HelloKitty ransomware adds DDoS attacks to extortion tactics

The US Federal Bureau of Investigation (FBI) sent out a flash alert warning private sector partners that the HelloKitty ransomware gang (aka FiveHands) has added Distributed Denial of Service (DDoS) attacks to its arsenal of extortion tactics.

In a Friday notification coordinated with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI said the ransomware group would take down the official websites of its victims in DDoS attacks if they did not comply with the ransom demands.

HelloKitty is also known to steal sensitive documents from victims’ compromised servers before encrypting them. The exfiltrated files are then used as leverage to pressure victims to pay the ransom under the threat of disclosing the stolen data online at a data breach site.

“In some cases, if the victim does not respond quickly or pay the ransom, the threat authors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public website,” the FBI said.

“The Hello Kitty / FiveHands players demand variable Bitcoin (BTC) ransom payments that appear to be tailored to each victim, based on their assessed ability to pay. If no ransom is paid, the threat actors will post the victim’s data to the Babuk site (payload.bin) or sell it to a third-party data broker.”

The group's ransomware operators use several methods to breach target networks, including compromised credentials and recently patched security holes in SonicWall products (e.g. CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002).

Who is HelloKitty?

HelloKitty is a human-operated ransomware operation, active since November 2020 and first observed by the FBI in January 2021.

The gang is primarily known for breaching and encrypting CD Projekt Red's systems in February and claiming to have stolen source code for Cyberpunk 2077, Witcher 3, Gwent, and other games.

HelloKitty later claimed that someone purchased the files stolen from CD Projekt Red, although this was never confirmed.

Since at least July 2021, the ransomware gang has also been observed using a Linux variant that targets VMware’s ESXi virtual machine platform.

They are just one of many ransomware gangs targeting Linux servers after corporate targets migrated to using virtual machines for more efficient use of resources and easier device management.

By targeting their virtual machines, ransomware operators can now encrypt multiple servers simultaneously, with a single command, saving time and effort.

[Figure: HelloKitty activity, shown as HelloKitty ransomware submissions (ID Ransomware)]

Based on the submissions made by their victims on the ID Ransomware platform, HelloKitty significantly increased its activity in July and August, immediately after starting to use the Linux variant in the attacks.

HelloKitty ransomware or its variants have also been used under other names, including DeathRansom and FiveHands.

The FBI also shared a large collection of Indicators of Compromise (IOCs) in its alert to help cybersecurity professionals and system administrators guard against coordinated attack attempts by the HelloKitty ransomware gang.

About Jon Moses
