HelloKitty Ransomware Lacks Stealth, But Still Strikes Home

Game studio CD Projekt Red recently disclosed that it became a victim of a targeted, highly-impactful ransomware. In the days following the disclosure, it was revealed that the ransomware family most likely behind the attack was “HelloKitty”.

HelloKitty is a ransomware family that emerged in late 2020. While it lacks the sophistication of some of the more well-known families such as Ryuk, REvil, and Conti, it has nevertheless struck some notable targets, including CEMIG0. In this post, we analyse a recent HelloKitty sample and outline the basic behaviors and traits associated with this family of ransomware.

Execution and Behavior

The “HelloKitty” name is based on internal mutex names, which are apparent upon execution.

While still somewhat unclear, current intelligence indicates that the primary delivery method of HelloKitty binaries is via phish email or via secondary infection in conjunction with other malware.

Once launched, HelloKitty will attempt to disable and terminate a number of processes and services so as to reduce interference with the encryption process. This includes processes and services associated with IIS, MSSQL, Quickbooks, Sharepoint, and more. These actions are carried out via taskkill.exe and net.exe.

In the analyzed sample, this is all done in a very non-stealthy manner. All spawned CMD windows are in the foreground and fully visible. This ‘lack of discreteness’ is atypical for modern ransomware, or any successful malware, for that matter.

A full list of processes from the analyzed sample are listed below:

dsa*
Ntrtsca
ds_moni
Notifie
TmListe
iVPAgen
CNTAoSM
IBM*
bes10*
black*
robo*
copy*
store.e
sql*
vee*
wrsa*
wrsa.ex
postg*
sage*
MSSQLServerADHelper100
MSSQL$ISARS
MSSQL$MSFW
SQLAgent$ISARS
SQLAgent$MSFW
SQLBrowser
ReportServer$ISARS
SQLWriter
WinDefend
mr2kserv
MSExchangeADTopology
MSExchangeFBA
MSExchangeIS
MSExchangeSA
ShadowProtectSvc
SPAdminV4
SPTimerV4
SPTraceV4
SPUserCodeV4
SPWriterV4
SPSearch4
IISADMIN
firebirdguardiandefaultinstance
ibmiasrw
QBCFMonitorService
QBVSS
QBPOSDBServiceV12
"IBM Domino Server(CProgramFilesIBMDominodata)"
"IBM Domino Diagnostics(CProgramFilesIBMDomino)"
"Simply Accounting Database Connection Manager"
QuickBooksDB1
QuickBooksDB2
QuickBooksDB3
QuickBooksDB4
QuickBooksDB5
QuickBooksDB6
QuickBooksDB7
QuickBooksDB8
QuickBooksDB9
QuickBooksDB10
QuickBooksDB11
QuickBooksDB12
QuickBooksDB13
QuickBooksDB14
QuickBooksDB15
QuickBooksDB16
QuickBooksDB17
QuickBooksDB18
QuickBooksDB19
QuickBooksDB20
QuickBooksDB21
QuickBooksDB22
QuickBooksDB23
QuickBooksDB24
QuickBooksDB25

Additional processes and services that are terminated are identified via PID. For example:

taskkill.exe /f /PID "8512"
taskkill.exe /f /PID "8656"

If HelloKitty is unable to stop any specific processes or services, it will leverage the Windows Restart Manager API to further assist in termination.

HelloKitty will also utilize WMI to gather system details and help identify running processes and any potentially problematic processes. This is done both by name and by PID. A number of examples are shown below:

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  caption = "store.exe")

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  caption = "wrsa.exe")

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  processid = 3036)

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  processid = 4460)

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  processid = 3052)

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  processid = 4476)

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  processid = 1560)

start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where (  processid = 8124)

start iwbemservices::exe

Encryption and Ransom Note

Encryption is initiated and completed very quickly once applicable services and processes have been terminated. Specific encryption recipes and routines can vary across variants of HelloKitty. Generally speaking, they tend to use a combination of AES-256 & RSA-2048 or even NTRU+AES-128.

Once encrypted, affected files receive the .crypted extension.

Ransom notes are typically customized to directly reference the victim and victim’s environment. Victims are instructed to visit a TOR-based payment and support portal. The following example has been sanitized:

It is also important to note that as of this writing, the onion address associated with HelloKitty ransom notes is not active.

6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion

Conclusion

HelloKitty may be easier to spot than other modern ransomware families, but upon execution it is no less dangerous. There are currently no known ‘weaknesses’ in the encryption routines, and there are no thirdy-party decrypters available for the HelloKitty ransomware. Therefore, the only true defense is prevention. While this family does not appear to be actively leaking victim data at the moment, that could change at any point, in addition to them choosing to adopt some of the more recent extortion methods that go along with ransomware (DDoS).

Actors behind the more recent campaign(s) are reportedly attempting to auction the CD Projekt data off in various ‘underground’ forums. At present this sale of this data does appear to be legitimate. Time will tell if additional victim data is dealt with in the same way.

To protect yourself against HelloKitty, make sure you are armed with a modern Endpoint Security platform, which is configured correctly and up to date. The SentinelOne Singularity Platform is fully capable of preventing and detecting all malicious behaviors associated with the HelloKitty ransomware family.

IOCs

SHA1
fadd8d7c13a18c251ded1f645ffea18a37f1c2de

SHA256
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe

MITRE ATT&CK
Data from Local System – T1005
Modify Registry – T1112
Query Registry – T1012
System Information Discovery – T1082
Data Encrypted for Impact – T1486
File Deletion – T1070.004
Command and Scripting Interpreter: Windows Command Shell – T1059.003
Windows Management Instrumentation – T1047