ‘human-operated’ ransomware, and Guki didn’t have the manpower to leverage all the working credentials in his arsenal. Yanluowang, as a RaaS group, could either buy his assets or give him a cut of any ransom collected through his data.

The Yanluowang group and Saint went quiet after the leak of the chat logs in 2022.

Hello, LockBit

And now we are back to those HelloGookie forum posts.

Gookee/Guki/Kapuchin0 has been posting on the forums since at least early March 2024. A researcher (@3xp0rt) captured some of the posts.
