HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.[1]

ID: S0617
Platforms: Windows
Version: 1.0
Created: 03 June 2021
Last Modified: 18 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.[1]

Enterprise T1490 Inhibit System Recovery

HELLOKITTY can delete volume shadow copies on compromised hosts.[1]

Enterprise T1135 Network Share Discovery

HELLOKITTY has the ability to enumerate network resources.[1]

Enterprise T1057 Process Discovery

HELLOKITTY can search for specific processes to terminate.[1]

Enterprise T1082 System Information Discovery

HELLOKITTY can enumerate logical drives on a target system.[1]

Enterprise T1047 Windows Management Instrumentation

HELLOKITTY can use WMI to delete volume shadow copies.[1]