HelloKitty ransomware encrypts user data AES-256 + RSA-2048 or AES-128 + NTRU and give a special onion domain link, instead of an email, to the user to contact for ransom negotiations. HelloKitty Ransomware is not as sophisticated as more well-known families such as Ryuk and REvil but upon execution, it is equally lethal. HelloKitty will attempt to disable and terminate a number of processes and services so as to reduce interference with the encryption process. This includes processes and services associated with IIS, MSSQL, Quickbooks, Sharepoint, and more. These actions are carried out via taskkill.exe and net.exe. This is all done in a very non-stealthy manner. All spawned CMD windows are in the foreground and fully visible. This 'lack of discreteness' is not usual for modern ransomware. Yet it is able to compromise CEMIG a power company and CD PROJEKT RED Gaming Studio.
Update: HelloKitty Ransomware Linux Variant is detected in the wild.
HelloKitty Ransomware Signatures
Family: Ransom.HelloKitty
MD5: 136bd70f7aa98f52861879d7dca03cf2
SHA256: 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe
HelloKitty Ransomware Download
