S0617 HELLOKITTY
HELLOKITTY is ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.[1]
Item | Value |
---|---|
ID | S0617 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 03 June 2021 |
Last Modified | 18 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1486 | Data Encrypted for Impact | HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.[1] |
enterprise | T1490 | Inhibit System Recovery | HELLOKITTY can delete volume shadow copies on compromised hosts.[1] |
enterprise | T1135 | Network Share Discovery | HELLOKITTY has the ability to enumerate network resources.[1] |
enterprise | T1057 | Process Discovery | HELLOKITTY can search for specific processes to terminate.[1] |
enterprise | T1082 | System Information Discovery | HELLOKITTY can enumerate logical drives on a target system.[1] |
enterprise | T1047 | Windows Management Instrumentation | HELLOKITTY can use WMI to delete volume shadow copies.[1] |