Skip to content
Ransomware group

HELLOKITTY

HelloKitty is a human-operated double-extortion ransomware family active since at least November 2020.

Profile source: Mallory opens in a new tab

HELLOKITTY

Family profile

HelloKitty is a human-operated double-extortion ransomware family active since at least November 2020. It is used to compromise corporate networks, steal data, encrypt systems, and threaten public data leaks if victims do not pay. One of its most publicized incidents was the February 2021 attack on CD Projekt Red, where the operators claimed to have stolen source code for Cyberpunk 2077, Witcher 3, Gwent, and other games. The malware has also been deployed by other actors, including Vice Society, which has used preexisting ransomware strains such as HelloKitty in attacks and has disproportionately targeted the education sector. Microsoft also reported that DEV-0230 developed and deployed FiveHands and HelloKitty and often gained access through BazaLoader infrastructure.

The family has targeted both Windows and Linux environments. Reporting states that by summer 2021 the group began using a Linux variant targeting VMware ESXi, and HelloKitty is also listed among ransomware families targeting ESXi and other Linux systems. The malware can delete Volume Shadow Copies on compromised Windows hosts, including via WMI, to inhibit recovery. It can use an embedded RSA-2048 public key to encrypt victim data for ransom.

HelloKitty has been linked to exploitation-based deployment as well as hands-on intrusions. Researchers previously observed exploitation of Apache ActiveMQ CVE-2023-46604 to deploy HelloKitty ransomware in multiple customer environments. In those cases, affected organizations were running outdated ActiveMQ versions, and post-exploitation activity included attempts to load remote binaries named M2.png and M4.png via MSIExec; Rapid7 attributed the activity to HelloKitty based on the ransom note and evidence. HelloKitty has also been cited in reporting on ransomware activity targeting SonicWall SMA appliances, and SonicWall-related reporting noted prior targeting by HelloKitty ransomware.

The malware family is associated in reporting with the names DeathRansom and Fivehands, and may also be associated with Abyss Locker. Separate reporting states HelloKitty ransomware used against CD Projekt Red was reportedly built from DEATHRANSOM. In 2023, the complete source code for the first version of HelloKitty was leaked on a Russian-speaking hacking forum; researchers and Michael Gillespie assessed the leak as legitimate and matching the version used when the operation launched in 2020. The leaked archive reportedly contained a Microsoft Visual Studio solution for the encryptor and decryptor and the NTRUEncrypt library. Reporting also links the later Kraken ransomware group to remnants of the HelloKitty operation. Older FBI indicators of compromise may be outdated because the encryptor changed over time.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

52 total
  • 50363f811d630e8e3ceb84f6f3db066e
  • 28c5c992809fecdc82509dab19c0d90a
  • db804c3f55c5d09dace40c76c99cab52
  • ba35a80338fbf197a323f6fe960bf7cb
  • e333299d9f7e4c064746e177c84bb5c8
  • 87b418a1d8eaf648b6338af20407abbb
  • bd0802f8a9a71336607d5c9241db31d9
  • 06ce6cd8bde756265f95fcf4eecadbe9
  • 7ffaaaef5bcaf94756352b1fc866ef3d
  • 3342dc0e3aac48664341cd2fed82d8f0

Reported operators

Threat actors

4 named in public reporting
Vanilla Tempest

Rather than using or developing their own locker payload, Vice Society operators have deployed third-party ransomware in their intrusions, including HelloKitty, Five Hands, and Zeppelin.

DEV-0230

This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

Gookee

A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

UNC2447

HELLOKITTY ransomware—used to target Polish video game developer CD Projekt Red—is reportedly built from DEATHRANSOM.

Exploited software

Vulnerabilities linked to HELLOKITTY

3 CVEs

MITRE ATT&CK

HELLOKITTY in ATT&CK

17 distinct techniques

Reporting

Research mentioning HELLOKITTY

Jan 17
The Hacker News

Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice

Other members joined groups like BlackCat, Hive, AvosLocker, and HelloKitty...

Nov 20
Talos Intelligence

It’s not personal, it’s just business

...Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.

Nov 14
Cyberthrone

Kraken and Zorab: New Menaces in the 2025 Ransomware Landscape

"Kraken ransomware has surfaced... linked to the remnants of the notorious HelloKitty ransomware cartel."

Nov 13
Bleeping Computer

Kraken ransomware benchmarks systems for optimal encryption choice

“The Kraken ransomware emerged at the begining of the year as a continuation of the HelloKitty operation…”

Aug 20
Scworld

Attackers patch 10.0 Apache ActiveMQ bug after gaining access to Linux systems

Threat actors have exploited the Apache ActiveMQ flaw for the past two years, dropping malware that ultimately spread TellYouThe Pass, RansomHub, and HelloKitty ransomware, along with the Kinsing malware, best known for targeting Linux systems to spread cryptominers.

Aug 19
Red Canary

Patching for persistence: How DripDropper Linux malware moves through the cloud | Red Canary

Security researchers have previously identified adversaries exploiting CVE-2023-46604 for malware deployment, to spread TellYouThePass, Ransomhub and HelloKitty ransomware...

Aug 19
The Hacker News

Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems

"...including HelloKitty ransomware..."

Aug 19
Dark Reading

'DripDropper' Hackers Patch Their Own Exploit

"Multiple threat groups have exploited the same bug previously to spread ransomware and other malware, including TellYouThePass, HelloKitty, Ransomhub, and Kinsing."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.