HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.^[1]

ID: S0617

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 03 June 2021

Last Modified: 18 October 2021

Techniques Used

Domain	ID	Name	Use
Enterprise	T1486	Data Encrypted for Impact	HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.^[1]
Enterprise	T1490	Inhibit System Recovery	HELLOKITTY can delete volume shadow copies on compromised hosts.^[1]
Enterprise	T1135	Network Share Discovery	HELLOKITTY has the ability to enumerate network resources.^[1]
Enterprise	T1057	Process Discovery	HELLOKITTY can search for specific processes to terminate.^[1]
Enterprise	T1082	System Information Discovery	HELLOKITTY can enumerate logical drives on a target system.^[1]
Enterprise	T1047	Windows Management Instrumentation	HELLOKITTY can use WMI to delete volume shadow copies.^[1]

References

McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.

HELLOKITTY

Enterprise Layer

Techniques Used

References