A threat actor recently posted the entire source code for the first version of the HelloKitty ransomware on a Russian-language hacking forum, while claiming to be working on a new, more potent encryptor.
Security expert 3xp0rt initially noticed the leak when he saw threat actor kapuchin0 distributing the "first branch" of the HelloKitty ransomware encryptor.
While the source code was released by someone with the username kapuchin0, the threat actor has also been seen using the alias ‘Gookee.’
Gookee has previously been linked by security researchers to malware and hacking activity, including an attempt to gain access to Sony Network Japan in 2020, and to a Ransomware-as-a-Service (RaaS) operation dubbed ‘Gookee Ransomware,’ whose malware source code was put up for sale on an underground forum.
According to 3xp0rt, kapuchin0/Gookee is the developer of the HelloKitty ransomware and claims to be developing “a new product and much more interesting than Lockbit.”
The leaked hellokitty.zip archive includes the HelloKitty encryptor and decryptor, as well as the NTRUEncrypt library that this variant of the ransomware uses to encrypt files; the components are built using a Microsoft Visual Studio solution.
Furthermore, ransomware expert Michael Gillespie confirmed that the leaked code is in fact the real source code for HelloKitty, used when the ransomware operation first launched in 2020.
HelloKitty is a human-operated ransomware operation that first came to light in November 2020 after its victims posted about it on the BleepingComputer forums. The FBI later released a PIN (private industry notification) on the group in January 2021.
The ransomware group is known for breaching corporate networks, stealing data, and encrypting systems. In double-extortion schemes, the encrypted files and the stolen data are both used as leverage: the threat actors threaten to release the data if the ransom is not paid.
HelloKitty is known for a number of attacks, and its encryptor has also been used by other ransomware operations. One of the most high-profile attacks conducted by HelloKitty was the one on CD Projekt Red in February 2021. During this attack the threat actors claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games, which they later claimed to have sold.