FBI’s investigation accidentally revealed the HelloKitty ransomware gang operates out of Ukraine

While investigating a data breach suffered by a healthcare organization, FBI accidentally revealed that it believes that the HelloKitty ransomware gang operates out of Ukraine.

The investigation conducted by FBI on a recent data breach suffered by an Oregon healthcare organization lead to the accidental revelation that the FBI believes that the HelloKitty ransomware gang (Five Hands) operates out of Ukraine.

“Oregon Anesthesiology Group, P.C. (OAG) experienced a cyberattack on July 11, after which we were briefly locked out of our servers.” reads the notice of data breach published by the Oregon Anesthesiology Group. “On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network.”

The HelloKitty gang has been active since January 2021 and it is still active. In November, the US FBI has published a flash alert warning private organizations of the evolution of the HelloKitty ransomware (aka FiveHands). According to the alert, the ransomware gang is launching distributed denial-of-service (DDoS) attacks as part of its extortion activities.

The ransomware gang targets their victims’ websites with DDoS attacks if they refuse to pay the ransom. The HelloKitty ransomware group, like other ransomware gangs, implements a double extortion model, stealing sensitive documents from victims before encrypting them. Then the threat actors threaten to leak the stolen data to force the victim into paying the ransom.

The HelloKitty/FiveHands gang is known to demand varying ransom payments in Bitcoin (BTC) that are commensurate with the economic capabilities of the victims.

The group’s operators use several techniques to breach the targets’ networks, such as exploiting SonicWall flaws (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002) or using compromised credentials.

In May, US CISA also published an analysis report (AR21-126A) on the FiveHands ransomware, anyway US authorities never disclosed the possible location of the gang.

The accidental revelation can now suggest the gang temporarily suspend its operations moving its activities to another country where local police will be more indulgent.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, HelloKitty ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]