Rather than using or developing their own locker payload, Vice Society operators have deployed third-party ransomware in their intrusions, including HelloKitty, Five Hands, and Zeppelin.
HELLOKITTY
HelloKitty is a human-operated double-extortion ransomware family active since at least November 2020.
Profile source: Mallory opens in a new tabHELLOKITTY
Family profile
HelloKitty is a human-operated double-extortion ransomware family active since at least November 2020. It is used to compromise corporate networks, steal data, encrypt systems, and threaten public data leaks if victims do not pay. One of its most publicized incidents was the February 2021 attack on CD Projekt Red, where the operators claimed to have stolen source code for Cyberpunk 2077, Witcher 3, Gwent, and other games. The malware has also been deployed by other actors, including Vice Society, which has used preexisting ransomware strains such as HelloKitty in attacks and has disproportionately targeted the education sector. Microsoft also reported that DEV-0230 developed and deployed FiveHands and HelloKitty and often gained access through BazaLoader infrastructure.
The family has targeted both Windows and Linux environments. Reporting states that by summer 2021 the group began using a Linux variant targeting VMware ESXi, and HelloKitty is also listed among ransomware families targeting ESXi and other Linux systems. The malware can delete Volume Shadow Copies on compromised Windows hosts, including via WMI, to inhibit recovery. It can use an embedded RSA-2048 public key to encrypt victim data for ransom.
HelloKitty has been linked to exploitation-based deployment as well as hands-on intrusions. Researchers previously observed exploitation of Apache ActiveMQ CVE-2023-46604 to deploy HelloKitty ransomware in multiple customer environments. In those cases, affected organizations were running outdated ActiveMQ versions, and post-exploitation activity included attempts to load remote binaries named M2.png and M4.png via MSIExec; Rapid7 attributed the activity to HelloKitty based on the ransom note and evidence. HelloKitty has also been cited in reporting on ransomware activity targeting SonicWall SMA appliances, and SonicWall-related reporting noted prior targeting by HelloKitty ransomware.
The malware family is associated in reporting with the names DeathRansom and Fivehands, and may also be associated with Abyss Locker. Separate reporting states HelloKitty ransomware used against CD Projekt Red was reportedly built from DEATHRANSOM. In 2023, the complete source code for the first version of HelloKitty was leaked on a Russian-speaking hacking forum; researchers and Michael Gillespie assessed the leak as legitimate and matching the version used when the operation launched in 2020. The leaked archive reportedly contained a Microsoft Visual Studio solution for the encryptor and decryptor and the NTRUEncrypt library. Reporting also links the later Kraken ransomware group to remnants of the HelloKitty operation. Older FBI indicators of compromise may be outdated because the encryptor changed over time.
Ransomware.live
Operational record
Reported operators
Threat actors
4 named in public reportingThis activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.
A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.
HELLOKITTY ransomware—used to target Polish video game developer CD Projekt Red—is reportedly built from DEATHRANSOM.
Exploited software
Vulnerabilities linked to HELLOKITTY
3 CVEsMITRE ATT&CK
HELLOKITTY in ATT&CK
17 distinct techniquesTechniques
17 techniquesReporting
Research mentioning HELLOKITTY
Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice
Other members joined groups like BlackCat, Hive, AvosLocker, and HelloKitty...
It’s not personal, it’s just business
...Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.
Kraken and Zorab: New Menaces in the 2025 Ransomware Landscape
"Kraken ransomware has surfaced... linked to the remnants of the notorious HelloKitty ransomware cartel."
Kraken ransomware benchmarks systems for optimal encryption choice
“The Kraken ransomware emerged at the begining of the year as a continuation of the HelloKitty operation…”
Attackers patch 10.0 Apache ActiveMQ bug after gaining access to Linux systems
Threat actors have exploited the Apache ActiveMQ flaw for the past two years, dropping malware that ultimately spread TellYouThe Pass, RansomHub, and HelloKitty ransomware, along with the Kinsing malware, best known for targeting Linux systems to spread cryptominers.
Patching for persistence: How DripDropper Linux malware moves through the cloud | Red Canary
Security researchers have previously identified adversaries exploiting CVE-2023-46604 for malware deployment, to spread TellYouThePass, Ransomhub and HelloKitty ransomware...
Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems
"...including HelloKitty ransomware..."
'DripDropper' Hackers Patch Their Own Exploit
"Multiple threat groups have exploited the same bug previously to spread ransomware and other malware, including TellYouThePass, HelloKitty, Ransomhub, and Kinsing."