The U.S. Federal Bureau of Investigation (FBI) has released a flash alert containing some technical information on Hello Kitty (aka Five Hands and Death Kitty) ransomware attacks, as well as mitigations.
First observed in January 2021, the gang behind the Hello Kitty ransomware uses aggressive tactics such as double extortion to pressure victims into paying a ransom. In some cases, if the victim does not respond quickly or fails to pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public-facing website.
Earlier this year, the Hello Kitty ransomware was observed in attacks targeting the video game maker CD Projekt Red and South Africa’s state-owned ports and freight rail operator Transnet, as well as in attacks exploiting vulnerabilities in SonicWall appliances.
The threat actors demand varying ransom payments in Bitcoin tailored to each victim and, if no ransom is paid, they will publish stolen data to the Babuk site (payload.bin) or sell it to a third-party data broker, the FBI said.
To hack into the victim’s network, the group uses compromised credentials or takes advantage of known vulnerabilities in SonicWall products such as CVE-2021-20016, CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023.
“Once inside the network, the threat actor will use publicly available penetration tool suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire preloaded with publicly available tools like Bloodhound and Mimikatz to map the network and escalate privileges before exfiltration and encryption,” the alert reads.
The flash alert also provides Indicators of Compromise (IOCs) associated with Hello Kitty ransomware to help cybersecurity professionals and system administrators defend against this threat.