{"id":73496,"date":"2022-11-17T09:54:40","date_gmt":"2022-11-17T01:54:40","guid":{"rendered":"https:\/\/x-phy.com\/?p=73496"},"modified":"2025-10-10T07:09:15","modified_gmt":"2025-10-10T07:09:15","slug":"hellokitty-ransomware-prevention-with-x-phy-ssd","status":"publish","type":"post","link":"https:\/\/x-phy.com\/hellokitty-ransomware-prevention-with-x-phy-ssd\/","title":{"rendered":"HelloKitty Ransomware Prevention with X-PHY SSD"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The HelloKitty ransomware (aka FiveHands), has its earliest traces from November 2020, discovered by FBI in January 2021, and has potential ties with the DeathRansom. This\u00a0Ransomware<\/a>\u00a0was highly active in December 2020, targeting organizations across multiple industries and countries. The ransomware demands a bitcoin payment written in a ransom note after\u00a0encrypting files<\/a>\u00a0on a system. It too uses the trending double extortion technique of threatening data destruction and confidentiality breach, extended to DDoS attacks on public facing assets in some cases. It means that upon failure to acquire a ransom payment, the victim\u2019s data will either be published on the Babuk site payload.bin or would be sold to a third-party data broker.<\/p>

\"\"<\/p>

Attack Vectors<\/h3>

How does the HelloKitty ransomware gain access to the victims? Well, it uses a number of attack vectors like using compromised credentials and recently patched security flaws in SonicWall<\/a> products (CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). It may also use phishing emails or cause secondary infection from an initial malware attack. After initial access, HelloKitty operators use some common red team penetration tools like Cobalt Strike, Mandiant\u2019s Commando, or PowerShell Empire preloaded with tools like Bloodhound and Mimikatz. Using these for reconnaissance and data collection, they first map the network and escalate privileges before exfiltration and encryption.<\/p>

Attack Victims<\/h3>
Video Game Manufacturing – Poland<\/h5>

The most well-known attack by HelloKitty was on the systems of\u00a0CD Projekt Red<\/a>\u00a0in February 2021, that claimed to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games’ source code. It later claimed having sold the sensitive files to another threat actor. Below is the ransom note it left for CD Projekt Red on its encrypted machines:<\/p>

\"\"<\/p>

CEMIG Powerplant – Brazil<\/h5>

A Brazilian electric power company called\u00a0CEMIG<\/a>\u00a0(Companhia Energ\u00e9tica de Minas Gerais) announced falling victim to a cyber attack in December 2020. HelloKitty ransomware was involved as revealed later, and stole a huge volume of data from the company, causing suspension of the company\u2019s WhatsApp, SMS channels, and online app service.<\/p>

\"\"<\/p>

Healthcare Service – UK<\/h5>

Another HelloKitty attack targeted a UK Healthcare organisation earlier in January 2021. Below is the ransom note found on encrypted computers of the facility. The organization\u2019s name has been omitted.<\/p>

\"\"<\/p>

IT Service – France<\/h5>

Another French IT service was attacked around Christmas 2020, leaving another HelloKitty ransom note.<\/p>

\"\"<\/p>

In July 2021, the ransomware operators introduced a Linux variant for targeting VMware ESXi virtual machine platform, and its activity went up since July. Targeting enterprise virtual machines, the threat actors could encrypt multiple servers simultaneously, with a single command, saving time and effort.<\/p>

The FBI also shared an extensive collection of indicators of compromise (IOCs)<\/a>, as usually happens in case of any cyber attack chain.<\/p>

Attack Workflow<\/h3>

Once the ransomware is sent to the victim\u2019s computer via malspam campaigns, fake software updating tools, untrusted download sources, unofficial (third party) software activation tools and Trojans, the .exe file is executed on the system and the below workflow begins to unfold.<\/p>

1. Termination of processes and Windows services.<\/h5>

HelloKitty upon execution begins to terminate all processes and windows services that may interrupt its infection. These are usually associated with security, backup or accounting softwares, as well as email and database servers.<\/p>

\u00a02. Encryption of files with .KITTY or .CRYPTED file extensions.<\/h5>

On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU encryption. On Linux systems, it uses the combination AES-256 + ECDH. It appends the extension .kitty or .crypted to locked file names.<\/p>

3. Ransom note.<\/h5>

After encryption of files, it leaves a plain text ransom note on the desktop of victim machines. It addresses the victim, demands a ransom amount in BTC and gives further directions or bitcoin address. It usually contains a .onion URL that the victim can open using the Tor browser.<\/p>

4. Deletion of shadow copies.<\/h5>

After successful encryption, HelloKitty deletes shadow copies and backups of encrypted files from the affected systems. This is to make sure no data is retrieved from backups.<\/p>

HelloKitty; A Sample<\/h3>

Hundreds of Indicators of Compromise are circulating on threat forums to enable security teams to secure their assets based on signature-based detection. This means that firms reliant on IoCs may fall victim to new variants and only known IoCs can be blocked. Below is just one sample of the ransomware in SHA-256 algorithm.<\/p>

9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0<\/p>

\"\"<\/p>

This particular sample was detected as malicious by 58 out of 69 detection tools. It targets Intel 386 or later processors and compatible processors.<\/p>

Protection from HelloKitty Ransomware using X-Phy Cybersecurity SSD Protection<\/h3>

X-Phy AI-embedded cyber secure SSD is protected by all known and unknown cyber threats. It is designed to thwart all cyber attacks without signature-based detections. The SSD detects a malware or cyber attack in a matter of seconds and securely locks the device before attackers can access any data.<\/p>

Flexxon tested the HelloKitty ransomware on a X-PHY\u00ae<\/sup> SSD and a normal SSD to see the responses. In less than 5 seconds, X-PHY\u00ae<\/sup> stopped the attack dead in its tracks, locked all data keeping it untouched, and immediately notified the user via email and OTP.<\/p>

Testing with the normal SSD\/without the X-PHY<\/h3>

1<\/p>

\"\"
The HelloKitty ransomware is added to the device.<\/figcaption><\/figure>

2<\/p>

\"\"
The Hello Kitty ransomware is executed.<\/figcaption><\/figure>

3<\/p>

\"\"
After executing the HelloKitty ransomware, all the files are encrypted. The infected file names are ending with the extension .crypted.<\/figcaption><\/figure>

Testing with the X-PHY\u00ae<\/sup> SSD<\/h3>
\"\"
To protect from the ransomware attack, go to the X-PHY tool\u2019s configuration and enable the ransomware protection feature as well as the email alert.<\/figcaption><\/figure>
\"\"
After executing the Hi_Kitty_2 file, HelloKitty ransomware is detected and the X-PHY drive is locked, the device is shut down immediately to stop the ransomware\u2019s execution.<\/figcaption><\/figure>

\"\"<\/p>

To unlock X-PHY\u00ae<\/sup>, the user will have to use connected duo authentication to unlock X-PHY\u00ae<\/sup>, otherwise, it remains locked. After unlocking, X-PHY\u00ae will have recorded all events in the event log, and the user can now access data in a normal way.<\/p>

As attackers utilise more sophisticated attack techniques, it is becoming harder and harder for companies to stay ahead of the attacker\u2019s techniques and keep their data secure from cyberattacks. That\u2019s why we brought X-PHY\u00ae<\/sup> to you, it automatically detects suspicious behavior since it is highly trained with huge databases of malware to understand all possible behavior for malware.<\/p>

X-PHY\u00ae<\/sup> AI core is placed closest to your data and is highly trained to protect you from any threat that can touch your data.<\/p>

\"\"<\/p>

X-PHY\u00ae<\/sup> Response Flow<\/h3>