An attacker leaked the entire source code of the first version of the HelloKitty ransomware on a Russian-language hacker forum, claiming to have developed a new, stronger encryptor.

Leak first discovered Cybersecurity researcher 3xp0rt found that a threat actor named ‘kapuchin0’ had released the “first branch” of the HelloKitty encryptor. Although the source code has been made public by someone named ‘kapuchin0’, 3xp0rt told BleepingComputer that the threat also used the pseudonym Gookee.

An attacker named Gookee has previously been associated with malware and hacking, attempting to sell access to Sony Network Japan in 2020, was associated with a Ransomware-as-a-Service operation called “Gookee Ransomware” and attempted to sell the malware’s source code. on a hacker forum.

“We are preparing a new product that is much more interesting than Lockbit,” says 3xp0rt, who believes kapuchin0/Gookee is the developer of the HelloKitty ransomware.

The released hellokitty.zip archive contains the Microsoft Visual Studio solution that created the HelloKitty encrypter and decryptor and the NTRUEncrypt library that this version of the ransomware uses to encrypt files.

Ransomware expert Michael Gillespie confirmed to BleepingComputer that this was the legitimate HelloKitty source code used when the ransomware operation was first launched in 2020.

Releasing the source code of ransomware can be useful for security research, but making this code publicly available has its drawbacks. As we saw when HiddenTear was released (“for educational reasons”) and once the source code for the Babuk ransomware was released, attackers quickly used it to launch their own extortion operations.

To date, more than nine ransomware programs continue to use Babuk’s source code as the basis of their own encryptors.

Who is HelloKitty?

HelloKity is a human-driven ransomware that has been active since November 2020, when a victim posted on the BleepingComputer forum and the FBI later issued the PIN (Industry Special Notice) for the group in January 2021.

The gang is known for hacking corporate networks and stealing data and encryption systems. The encrypted files and stolen data are then used as leverage in double blackmail machines, where attackers threaten to leak data unless a ransom is paid.

HelloKitty is known for numerous attacks and has also been used in other ransomware operations, but the most publicized attack was the attack on CD Projekt Red in February 2021.

The attackers claimed that in this attack, they stole the source codes of Cyberpunk 2077, Witcher 3, Gwent and other games they claimed were sold.

In the summer of 2021, a ransomware group began using a Linux variant targeting the VMware ESXi virtual machine platform. HelloKitty ransomware or variants of it have also been used under other names, such as DeathRansom, Fivehands, and possibly Abyss Locker.

The FBI shared a broad collection of indicators of compromise (IOC) in its 2021 advisory to help cybersecurity professionals and system administrators defend against attack attempts coordinated by the HelloKitty ransomware group. However, since the password changes over time, these IOCs are likely to become outdated. Source