Cybersecurity experts have detected a concerning revival of the HelloKitty ransomware, with new variants actively targeting Windows, Linux, and ESXi environments simultaneously. First observed in October 2020, HelloKitty has evolved from its origins as a DeathRansom ransomware fork, expanding its targeting capabilities and refining its attack techniques.

Unlike many ransomware families that prominently display their branding, HelloKitty customizes ransom notes to directly address victims by name, creating a more personalized extortion approach. Security researchers have identified at least 11 new HelloKitty samples in circulation since September 2024, indicating a significant operational resurgence.

THE RAVEN FILE researchers identified that the latest HelloKitty variants display an unusual pattern of geographic dispersion, with many samples initially uploaded from Chinese IP addresses despite previous attribution suggestions linking the operation to Ukraine. According to their comprehensive year-long research project analyzing HelloKitty samples, the malware has undergone significant technical modifications while maintaining its distinctive encryption approach.

The ransomware has demonstrated persistence across multiple years, with evidence of three distinct operational batches: the original 2020 deployment, a Christmas 2020 batch that shared characteristics with FiveHands ransomware, and the newest 2024 variants that show enhanced capabilities.

The revamped ransomware maintains its core functionality of encrypting victim files and appending extensions such as “CRYPTED,” “CRYPT,” or “KITTY” to compromised data. On Windows systems, it implements a combination of AES-128 and NTRU encryption, while Linux environments face AES-256 paired with ECDH cryptography.

The encryption process begins when HelloKitty embeds an RSA-2048 public key that serves dual purposes: it becomes the victim identifier (after SHA256 hashing) within the ransom note and functions as the encryption key for each file’s symmetric key. HelloKitty generates a 32-byte seed value derived from the CPU timestamp, then produces a Salsa20 key to encrypt a second 32-byte seed. After encrypting each file, HelloKitty appends metadata including the original file size, a magic value of “DE C0 AD BA,” and the AES key (encrypted with the RSA public key). The process concludes by adding four magic bytes “DA DC CC AB” to the encrypted file’s end, serving as a signature for files processed by the ransomware.

Most recently, security analysts detected potential new variants in February 2025, suggesting ongoing development efforts even as older command and control infrastructure has disappeared from the dark web.
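The file-format details above (the appended extensions, the “DE C0 AD BA” metadata magic, the RSA-wrapped AES key, and the trailing “DA DC CC AB” bytes) are what an incident responder uses to confirm which files a HelloKitty run touched. The following triage helper is an added example, not code from the article or from The Raven File. It assumes a trailer layout the article only partially describes: the field order, an 8-byte little-endian original-size field and a 256-byte RSA-2048 key blob are assumptions, and both magic values are read as byte sequences in the order the article prints them. The sample file it parses is constructed inline.

```python
"""Triage helper for files suspected to be HelloKitty-encrypted (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from pathlib import PurePath
from typing import Optional

# Values the article reports for the new variants.
RANSOM_EXTENSIONS = {".crypted", ".crypt", ".kitty"}
METADATA_MAGIC = bytes.fromhex("DEC0ADBA")   # "DE C0 AD BA", assumed byte order as printed
TRAILER_MAGIC = bytes.fromhex("DADCCCAB")    # "DA DC CC AB", appended at the very end

# Assumed layout of the appended metadata (the article gives no field order or sizes).
SIZE_FIELD_LEN = 8      # assumed: original file size as little-endian uint64
WRAPPED_KEY_LEN = 256   # assumed: one RSA-2048 block holding the per-file AES key
TRAILER_LEN = SIZE_FIELD_LEN + len(METADATA_MAGIC) + WRAPPED_KEY_LEN + len(TRAILER_MAGIC)


@dataclass
class Trailer:
    original_size: int     # size of the plaintext before encryption
    wrapped_key: bytes     # AES key encrypted with the embedded RSA public key
    ciphertext_len: int    # bytes preceding the trailer


def has_ransom_extension(path: str) -> bool:
    """True if the file carries one of the extensions the article lists."""
    return PurePath(path).suffix.lower() in RANSOM_EXTENSIONS


def parse_trailer(blob: bytes) -> Optional[Trailer]:
    """Parse the assumed trailer; require BOTH magic values to limit false positives."""
    if len(blob) < TRAILER_LEN or not blob.endswith(TRAILER_MAGIC):
        return None
    trailer = blob[-TRAILER_LEN:]
    size_raw = trailer[:SIZE_FIELD_LEN]
    magic_start = SIZE_FIELD_LEN
    magic = trailer[magic_start:magic_start + len(METADATA_MAGIC)]
    if magic != METADATA_MAGIC:
        return None
    key_start = magic_start + len(METADATA_MAGIC)
    wrapped_key = trailer[key_start:key_start + WRAPPED_KEY_LEN]
    (original_size,) = struct.unpack("<Q", size_raw)
    return Trailer(original_size=original_size,
                   wrapped_key=wrapped_key,
                   ciphertext_len=len(blob) - TRAILER_LEN)


def victim_id(rsa_public_key: bytes) -> str:
    """SHA-256 of the embedded RSA public key, which the article says is the victim ID in the note."""
    return hashlib.sha256(rsa_public_key).hexdigest()


def build_sample(ciphertext: bytes, original_size: int, wrapped_key: bytes) -> bytes:
    """Constructed sample in the assumed layout, used only to exercise the parser offline."""
    if len(wrapped_key) != WRAPPED_KEY_LEN:
        raise ValueError("wrapped key must be %d bytes" % WRAPPED_KEY_LEN)
    return (ciphertext + struct.pack("<Q", original_size)
            + METADATA_MAGIC + wrapped_key + TRAILER_MAGIC)


def triage(path: str, blob: bytes) -> dict:
    """Combine the weak signal (extension) with the stronger one (trailer structure)."""
    t = parse_trailer(blob)
    return {
        "path": path,
        "extension_match": has_ransom_extension(path),
        "trailer_match": t is not None,
        "original_size": t.original_size if t else None,
    }


if __name__ == "__main__":
    # Constructed input: 40 bytes of fake ciphertext, a 37-byte original, a dummy key blob.
    sample = build_sample(b"\x00" * 40, 37, bytes(range(256)))
    print(triage("report.docx.crypted", sample))
    print(triage("report.docx", b"plain text, no trailer"))
```

The extension check alone is a weak indicator (renamed files produce false positives, and a 4-byte tail can occur by chance), so `parse_trailer` insists on both magic values at their expected offsets before reporting a match. The `original_size` field, if the assumed layout holds, tells a responder how much plaintext to expect once a key becomes available.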
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 13 Apr 2025 13:10:13 +0000