
HelloKitty Ransomware Renames to 'HelloGookie,' Unveils CD Projekt and Cisco Data


The operator behind the HelloKitty ransomware has rebranded it as 'HelloGookie' and released passwords for previously leaked CD Projekt source code, Cisco network data, and decryption keys from earlier attacks.

Identified as 'Gookee/kapuchin0,' the threat actor claims to be the original creator of the now-defunct HelloKitty ransomware and timed the rebranding to coincide with the launch of a new dark web portal for HelloGookie. To mark the occasion, four private decryption keys were disclosed, enabling the recovery of files from previous attacks, alongside internal data stolen from Cisco in 2022 and passwords for the leaked CD Projekt source code.

Developers have already made use of the leaked Witcher 3 source code, sharing screenshots and videos of development builds. The leaked code includes binaries that launch a developer build of Witcher 3, and efforts are underway to compile the game from source.

HelloKitty, initially launched in November 2020, garnered attention for targeting corporate networks, encrypting systems, and stealing data. Notably, the ransomware group breached CD Projekt Red in February 2021, encrypting servers and pilfering source code, including for Witcher 3.

In 2022, Yanluowang's data leak site was allegedly hacked, revealing conversations linking the group closely to the HelloKitty developer. Gookee/kapuchin0 subsequently leaked the HelloKitty builder and source code, signaling the end of operations. However, rebranded as HelloGookie, the threat actor has not disclosed new victims or evidence of recent attacks but released stolen data from prior breaches.

The leaked data includes NTLM hashes from Cisco's breach, indicating a closer relationship between HelloGookie and Yanluowang. Cisco acknowledged the incident, referring to a 2022 blog post by Cisco Talos detailing the security breach.

The future success and notoriety of HelloGookie remain uncertain, contrasting with the operational achievements of HelloKitty.

Threat Actor Releases HelloKitty Ransomware Source Code on Hacking Forum

A threat actor recently posted the entire source code for the first version of the HelloKitty ransomware on a Russian-language hacking forum, while claiming to be working on a new, more potent encryptor.

Security expert 3xp0rt initially noticed the leak when he saw threat actor kapuchin0 distributing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released by someone with the username kapuchin0, the threat actor was also seen using the alias 'Gookee.'

Gookee has previously been linked by security researchers to malware and hacking activity, including an attempt to acquire access to Sony Network Japan in 2020. That activity was tied to a Ransomware-as-a-Service (RaaS) operation dubbed 'Gookee Ransomware,' whose malware source code was put up for sale on an underground forum.

According to 3xp0rt, kapuchin0/Gookee is the developer of the HelloKitty ransomware, who claims to be developing "a new product and much more interesting than Lockbit."

The leaked hellokitty.zip archive includes the HelloKitty encryptor and decryptor, as well as the NTRUEncrypt library that this variant of the ransomware uses to encrypt files; all are built from a Microsoft Visual Studio solution.

Furthermore, ransomware expert Michael Gillespie confirms that the leaked code is in fact the real source code for HelloKitty, used when the ransomware operation first launched in 2020.

What is HelloKitty Ransomware Operation?

HelloKitty is a human-operated ransomware operation that first came to light in November 2020 after its victims posted about it on the BleepingComputer forums. The FBI later released a PIN (private industry notification) on the group in January 2021.

The ransomware group is known for conducting corporate network hacks, stealing data, and encrypting systems. In double-extortion schemes, the encrypted files and stolen data are then used as leverage, with the threat actors threatening to release the data if a ransom is not paid.

HelloKitty is known for a number of attacks and has been utilized by other ransomware operations. One of the most high-profile attacks conducted by HelloKitty is the one on CD Projekt Red in February 2021. Threat actors claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games during this attack, which they later claimed to have sold.