FBI warns private firms about DDoS attack being added to HelloKitty Ransomware’s arsenal of tactics 

November 25, 2021

The US Federal Bureau of Investigation (FBI) has issued a flash alert warning private industry that the HelloKitty ransomware gang, also known as FiveHands, has added DDoS attacks to its collection of extortion tactics. The alert stresses that the threat actors will knock a victim's website offline if the ransom demand is not paid.

Before encrypting a victim's systems, the HelloKitty operators also exfiltrate confidential files from the compromised servers. The stolen files are then used as leverage: the gang threatens to leak them on the dark web or sell them to a third-party data broker unless the ransom is paid.

If a victim does not respond promptly to the ransom demand, the threat actors launch a DDoS attack against the victim's public-facing website.

The ransom amounts HelloKitty demands vary with the victim's perceived ability to pay, and payment is requested in Bitcoin. For initial access the group uses several methods, including compromised credentials and known, already-patched vulnerabilities in SonicWall products, which continue to work against unpatched appliances.

The HelloKitty ransomware group has been active in the cybercrime landscape since November 2020, and the FBI first observed it in January 2021. The group is best known for the February 2021 data breach and encryption attack on CD Projekt Red, in which it claimed to have stolen the source code of The Witcher 3, Cyberpunk 2077 and other games. The group later claimed that the stolen CD Projekt Red files had been sold, but that claim was never verified.

Meanwhile, the HelloKitty group has also been observed using a Linux variant of its ransomware that targets VMware's ESXi hypervisor platform. Many ransomware groups have turned to Linux servers as enterprises have moved their workloads onto virtual machines.

Targeting the hypervisor host rather than the individual guests lets a ransomware group encrypt every virtual machine hosted on that server in one operation, saving the attackers considerable time and effort. Victim submissions to the ID Ransomware platform show a significant surge in HelloKitty activity in July and August 2021, after the Linux variant came into use.

Variants of the HelloKitty ransomware have also been distributed under other names, including FiveHands and DeathRansom.
