Associated file extensions: .crypted, .KITTY
When the HelloKitty ransomware is launched, it attempts to disable and terminate numerous processes and services associated with IIS, MSSQL, QuickBooks, and SharePoint so that open file handles and locks do not interfere with encryption; the termination is carried out using taskkill.exe and net.exe. If HelloKitty fails to stop any specific process or service, it leverages the Windows Restart Manager API for further termination assistance. HelloKitty also uses Windows Management Instrumentation (WMI) to collect system details, enumerate running processes, and identify any that could be problematic. Once the applicable services and processes have been terminated, HelloKitty initiates and completes the encryption process very quickly.
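The pre-encryption behaviour above (a burst of `net stop` and `taskkill /im` commands against database, web and accounting services from one parent process) is a good detection point, because legitimate administration rarely stops that many services within seconds. The script below is an added example, not SpearTip's or HelloKitty's code: it scans constructed process-creation records (a simplified Sysmon Event ID 1 shape, `timestamp|parent_pid|image|commandline`) and raises an alert when one parent issues at least `threshold` stop commands against sensitive targets inside a sliding time window. The keyword list, the log format and the sample events are assumptions made for the example.

```python
"""Added example (not from the original page): flag bursts of service/process
termination commands that precede ransomware encryption."""
import re
from collections import defaultdict
from datetime import datetime

# Substrings matched case-insensitively against the stopped service or image
# name. Assumption for this example: it covers the product families named in
# the text (IIS, MSSQL, QuickBooks, SharePoint); tune it for your environment.
TARGET_KEYWORDS = ("mssql", "sql", "w3svc", "w3wp", "iis",
                   "sharepoint", "qb", "quickbooks")

# taskkill [/f] /im <image>      and      net stop "<service>" [/y]
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+\"?([^\"\s]+)", re.IGNORECASE)
NETSTOP_RE = re.compile(r"\bnet1?(?:\.exe)?\b\s+stop\s+\"?([^\"]+?)\"?(?:\s+/y)?\s*$",
                        re.IGNORECASE)

# Constructed sample telemetry: parent PID 4120 stops five sensitive services
# in seven seconds plus one benign kill; PID 900 stops the print spooler.
SAMPLE_EVENTS = [
    "2023-06-01T09:14:02|4120|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y",
    "2023-06-01T09:14:03|4120|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im sqlservr.exe",
    "2023-06-01T09:14:05|4120|C:\\Windows\\System32\\net.exe|net stop W3SVC",
    "2023-06-01T09:14:06|4120|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im w3wp.exe",
    "2023-06-01T09:14:09|4120|C:\\Windows\\System32\\net.exe|net stop \"QBCFMonitorService\"",
    "2023-06-01T09:14:10|4120|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im notepad.exe",
    "2023-06-01T09:20:00|900|C:\\Windows\\System32\\net.exe|net stop Spooler",
]


def parse_event(line):
    """Parse one 'timestamp|parent_pid|image|commandline' record."""
    ts, ppid, image, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "ppid": int(ppid),
            "image": image, "cmdline": cmdline}


def extract_stop_target(cmdline):
    """Return the service or image a taskkill/net stop command targets, else None."""
    for rx in (TASKKILL_RE, NETSTOP_RE):
        m = rx.search(cmdline)
        if m:
            return m.group(1)
    return None


def is_sensitive_target(name):
    low = name.lower()
    return any(k in low for k in TARGET_KEYWORDS)


def detect_termination_bursts(lines, window_seconds=60, threshold=3):
    """One alert per parent PID that issues >= threshold stop commands against
    sensitive targets within any interval of window_seconds."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        target = extract_stop_target(ev["cmdline"])
        if target and is_sensitive_target(target):
            by_parent[ev["ppid"]].append((ev["ts"], target))

    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()
        best, start = [], 0
        for end in range(len(hits)):            # sliding window over sorted hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) >= threshold:
            alerts.append({"parent_pid": ppid, "count": len(best),
                           "targets": [t for _, t in best],
                           "first_seen": best[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_termination_bursts(SAMPLE_EVENTS):
        print(f"ALERT parent_pid={alert['parent_pid']} count={alert['count']} "
              f"first_seen={alert['first_seen']} targets={alert['targets']}")
```

Run as-is it reports a single alert for parent PID 4120 (five sensitive stops, `notepad.exe` and the spooler ignored). Keying on the parent process, rather than on individual `net.exe` launches, is what keeps a lone administrator restarting SQL Server below the threshold; the short keyword list will still collide with unrelated names (for example anything containing "qb"), so treat it as a starting point for tuning against your own baseline.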
HelloKitty's operators use the Cobalt Strike post-exploitation framework to maintain persistence and rely heavily on VPN access to map the network and escalate privileges before they exfiltrate and encrypt files. In the investigations and research conducted by SpearTip, we identified the use of Cobalt Strike for persistence in several ransomware attacks.
SpearTip's ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices to provide security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.
©2023 SpearTip, LLC. All rights reserved.