HelloKitty Ransomware Resurfaced

Released on 2025-04-15 at 07:35:27 PM

The HelloKitty ransomware group, active since late 2020, has resurfaced with new variants in 2024 and potentially 2025. Originally forked from DeathRansom, HelloKitty targets Windows and Linux environments, appending the .CRYPTED, .CRYPT, or .KITTY extension to encrypted files. The group has used multiple TOR domains for negotiations and has been linked to high-profile attacks, including the one on CD Projekt Red. Analysis reveals potential connections to China, despite earlier attributions to Ukraine. The ransomware employs sophisticated encryption techniques, including RSA-2048 and AES. Recent samples show evolving tactics, with an increased focus on system discovery and process termination. HelloKitty has also been used by other threat actors, including Vice Society and Lapsus$. The group's continued activity and adaptations suggest ongoing relevance in the ransomware landscape.