Under Attack? Breach Response Hotline: Call

Day 7: HelloKitty Ransomware

Common Attack Vectors

  • Virtual Private Network (VPN)
  • Virtual Machine Platform (VMP)
  • Phishing Emails
  • Windows systems

Vulnerabilities Exploited

  • SonicWall – (CVE-2021-20016, CVE-2021-20021, CVE-2021- 20022, CVE-2021-20023)
  • Secure Mobile Access (SMA)
  • Secure Remote Access (SRA)

Industries Targeted Frequently


Threat actors target enterprises, stealing sensitive data, encrypting network files, and demanding ransoms.

Critical infrastructure

Threat actors target critical infrastructure, impacting businesses that provide services to consumers and other organizations.

Common File Extensions



Known Aliases

  • Five Hands
  • DeathRansom

How HelloKitty Ransomware is Distributed

When the HelloKitty ransomware is launched, it attempts to disable and terminate numerous processes and services associated with IIS, MSSQL, Quickbooks, and Sharepoint to reduce interference with the encryption processes which are carried out using taskkill.exe and net.exe. It will leverage the Windows Restart Manager API for further termination assistance if HelloKitty fails to stop any specific processes or services. HelloKitty will use the Windows Management Instrumentation (WMI) to collect system details and identify running processes and any potentially problematic processes. Once the applicable services processes have been terminated, HelloKitty initiates and completes the encryption process very quickly. 

HelloKitty utilizes the Cobalt Strike penetration tool to maintain persistence and heavily utilize VPN to map the network and escalate privileges before they exfiltrate and encrypt the files. With the investigation and research conducted by SpearTip, we identified the usage of Cobalt Strike for persistence in several ransomware attacks.


SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.