The U.S. FBI has sent out an alert warning private industry partners that the HelloKitty ransomware gang has added DDoS attacks to its arsenal of extortion tactics. The group is generally known for stealing sensitive documents from victims' compromised servers before encrypting them. The exfiltrated files are later used as leverage to pressure the victims into paying the ransom, under the threat of publishing the stolen data on a data leak site.


According to the FBI, the ransomware group takes victims' official websites down with DDoS attacks if they do not comply with the ransom demands: if a victim does not respond quickly or does not pay, the threat actors launch a DDoS attack against the company's public-facing website.

HelloKitty demands varying ransom payments in Bitcoin from each victim, commensurate with the victim's assessed ability to pay. If no ransom is paid, the threat actors post the victim's data on the Babuk leak site (payload.bin) or sell it to a third-party data broker.

The group's operators use several methods to breach targets' networks, including compromised credentials and recently patched security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). Because fixes for these flaws are already available, keeping SonicWall appliances up to date and enforcing multi-factor authentication on remote-access credentials closes the initial-access vectors the alert describes.


The HelloKitty ransomware and its variants have also been used under other names, including DeathRansom and Fivehands.

Indicators of Compromise