{
	"id": "16726765-342c-4682-8f1a-4d93f6d6260d",
	"created_at": "2026-04-10T03:22:11.120362Z",
	"updated_at": "2026-04-10T03:22:16.666203Z",
	"deleted_at": null,
	"sha1_hash": "3b6899d6944a7b6d8c55cd7aba41ad1b214d1024",
	"title": "HelloKitty: When Cyberpunk met cy-purr-crime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145350,
	"plain_text": "HelloKitty: When Cyberpunk met cy-purr-crime\r\nBy Jovi Umawing\r\nPublished: 2021-03-17 · Archived: 2026-04-10 03:09:22 UTC\r\nOn February 9, after discovering a compromise, CD Projekt Red (CDPR) announced to its 1+ million followers on\r\nTwitter that it was the victim of a ransomware attack against its systems (and made it clear it would neither yield to\r\nthe demands of the threat actors nor negotiate).\r\nCyberpunk 2077, the latest game released by CD Projekt Red and once hailed as the “most anticipated game of\r\nthe decade”, was released in December 2020, with many calling it an “unplayable mess”.\r\nNo surprise then that some people suspected that enraged gamers were hitting back at the company for releasing\r\nthe game in that state. But infamous ransomware hunter Fabian Wosar (@fwosar) of Emsisoft begged to differ.\r\nAlthough what he said was an informed claim, we cannot say for sure what hit CDPR until a ransomware sample\r\nis retrieved and analyzed. Nevertheless, the name-check was enough to put the HelloKitty ransomware family in\r\nthe headlines.\r\nHelloKitty ransomware\r\nThe HelloKitty ransomware, also known as Kitty ransomware, was first seen in November 2020, a few months\r\nafter the first variants of Egregor were spotted in the wild.\r\nCEMIG (Companhia Energética de Minas Gerais), a Brazilian electric power company, revealed on Facebook in\r\nlate December 2020 that it was a victim of a cyberattack. 
Subsequent reports revealed that HelloKitty was the\r\nransomware behind it, and that this ransomware strain was used to steal a large amount of data about the company.\r\nThe attack didn’t cause any damage, but it did cause the company to suspend its WhatsApp and SMS\r\nchannels and its online app service.\r\nThis ransomware family was named after a mutex it used called “HelloKittyMutex.”\r\nSome researchers refer to HelloKitty as DeathRansom—a ransomware family that, based on its earlier variants,\r\nmerely renames target files and doesn’t encrypt them. We speculate, however, that HelloKitty was built from\r\nDeathRansom. As such, Malwarebytes detects this ransomware as Ransom.DeathRansom.\r\nThe threat actors behind HelloKitty ransomware aren’t as active as some other threat groups, so there is little\r\ninformation about them. Below is what we know so far.\r\nInfection vector\r\nAccording to SentinelLabs, current intelligence suggests that HelloKitty arrives via phishing emails or via\r\nsecondary infection from an initial malware attack.\r\nhttps://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/\r\nPage 1 of 3\n\nSymptoms\r\nSystems affected by HelloKitty ransomware display the following symptoms:\r\n1. Terminated processes and Windows services. Once it reaches an affected system and executes, HelloKitty\r\nterminates processes and Windows services that may interfere with its operation. These processes are generally\r\nassociated with security software, backup software, accounting software, email servers, and database servers (to\r\nname a few). 
Overall, it can target and terminate over 1,400 processes and services.\r\nIt performs the termination using taskkill.exe and net.exe, two legitimate Microsoft Windows programs.\r\nSentinelLabs also notes that if there are processes HelloKitty cannot terminate using these executables, it then taps\r\ninto the Windows Restart Manager to perform the termination.\r\n2. Encrypted files with .KITTY or .CRYPTED file extensions. On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU\r\nencryption. On Linux systems, it uses the combination AES-256 + ECDH. These encryption recipes are not\r\nknown to have any weaknesses, making decryption impossible without a key.\r\nEncrypted files will have the .kitty or .crypted file extension appended to the file names. For example, an encrypted sample.mdb file will be renamed to either\r\nsample.mdb.kitty or sample.mdb.crypted.\r\n3. Targeted ransom note. The HelloKitty ransom note is usually a plain text file named either\r\nread_me_lkdtt.txt or read_me_unlock.txt\r\nthat references its target and/or its environment. As a sample of the note’s content, below is a portion of the\r\nCEMIG ransom note:\r\nHello CEMIG!\r\nAll your fileservers, HyperV infrastructure and backups have been encrypted!\r\nTrying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss\r\nof data!\r\nThe only way to recover your files is by cooperating with us.\r\nTo prove our seriousness, we can decrypt 1 non-critical file for free as proof. 
We have over 10 TB data\r\nof your private files, databases, personal data… etc, you have 24 hours to contact us, another way we\r\npublish this information in public channels, and this site will be unavailable.\r\nThe ransom note also includes a .onion URL that victims can open using the Tor browser. URLs are different\r\nfor each victim.\r\n4. Deleted shadow copies. Similar to other well-known ransomware families like Phobos and Sodinokibi,\r\nHelloKitty deletes shadow copies of encrypted files on affected systems to prevent victims from restoring them.\r\nIndicators of Compromise (IOCs)\r\nTor Onion URLs:\r\n6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion\r\nx6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion\r\nSHA256 hashes:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/"
	],
	"report_names": [
		"hellokitty-when-cyberpunk-met-cy-purr-crime"
	],
	"threat_actors": [],
	"ts_created_at": 1775791331,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b6899d6944a7b6d8c55cd7aba41ad1b214d1024.pdf",
		"text": "https://archive.orkl.eu/3b6899d6944a7b6d8c55cd7aba41ad1b214d1024.txt",
		"img": "https://archive.orkl.eu/3b6899d6944a7b6d8c55cd7aba41ad1b214d1024.jpg"
	}
}