HelloKitty ransomware source code becomes publicly available

January 30, 2024
HelloKitty Ransomware Source Code Threat Intelligence

An unidentified threat actor leaked the HelloKitty ransomware source code on a Russian-speaking hacking forum.

The publisher of the leaked source goes by the names ‘kapuchin0’ and ‘Gookee’ and claims to be developing a more potent encryption tool. Based on reports, kapuchin0 shared the first batch of the HelloKitty ransomware encryptor. Researchers also noted that ‘kapuchin0’ and ‘Gookee’ could be a single operator.

The threat actor named Gookee has been involved in various malicious activities over the past few months. One of the most notable incidents this actor participated in was the attempted sale of access to Sony Network Japan in 2020.

In addition, some researchers confirmed that this threat actor has connections to a Ransomware-as-a-Service operator called Gookee Ransomware. They have also attempted to sell various malware source codes on different hacker forums.


The two identities that published the HelloKitty ransomware source code could be the pioneer developers of the malicious tool.


Investigations reveal clear signs that ‘kapuchin0’ or ‘Gookee’ is the original developer of HelloKitty ransomware, since they possess the detailed source code of the malware. In addition, the publisher explained that they leaked the source because they want to develop a new product that is more dangerous than LockBit.

The exposed file, named hellokitty.zip, stores a Microsoft Visual Studio solution for creating both the HelloKitty encryptor and decryptor, along with the NTRUEncrypt library used in this version of the ransomware to encrypt files.

Ransomware experts examined the leaked archive and confirmed that it is the genuine source code for the HelloKitty ransomware as used during its initial launch a few years ago.

The HelloKitty gang is notorious for breaching corporate networks, exfiltrating data, and encrypting systems. They leverage the encrypted files and stolen information for double-extortion schemes, threatening to leak sensitive information if they do not receive the ransom.

Furthermore, HelloKitty ransomware has also operated under different aliases, such as DeathRansom, FiveHands, and possibly Abyss Locker. The FBI published a comprehensive advisory containing indicators of compromise (IOCs) to help cybersecurity professionals and system admins defend against attacks perpetrated by the ransomware group. Unfortunately, these IOCs may have become outdated because the ransomware’s encryption methods change constantly.
