Pierluigi Paganini November 01, 2021

The US FBI has published a flash alert warning private organizations of the evolution of the HelloKitty ransomware (aka FiveHands).

The U.S. Federal Bureau of Investigation (FBI) has sent out a flash alert warning private industry of a new feature of the HelloKitty ransomware gang (aka FiveHands).

According to the alert, the ransomware gang is launching distributed denial-of-service (DDoS) attacks as part of its extortion activities.

“Hello Kitty/FiveHands actors aggressively apply pressure to victims typically using the double extortion technique. In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public facing website.” reads the flash alert.

The ransomware gang targets their victims’ websites with DDoS attacks if they refuse to pay the ransom. The HelloKitty ransomware group, like other ransomware gangs, implements a double extortion model, stealing sensitive documents from victims before encrypting them. Then the threat actors threaten to leak the stolen data to force the victim into paying the ransom.

The HelloKitty/FiveHands gang is known to demand varying ransom payments in Bitcoin (BTC) that are commensurate with the economic capabilities of the victims.

The group’s operators use several techniques to breach the targets’ networks, such as exploiting SonicWall flaws (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002) or using compromised credentials.

“Once inside the network, the threat actor will use publicly available penetration tool suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire preloaded with publicly available tools like Bloodhound and Mimikatz to map the network and escalate privileges before exfiltration and encryption.” continues the alert.

The HelloKitty ransomware operators have been active since November 2020, since July, they are using a Linux variant of their malware to target VMware ESXi virtual machine platform.

The alert published by the FBI also includes a collection of indicators of compromise (IOCs) to help organizations to prevent HelloKitty infections.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]