{
	"id": "d39c0ea6-d168-4cb9-aa8a-1adae01e9d0b",
	"created_at": "2026-04-06T00:21:04.889632Z",
	"updated_at": "2026-04-10T03:36:17.319758Z",
	"deleted_at": null,
	"sha1_hash": "2306cc2f08befab0e3a1ccbf3cdaafb787d438ad",
	"title": "HelloKitty ransomware is targeting vulnerable SonicWall devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1358816,
	"plain_text": "HelloKitty ransomware is targeting vulnerable SonicWall devices\r\nBy Sergiu Gatlan\r\nPublished: 2021-07-17 · Archived: 2026-04-05 23:35:41 UTC\r\nCISA warns of threat actors targeting \"a known, previously patched, vulnerability\" found in SonicWall Secure Mobile\r\nAccess (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware.\r\nAs the US federal agency also adds, the attackers can exploit this security vulnerability as part of a targeted ransomware\r\nattack.\r\nThis alert comes after SonicWall issued an \"urgent security notice\" and sent emails to warn customers of the \"imminent risk\r\nof a targeted ransomware attack.\" \r\nhttps://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/\r\nPage 1 of 4\n\nEven though the company said the risk of ransomware attacks is imminent, Coveware CEO Bill Siegel confirmed CISA's\r\nwarning saying that the campaign is ongoing. 
\r\nCISA urges users and administrators to review the SonicWall security notice and upgrade their devices to the latest firmware\r\nor immediately disconnect all end-of-life appliances.\r\nHelloKitty ransomware: one of the groups behind these attacks\r\nWhile CISA and SonicWall did not reveal the identity of the threat actors behind these attacks, BleepingComputer was\r\ntold by a source in the cybersecurity industry that HelloKitty has been exploiting the vulnerability for the past few weeks.\r\nCybersecurity firm CrowdStrike also confirmed to BleepingComputer that the ongoing attacks are attributed to multiple\r\nthreat actors, including HelloKitty.\r\nHelloKitty is a human-operated ransomware operation active since November 2020, mostly known for encrypting the\r\nsystems of CD Projekt Red and claiming to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games' source code.\r\nEven though the bug abused to compromise unpatched and EOL SMA and SRA products was not disclosed in CISA's\r\nwarning or SonicWall's notice, CrowdStrike security researcher Heather Smith told BleepingComputer yesterday that the\r\ntargeted vulnerability is tracked as CVE-2019-7481.\r\n\"This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early\r\n2021,\" SonicWall said in an emailed statement.\r\nHowever, CrowdStrike's Heather Smith and Hanno Heinrichs said in a report published last month that \"CrowdStrike\r\nServices incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-\r\n7481, that affects Secure Remote Access (SRA) 4600 devices.\"\r\nSonicWall credited the two security researchers with reporting the actively exploited security flaw in a security\r\nadvisory issued yesterday.\r\nAccording to a Coveware report, Babuk ransomware is also targeting SonicWall VPNs likely vulnerable to CVE-2020-5135\r\nexploits. 
This vulnerability was patched in October 2020 but it is still \"heavily abused by ransomware groups today\" per\r\nCoveware.\r\nRansomware vs. SonicWall devices\r\nA threat group tracked by Mandiant as UNC2447 has also exploited the CVE-2021-20016 zero-day bug in SonicWall SMA\r\n100 Series VPN appliances to deploy a new ransomware strain known as FiveHands (a DeathRansom variant just as\r\nHelloKitty).\r\nTheir attacks targeted multiple North American and European targets before SonicWall released patches in late February\r\n2021.\r\nThe same zero-day was also abused in January in attacks targeting SonicWall's internal systems and later indiscriminately\r\nexploited in the wild.\r\nMandiant threat analysts discovered three other zero-day vulnerabilities in SonicWall's on-premises and hosted Email\r\nSecurity (ES) products in March.\r\nThese three zero-days were also actively exploited by a group Mandiant tracks as UNC2682 to backdoor systems using\r\nBEHINDER web shells, allowing them to move laterally through victims' networks and access emails and files.\r\n\"The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor,\r\naccess files and emails, and move laterally into the victim organization's network,\" the Mandiant researchers said at the time.\r\nSource: https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/"
	],
	"report_names": [
		"hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices"
	],
	"threat_actors": [
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2306cc2f08befab0e3a1ccbf3cdaafb787d438ad.pdf",
		"text": "https://archive.orkl.eu/2306cc2f08befab0e3a1ccbf3cdaafb787d438ad.txt",
		"img": "https://archive.orkl.eu/2306cc2f08befab0e3a1ccbf3cdaafb787d438ad.jpg"
	}
}