A threat actor has leaked the full source code of the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.
The leak was first spotted by cybersecurity researcher 3xp0rt, who saw a threat actor named ‘kapuchin0’ releasing the “first branch” of the HelloKitty ransomware encryptor.
While the source code was posted by someone named ‘kapuchin0’, 3xp0rt told BleepingComputer that the threat actor also goes by the alias ‘Gookee’.
A threat actor called Gookee has previously been associated with malware and hacking activity, including trying to sell access to Sony Network Japan in 2020, being linked to a ransomware-as-a-service operation called ‘Gookee Ransomware’, and attempting to sell malware source code on a hacker forum.
3xp0rt believes that kapuchin0/Gookee is the developer of the HelloKitty ransomware, who now says: “We are preparing a new and much more interesting product than Lockbit.”
The released hellokitty.zip file contains a Microsoft Visual Studio solution that builds the HelloKitty encryptor and decryptor, along with the NTRUEncrypt library that this version of the ransomware uses to encrypt files.
Ransomware expert Michael Gillespie confirmed to BleepingComputer that this is the legitimate HelloKitty source code used when the ransomware operation first launched in 2020.
While publishing ransomware source code can be useful for security research, making this code publicly available has its drawbacks.
As we saw when HiddenTear was released (for “educational purposes”) and when the Babuk ransomware source code was leaked, threat actors quickly used the code to launch their own extortion operations.
To this day, more than nine ransomware operations continue to use Babuk’s source code as the basis for their own encryptors.
Who is HelloKitty?
HelloKitty is a human-operated ransomware operation active since November 2020, when a victim first posted about it on the BleepingComputer forums; the FBI subsequently issued a PIN (Private Industry Notification) about the group in January 2021.
The gang is known for breaching corporate networks, stealing data, and encrypting systems. The encrypted files and stolen data are then used as leverage in double-extortion schemes, where the actors threaten to leak the data if the ransom is not paid.
HelloKitty is known for numerous attacks and has been used by other ransomware operations, but its most publicized attack was on CD Projekt Red in February 2021.
During this attack, the threat actors claimed to have stolen the source code for Cyberpunk 2077, The Witcher 3, Gwent, and other games, which they later claimed to have sold.
In summer 2021, the ransomware group began using a Linux variant targeting the VMware ESXi virtual machine platform.
The HelloKitty ransomware or its variants have also been used under other names, including DeathRansom, Fivehands, and possibly Abyss Locker.
The FBI shared an extensive collection of indicators of compromise (IOCs) in its 2021 advisory to help cybersecurity professionals and system administrators defend against attacks carried out by the HelloKitty ransomware gang.
However, as the encryptor has been modified over time, these IOCs have likely become obsolete. File-hash IOCs in particular stop matching as soon as the encryptor is rebuilt, so defenders should treat the advisory’s hashes as historical and rely on behavioral detections and up-to-date indicators instead.