hellokitty

HelloKitty is a ransomware family first observed in November 2020, named after a string found in its binary. It operates as a human-operated, big-game hunting ransomware, manually deployed after network intrusion and reconnaissance. HelloKitty uses a double-extortion model—encrypting files and threatening to leak stolen data on a Tor-based site. The malware encrypts files using AES-256 in CBC mode with RSA-2048 to protect keys, appending extensions such as .crypted or campaign-specific suffixes. Distribution typically occurs via compromised RDP credentials, phishing, or exploitation of known vulnerabilities. The group gained notoriety in February 2021 after attacking CD Projekt Red, the developer of The Witcher and Cyberpunk 2077, stealing source code for several games. Subsequent variants have targeted both Windows and Linux systems, including ESXi servers.