Cybersecurity experts have detected a concerning revival of the HelloKitty ransomware, with new variants actively targeting Windows, Linux, and ESXi environments simultaneously.
First observed in October 2020, HelloKitty has evolved from its origins as a DeathRansom ransomware fork, expanding its targeting capabilities and refining its attack techniques.
Security researchers have identified at least 11 new HelloKitty samples in circulation since September 2024, indicating a significant operational resurgence.
The revamped ransomware maintains its core functionality of encrypting victim files and appending extensions such as “CRYPTED,” “CRYPT,” or “KITTY” to compromised data.
Unlike many ransomware families that prominently display their branding, HelloKitty customizes ransom notes to directly address victims by name, creating a more personalized extortion approach.
The ransomware is written in Visual C++ and is frequently packed with UPX to compress the executable and complicate reverse engineering.
THE RAVEN FILE researchers identified that the latest HelloKitty variants show an unusual geographic pattern: many samples were first uploaded from Chinese IP addresses, even though earlier attribution had linked the operation to Ukraine.
According to their comprehensive year-long research project analyzing HelloKitty samples, the malware has undergone significant technical modifications while maintaining its distinctive encryption approach.
The ransomware has demonstrated persistence across multiple years, with evidence of three distinct operational batches: the original 2020 deployment, a Christmas 2020 batch that shared characteristics with FiveHands ransomware, and the newest 2024 variants that show enhanced capabilities.
While earlier campaigns primarily targeted gaming companies, healthcare services, and power generation facilities, the latest campaign appears to be casting a wider net across sectors.
Despite periods of dormancy, HelloKitty consistently returns with technical improvements.
Most recently, security analysts detected potential new variants in February 2025, suggesting ongoing development efforts even as older command and control infrastructure has disappeared from the dark web.
Sophisticated Encryption Mechanisms
HelloKitty’s encryption process represents one of its most technically advanced features, employing different approaches depending on the target environment.
On Windows systems, it implements a combination of AES-128 and NTRU encryption, while Linux environments face AES-256 paired with ECDH cryptography.
The encryption process begins with an RSA-2048 public key embedded in HelloKitty, which serves two purposes: its SHA256 hash becomes the victim identifier shown in the ransom note, and the key itself is used to encrypt each file's symmetric key.
HelloKitty generates a 32-byte seed value derived from the CPU timestamp, then produces a Salsa20 key to encrypt a second 32-byte seed.
These values undergo XOR operations to create the final 32-byte key that drives AES file encryption.
// Simplified representation of HelloKitty's key generation process
seed1 = GenerateFromCPUTimestamp(32); // 32-byte timestamp-based seed
seed2 = GenerateRandomBytes(32); // Second 32-byte seed
salsa20_key = DeriveSalsa20Key(seed1);
encrypted_seed2 = Salsa20Encrypt(seed2, salsa20_key);
final_key = XOR(seed1, encrypted_seed2); // Final AES encryption key
After encrypting each file, HelloKitty appends metadata including the original file size, a magic value of “DE C0 AD BA,” and the AES key (encrypted with the RSA public key).
The process concludes by adding four magic bytes “DA DC CC AB” to the encrypted file’s end, serving as a signature for files processed by the ransomware.
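The two magic values and the appended extensions give responders something concrete to sweep for. The following triage scanner is an added example, not code from the article or from THE RAVEN FILE: it reads only the tail of each file, checks for the trailing "DA DC CC AB" signature, looks for the "DE C0 AD BA" metadata magic in that tail, and weighs the renamed extension as a weak supporting indicator. The assumption that the appended metadata sits within the last 4 KiB, and the layout of the constructed sample file, are the author's own and are marked as such.

```python
# Added triage example (not from the article or any vendor tooling). Only the two
# magic values and the extension list come from the article; layout assumptions are
# marked in comments.
import os
from pathlib import Path

TRAILER_MAGIC = bytes.fromhex("DADCCCAB")    # "DA DC CC AB" appended to the file end
METADATA_MAGIC = bytes.fromhex("DEC0ADBA")   # "DE C0 AD BA" inside the appended metadata
SUSPECT_EXTENSIONS = {".crypted", ".crypt", ".kitty"}
TAIL_BYTES = 4096  # assumption: appended metadata sits within the last 4 KiB


def classify_tail(tail: bytes, filename: str) -> dict:
    """Score the tail of a file against the HelloKitty on-disk indicators.

    tail is the last TAIL_BYTES of the file (or the whole file if it is smaller).
    """
    has_trailer = tail.endswith(TRAILER_MAGIC)
    has_metadata_magic = tail.rfind(METADATA_MAGIC) != -1
    ext_hit = Path(filename).suffix.lower() in SUSPECT_EXTENSIONS
    indicators = [name for name, hit in (
        ("trailer_magic", has_trailer),
        ("metadata_magic", has_metadata_magic),
        ("suspect_extension", ext_hit),
    ) if hit]
    return {
        "file": filename,
        "indicators": indicators,
        # The trailer signature is the strongest single indicator; a renamed
        # extension on its own is weak, since any tool can rename a file.
        "likely_hellokitty": has_trailer and (has_metadata_magic or ext_hit),
    }


def read_tail(path: str, n: int = TAIL_BYTES) -> bytes:
    """Read only the last n bytes so large files are cheap to check."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - n))
        return fh.read()


def scan_directory(root: str) -> list:
    """Walk root and return the classification of every file that raised an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                result = classify_tail(read_tail(full), name)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if result["indicators"]:
                result["file"] = full
                hits.append(result)
    return hits


def build_constructed_sample() -> bytes:
    """Constructed sample, NOT a real encrypted file: filler bytes, an assumed
    metadata block carrying the metadata magic, then the trailer magic."""
    filler = bytes([(i * 7) & 0xFF for i in range(256)])
    metadata = (1024).to_bytes(8, "little") + METADATA_MAGIC + b"\x00" * 256  # assumed layout
    return filler + metadata + TRAILER_MAGIC


if __name__ == "__main__":
    print(classify_tail(build_constructed_sample(), "report.docx.crypted"))
    print(classify_tail(b"plain text document", "report.docx"))
```

Run `scan_directory("/path/to/share")` over a suspect file share to get a list of flagged files with the indicators each one raised; treat a trailer-magic hit as the trigger for isolating the host and collecting the ransom note, since the extension alone produces false positives.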