HelloKitty is a human-operated double-extortion ransomware family active since at least November 2020. It is used to compromise corporate networks, steal data, encrypt systems, and threaten public data leaks if victims do not pay. One of its most publicized incidents was the February 2021 attack on CD Projekt Red, where the operators claimed to have stolen source code for Cyberpunk 2077, Witcher 3, Gwent, and other games. The malware has also been deployed by other actors, including Vice Society, which has used preexisting ransomware strains such as HelloKitty in attacks and has disproportionately targeted the education sector. Microsoft also reported that DEV-0230 developed and deployed FiveHands and HelloKitty and often gained access through BazaLoader infrastructure.
The family has targeted both Windows and Linux environments. Reporting states that by summer 2021 the group began using a Linux variant targeting VMware ESXi, and HelloKitty is also listed among ransomware families targeting ESXi and other Linux systems. The malware can delete Volume Shadow Copies on compromised Windows hosts, including via WMI, to inhibit recovery. It can use an embedded RSA-2048 public key to encrypt victim data for ransom.
HelloKitty has been linked to exploitation-based deployment as well as hands-on intrusions. Researchers previously observed exploitation of Apache ActiveMQ CVE-2023-46604 to deploy HelloKitty ransomware in multiple customer environments. In those cases, affected organizations were running outdated ActiveMQ versions, and post-exploitation activity included attempts to load remote binaries named M2.png and M4.png via MSIExec; Rapid7 attributed the activity to HelloKitty based on the ransom note and evidence. HelloKitty has also been cited in reporting on ransomware activity targeting SonicWall SMA appliances, and SonicWall-related reporting noted prior targeting by HelloKitty ransomware.
The malware family is associated in reporting with the names DeathRansom and Fivehands, and may also be associated with Abyss Locker. Separate reporting states HelloKitty ransomware used against CD Projekt Red was reportedly built from DEATHRANSOM. In 2023, the complete source code for the first version of HelloKitty was leaked on a Russian-speaking hacking forum; researchers and Michael Gillespie assessed the leak as legitimate and matching the version used when the operation launched in 2020. The leaked archive reportedly contained a Microsoft Visual Studio solution for the encryptor and decryptor and the NTRUEncrypt library. Reporting also links the later Kraken ransomware group to remnants of the HelloKitty operation. Older FBI indicators of compromise may be outdated because the encryptor changed over time.