{
	"id": "11052b07-a2c7-4812-8821-33b7d3ca6315",
	"created_at": "2026-04-06T00:12:00.052586Z",
	"updated_at": "2026-04-10T03:20:51.423988Z",
	"deleted_at": null,
	"sha1_hash": "fc39e04a04edfdd71f27def22d3a5972e52e7ab9",
	"title": "HelloKitty Ransomware Lacks Stealth, But Still Strikes Home - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224224,
	"plain_text": "HelloKitty Ransomware Lacks Stealth, But Still Strikes Home - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2021-03-08 · Archived: 2026-04-05 19:27:20 UTC\r\nGame studio CD Projekt Red recently disclosed that it became a victim of a targeted, highly impactful\r\nransomware. In the days following the disclosure, it was revealed that the ransomware family most likely behind\r\nthe attack was “HelloKitty”.\r\nHelloKitty is a ransomware family that emerged in late 2020. While it lacks the sophistication of some of the more\r\nwell-known families such as Ryuk, REvil, and Conti, it has nevertheless struck some notable targets, including\r\nCEMIG0. In this post, we analyse a recent HelloKitty sample and outline the basic behaviors and traits associated\r\nwith this family of ransomware.\r\nExecution and Behavior\r\nThe “HelloKitty” name is based on internal mutex names, which are apparent upon execution.\r\nhttps://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/\r\nPage 1 of 7\n\nWhile still somewhat unclear, current intelligence indicates that the primary delivery method of HelloKitty\r\nbinaries is via phishing email or via secondary infection in conjunction with other malware.\r\nOnce launched, HelloKitty will attempt to disable and terminate a number of processes and services so as to\r\nreduce interference with the encryption process. This includes processes and services associated with IIS,\r\nMSSQL, Quickbooks, Sharepoint, and more. These actions are carried out via taskkill.exe and net.exe.\r\nIn the analyzed sample, this is all done in a very non-stealthy manner. All spawned CMD windows are in the\r\nforeground and fully visible. 
This ‘lack of discreteness’ is atypical for modern ransomware, or any successful\r\nmalware, for that matter.\r\nA full list of processes from the analyzed sample is listed below:\r\ndsa*\r\nNtrtsca\r\nds_moni\r\nNotifie\r\nTmListe\r\niVPAgen\r\nCNTAoSM\r\nIBM*\r\nbes10*\r\nblack*\r\nrobo*\r\ncopy*\r\nstore.e\r\nsql*\r\nvee*\r\nwrsa*\r\nwrsa.ex\r\npostg*\r\nsage*\r\nMSSQLServerADHelper100\r\nMSSQL$ISARS\r\nMSSQL$MSFW\r\nSQLAgent$ISARS\r\nSQLAgent$MSFW\r\nSQLBrowser\r\nReportServer$ISARS\r\nSQLWriter\r\nWinDefend\r\nmr2kserv\r\nMSExchangeADTopology\r\nMSExchangeFBA\r\nMSExchangeIS\r\nMSExchangeSA\r\nShadowProtectSvc\r\nSPAdminV4\r\nSPTimerV4\r\nSPTraceV4\r\nSPUserCodeV4\r\nSPWriterV4\r\nSPSearch4\r\nIISADMIN\r\nfirebirdguardiandefaultinstance\r\nibmiasrw\r\nQBCFMonitorService\r\nQBVSS\r\nQBPOSDBServiceV12\r\n\"IBM Domino Server(CProgramFilesIBMDominodata)\"\r\n\"IBM Domino Diagnostics(CProgramFilesIBMDomino)\"\r\n\"Simply Accounting Database Connection Manager\"\r\nQuickBooksDB1\r\nQuickBooksDB2\r\nQuickBooksDB3\r\nQuickBooksDB4\r\nQuickBooksDB5\r\nQuickBooksDB6\r\nQuickBooksDB7\r\nQuickBooksDB8\r\nQuickBooksDB9\r\nQuickBooksDB10\r\nQuickBooksDB11\r\nQuickBooksDB12\r\nQuickBooksDB13\r\nQuickBooksDB14\r\nQuickBooksDB15\r\nQuickBooksDB16\r\nQuickBooksDB17\r\nQuickBooksDB18\r\nQuickBooksDB19\r\nQuickBooksDB20\r\nQuickBooksDB21\r\nQuickBooksDB22\r\nQuickBooksDB23\r\nQuickBooksDB24\r\nQuickBooksDB25\r\nAdditional processes and services that are terminated are identified via PID. 
For example:\r\ntaskkill.exe /f /PID \"8512\"\r\ntaskkill.exe /f /PID \"8656\"\r\nIf HelloKitty is unable to stop any specific processes or services, it will leverage the Windows Restart Manager\r\nAPI to further assist in termination.\r\nHelloKitty will also utilize WMI to gather system details and help identify running processes and any potentially\r\nproblematic processes. This is done both by name and by PID. An example of the query used is shown below:\r\nstart iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, th\r\nEncryption and Ransom Note\r\nEncryption is initiated and completed very quickly once applicable services and processes have been terminated.\r\nSpecific encryption recipes and routines can vary across variants of HelloKitty. 
Generally speaking, they tend to\r\nuse a combination of AES-256 \u0026 RSA-2048 or even NTRU+AES-128.\r\nOnce encrypted, affected files receive the .crypted extension.\r\nRansom notes are typically customized to directly reference the victim and victim’s environment. Victims are\r\ninstructed to visit a TOR-based payment and support portal. The following example has been sanitized:\r\nIt is also important to note that as of this writing, the onion address associated with HelloKitty ransom notes is not\r\nactive.\r\n6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion\r\nConclusion\r\nHelloKitty may be easier to spot than other modern ransomware families, but upon execution it is no less\r\ndangerous. There are currently no known ‘weaknesses’ in the encryption routines, and there are no third-party\r\ndecrypters available for the HelloKitty ransomware. Therefore, the only true defense is prevention. While this\r\nfamily does not appear to be actively leaking victim data at the moment, that could change at any point, in\r\naddition to the actors choosing to adopt some of the more recent extortion methods that accompany ransomware\r\n(DDoS).\r\nActors behind the more recent campaign(s) are reportedly attempting to auction the CD Projekt data off in various\r\n‘underground’ forums. At present, the sale of this data does appear to be legitimate. Time will tell if additional\r\nvictim data is dealt with in the same way.\r\nTo protect yourself against HelloKitty, make sure you are armed with a modern Endpoint Security platform, which\r\nis configured correctly and up to date. 
The SentinelOne Singularity Platform is fully capable of preventing and\r\ndetecting all malicious behaviors associated with the HelloKitty ransomware family.\r\nIOCs\r\nSHA1\r\nfadd8d7c13a18c251ded1f645ffea18a37f1c2de\r\nSHA256\r\n501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe\r\nMITRE ATT\u0026CK\r\nData from Local System – T1005\r\nModify Registry – T1112\r\nQuery Registry – T1012\r\nSystem Information Discovery – T1082\r\nData Encrypted for Impact – T1486\r\nFile Deletion – T1070.004\r\nCommand and Scripting Interpreter: Windows Command Shell – T1059.003\r\nWindows Management Instrumentation – T1047\r\nSource: https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/"
	],
	"report_names": [
		"hellokitty-ransomware-lacks-stealth-but-still-strikes-home"
	],
	"threat_actors": [],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc39e04a04edfdd71f27def22d3a5972e52e7ab9.pdf",
		"text": "https://archive.orkl.eu/fc39e04a04edfdd71f27def22d3a5972e52e7ab9.txt",
		"img": "https://archive.orkl.eu/fc39e04a04edfdd71f27def22d3a5972e52e7ab9.jpg"
	}
}