{
	"id": "eed3452f-0c72-452e-a8d3-96b427b8ab78",
	"created_at": "2026-04-06T00:11:35.13444Z",
	"updated_at": "2026-04-10T13:11:32.405563Z",
	"deleted_at": null,
	"sha1_hash": "453b653d727d287b7e5091245229e74958208754",
	"title": "HelloKitty ransomware behind CD Projekt Red cyberattack, data theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3362438,
	"plain_text": "HelloKitty ransomware behind CD Projekt Red cyberattack, data theft\r\nBy Lawrence Abrams\r\nPublished: 2021-02-09 · Archived: 2026-04-05 13:04:39 UTC\r\nThe ransomware attack against CD Projekt Red was conducted by a ransomware group that goes by the name\r\n'HelloKitty,' and yes, that's the name the threat actors utilize.\r\nToday, CD Projekt disclosed that they were the target of a ransomware attack that encrypted devices on their network and\r\nled to the theft of unencrypted files.\r\n\"Yesterday we discovered that we have become a victim of a targeted cyber attack, due to which some of our internal\r\nsystems have been compromised.\r\nhttps://www.bleepingcomputer.com/news/security/HELLOKITTY-ransomware-behind-cd-projekt-red-cyberattack-data-theft/\r\nPage 1 of 7\n\n\"An unidentified actor gained unauthorized access to our internal network, collected certain data belonging to CD PROJEKT\r\ncapital group, and left a ransom note the content of which we release to the public. Although some devices in our network\r\nhave been encrypted, our backups remain intact. 
We have already secured our IT infrastructure and begun restoring the\r\ndata,\" CD Projekt disclosed today.\r\nAs part of the announcement, CD Projekt also released a screenshot of the ransom note that was left behind by the attackers.\r\nRansom note from CD Projekt Red ransomware attack\r\nAccording to Emsisoft's Fabian Wosar, the ransomware responsible for this cyberattack is called 'HelloKitty.'\r\nThis ransomware operation has been active since November 2020 and has targeted other large companies, such as the\r\nBrazilian power company CEMIG last year.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Sign\r\nWhat we know about the HelloKitty group\r\nAs the HelloKitty malware is not particularly active, there is not much information about the ransomware. However,\r\nBleepingComputer was able to gain access to a sample after a victim posted it in our forums in November 2020.\r\nThe HelloKitty ransomware is named after a mutex named 'HelloKittyMutex' used when the malware executable is\r\nlaunched.\r\nHelloKittyMutex mutex shown in Process Explorer\r\nOnce launched, HelloKitty will repeatedly run taskkill.exe to terminate processes associated with security software, email\r\nservers, database servers, backup software, and accounting software, such as QuickBooks.\r\nAn example of the taskkill.exe command is below:\r\n\"C:\\Windows\\System32\\taskkill.exe\" /f /im postg*\r\nThe ransomware will also attempt to shut down related Windows services with the net stop command, like the following:\r\n\"C:\\Windows\\System32\\net.exe\" stop MSSQLServerADHelper100\r\nIn total, HelloKitty targets over 1,400 processes and Windows services.\r\nAfter it has shut down the various targeted processes and services, it will begin to encrypt files on the computer. 
When\r\nencrypting files, it will append the .crypted extension to an encrypted file's name, as shown below.\r\nHelloKitty encrypted files\r\nIf the ransomware encounters a locked file when encrypting, it will use the Windows Restart Manager API to automatically\r\nterminate processes or Windows services that are keeping the file open.\r\nAs each HelloKitty executable is customized with a custom ransom note, the ransom note name may change depending on\r\nthe victim. For the HelloKitty victims that BleepingComputer has seen, the ransom note is typically named\r\n'read_me_unlock.txt,' which was also the same name used in the CD Projekt cyberattack.\r\nThese ransom notes are customized on a per-victim basis to include the amount of data that was stolen, what data was\r\ntargeted, and in many cases, the name of the company. This custom text indicates that the attackers lurk in the compromised\r\nnetwork for some time as they steal data, and when finished, deploy the ransomware.\r\nEnclosed in the ransom note is a Tor dark web URL that victims can visit to negotiate with the ransomware actors. This Tor\r\nURL is different for each victim and contains a simple chat interface to talk to the threat actors.\r\nTor chat site\r\nIt is unknown how great the ransom demands are for this ransomware gang and whether victims have paid in the past.\r\nAt this time, no known weakness could allow a victim to decrypt their files for free.\r\nSource: https://www.bleepingcomputer.com/news/security/HELLOKITTY-ransomware-behind-cd-projekt-red-cyberattack-data-theft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/HELLOKITTY-ransomware-behind-cd-projekt-red-cyberattack-data-theft/"
	],
	"report_names": [
		"HELLOKITTY-ransomware-behind-cd-projekt-red-cyberattack-data-theft"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/453b653d727d287b7e5091245229e74958208754.pdf",
		"text": "https://archive.orkl.eu/453b653d727d287b7e5091245229e74958208754.txt",
		"img": "https://archive.orkl.eu/453b653d727d287b7e5091245229e74958208754.jpg"
	}
}