Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
Updated: Feb 12
Yesterday, the company behind the gaming blockbuster Cyberpunk 2077 announced that it had been hit by a ransomware attack and the hackers claimed to have stolen source code for upcoming games. The most likely culprit at this time of the known ransomware groups is a group known as HelloKitty.
Below we have taken a look at previous HelloKitty attacks, and found a trail of victims. Previous attacks include potentially dangerous code to kill applications, including Industrial Control Systems. We also found links to earlier notable ransomware attacks.
Yesterday CD Projekt Red revealed they had fallen victim to a ransomware attack:
“"An unidentified actor gained unauthorized access to our internal network, collected certain data belonging to CD PROJEKT capital group, and left a ransom note the content of which we release to the public."
They join a number of other gaming companies to have recently suffered the same fate.
The ransomware note shared by CD Projekt Red
The Emsisoft CTO has suggested this may be the work of HelloKitty ransomware. That is based on the ransomware note and rare filename, and they caveat that it's not possible to be sure without seeing the ransomware itself. We'd concur with that caution. Whilst the notes are certainly familiar (as shown below) - they are custom for most victims and not an exact match. As an anti-virus with a track record of ransomware analysis, it's likely Emsisoft has seen samples of HelloKitty that we have not and have included that in their assessment.
With those caveats in hand - we took a look at previous HelloKitty attacks below.
Most Recent Attacks
The most recent attack we’ve seen from HelloKitty targeted a UK Healthcare organisation at the end of January 2021. Below is the ransomware note, with the name of the targeted organisation redacted:
It goes without saying that it is particularly irresponsible to be deploying targeted ransomware to organisations that provide key medical services during a global pandemic.
Christmas 2020 Attacks
Attackers are well aware of the importance timing can make to the impact of their attacks. Notably, Russian attackers successfully disabled Ukranian power networks for two consecutive Christmas Eve’s. The timing both left thousands of families without power on Christmas day, and only a skeleton crew at the power company to respond.
We’re aware of at least two, and likely more, attacks that HelloKitty delivered on Christmas Day 2020. They likely had access for some time before, but chose to deploy their ransomware on Christmas day for maximum impact.
“CEMIG informs that on December 25, 2020, the SOC (security operation nucleus) detected anomalous behavior on the internal network, with characteristics of a malicious ransomware attack. The teams responsible for the correct detection of the attack and subsequent adoption of the containment measures were immediately activated.
Less than 10% of servers on the Windows / Microsoft Hyper-V platform had their content encrypted. Workstations have also been partially compromised and are in the process of being verified. It is important to highlight that, thanks to the fast and effective containment action carried out by Cemig, the operation of the electrical system and the main databases (customers, billing, customer service and business management) were not compromised, thus guaranteeing the provision of services to our clients.”
The statement about the Hyper-V platform matches the ransomware note we’ve seen linked to the attack:
The CEMIG Ransomware note
Reportedly, CEMIG had restored their system within four days.
As normal with targeted ransomware, the attackers provided a chat link for CEMIG. The conversation was captured by the site ID Ransomware (RU). Based on the conversation, we think it is unlikely that CEMIG* decided to pay the ransom:
* Other analysts have pointed out that given the payment link was made public, this may not be CEMIG communicating with Hello Kitty.
But CEMIG was not the only target at Christmas. We’ve seen another HelloKitty ransomware note from a different target that was uploaded to the site VirusTotal.com on Christmas day 2020:
The ransom note to a French IT service (we have redacted the name)
One sample of HelloKitty, compiled on 26th December 2020, contains a large list of applications to terminate:
We were disturbed to see terminated applications included Industrial Control System software such as GE Proficy and Honeywell HMIWeb. Investigating this list, it appears it is copied from the MegaCortex/Ekans/Snake ransomware.
When the MegaCortex list was first identified it generated significant concern about the impact it could have on SCADA systems. However, more day to day applications such as backup software and accounting software are also terminated. As researchers noted at the time - the attackers seem concerned with stopping any software that may limit its impact, rather than specifically targeting SCADA.
Nonetheless it is concerning to see such careless code in a sample of malware, which was compiled at the same time that a Powerplant operator was enduring their attack.
Links to Earlier Campaigns
We quickly found links to the “TechStrat” ransomware identified in October 2020. The ransomware note is named the same (“read_me_lkdtt.txt”) as many HelloKitty ransomware notes. And the note itself is very similar to the note that was deployed to CEMIG:
Decompiling the code of a sample, shows it to also be extremely similar to other HelloKitty samples. It also contains the code to kill a range of applications that was borrowed from MegaCortex.
In addition, we (and others 1, 2) spotted possible overlaps with an earlier family called "DeathRansom". A quick review is shown from Intezer’s analysis and Antivirus vendors often detecting both HelloKitty ransomware binaries and notes as DeathRansom:
If so, that may be particularly interesting given that Fortinet tracked down the DeathRansom author in an involved blog post in January 2020.
Additionally, Emsisoft caveat here:
"Some analysts may refer to HelloKitty as DeathRansom, a strain of malware that was originally only capable of renaming files. Different versions of DeathRansom were later developed that could encrypt files in various ways. However, the relationship between DeathRansom and HelloKitty is still not fully clear."
It’s clear that HelloKitty is yet another set of targeted ransomware operators that have moved to threaten their victims with impact going beyond the immediate destruction of data. If they are indeed linked to the earlier DeathRansom attacks, they have improved significantly from their initial forays into ransomware. The first version didn't even encrypt anything. We have provided some suggested mitigation strategies below.
We have included a number of mitigation strategies that Cado Security recommends both for HelloKitty and ransomware in general:
Consider utilising separate IT systems (privileged access workstations) for used by network and system administrators. For these systems, utilise additional two-factor authentication and ensure there is no direct access to the Internet.
Consider employing an “allowed list” to restrict server outbound communications to IP’s / Domains that they need access to.
Consider storing backups of key business and critical IT infrastructure systems e.g. ActiveDirectory, off of your network.
Avoid opening up RDP services to the internet, if it's required consider using an ALLOW LIST approach only, and DENY all unknown IPs by default.
Ensure you have the ability to restore to a segregated network environment.
Ensure you have tested the restore capabilities of your backups.
About Cado Security
Cado Security specialises in providing tooling and techniques that allow organisations to threat hunt and investigate cloud and container systems. If you are interested in knowing more, please don’t hesitate to reach out, our pilot program is now open.
Updates to this Blog
12th February 2021:
- Updated to add link to Emsisoft's new blog post on 12th February
- Added reference to MalwareHunterTeam saying it may not be CEMIG communicating with Hello Kitty
Indicators of Compromise
T1059 Enterprise — Command and Scripting Interpreter
T1047 Execution — Windows Management Instrumentation
T1135 Discovery — Network Share Discovery
T1082 Discovery — System Information Discovery
T1124 Discovery — System Time Discovery
T1012 Discovery — Query Registry
T1045 Defense Evasion — Software Packing
T1486 Impact— Data Encrypted for Impact
T1490 Impact — Inhibit System Recovery