HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
HelloKitty is one of the recent ransomware samples used to compromise CD Projekt Red and Cyberpunk. The name HelloKitty comes from the group that attacked CD Projekt Red and Cyberpunk 2077 on February 9, 2021. CD Projekt Red is a video game development studio behind Cyberpunk 2077 and The Witcher trilogy. It disclosed a ransomware incident that impacted its internal network and a large group of critical assets including the source code of its popular games.
"An unidentified actor gained unauthorized access to our internal network, collected certain data belonging to CD Projekt capital group, and left a ransom note the content of which we release to the public. Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data," the company said in a statement it released.
Become a certified reverse engineer!
Figure 1: Official statement from CD Projekt Red on Twitter.
An overview of the HelloKitty ransomware
HelloKitty ransomware has been observed since November 2020 and targeted other large companies around the world, including the Brazilian power company CEMIG and a French IT service firm as well.
Figure 2: Ransomware notes dropped by HelloKitty ransomware.
By analyzing the HelloKitty sample, we can see that the timestamp and creation date suggests it was compiled in November 2020 and the export table updated on February 6, 2021, three days before the CD Projekt Red incident.
Figure 3: Timestamp of EAT and binary compilation.
The malware uses crypto calls from ADVAPI32.dll to encrypt the victims’ files and also deletes all the files available in the trash (SHEmptyRecycleBinA).
Digging into the details of HelloKitty
The name HelloKitty comes from its mutex name called “HelloKittyMutex” created when the malware is executed. Figure 4 below shows the blocks of code responsible for creating the mutex: ds: CreateMutexW.
Figure 4: HelloKittyMutex created when the ransomware is executed.
Curiously, the ransomware opens a shell terminal exhibiting the output while it is executed. This is not a common behavior observed in many pieces of ransomware, but that can help to identify samples of this particular family of threats.
Figure 5: Output of the ransomware activity presented during run-time.
First, HelloKitty searches for files inside the system folder tree and then encrypts all the files adding a new extension: .crypted. Also, a ransom note file dubbed “read_me_lkdtt.txt” file is dropped into every folder it accesses.
Figure 6: File encryption and ransomware note. HelloKitty ransomware.
Additionally, HelloKitty repeatedly runs taskkill.exe to terminate processes associated with security software, email servers, database servers, backup software and accounting software. some commands are presented below.
Figure 7: Part of the services stopped by HelloKitty ransomware.
During the encryption process, if the ransomware finds locked files, it then encrypts those files using the Windows Restart Manager API to instantly terminate processes or Windows services that are in use by other applications.
The ransom note is customized, including the volume of compromised and exfiltrated data, and also the name of the target firm. This is a clear indicator that criminals navigate for days through the internal infrastructure, compromising a lot of systems, and finally deploying the ransomware to terminate the kill chain.
Figure 8: Ransomware note with instructions and onion link.
Finally, the criminals are waiting for a contact from the victim’s side in a chat available over the TOR network. This is a normal behavior used for recent ransomware groups such as Ragnar Locker.
Figure 9: HelloKitty chat available over the Tor network.
Become a certified reverse engineer!
Dealing with HelloKitty
Criminals compromise victims’ networks and exfiltrate confidential documents while moving laterally in the infrastructure. Once the domain controller (DC) is compromised, crooks spread the ransomware throughout the infrastructure to end the infection chain and thus damage all devices upon the active directory and other valuable assets available on the network.
In this sense, monitoring the use of endpoint security solutions, updated antivirus and the increasing use of canary files are some mechanisms that could prevent the dissemination of these kinds of threats through a corporative network.
Sources:
HelloKitty ransomware, Computer Weekly
Ragar Locker, Segurança Informática
Ransomware deletion methods, Infosec Institute
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis