NEWS Vanished Without a Trace — Returned Without Warning: HelloKitty Resurfaces to Attack Infrastructure Again

ExcalibuR (Legend, Premium Member), joined Jan 17, 2025
The malware has learned new tricks while everyone thought it was dead.

Researchers from The Raven File have detected renewed activity from the HelloKitty ransomware, which now targets not only Windows but also Linux systems, including ESXi virtual environments. First discovered in 2020, HelloKitty originated as a fork of DeathRansom, but has since evolved significantly in both architecture and operational methods.


Modern HelloKitty samples embed an RSA-2048 public key and hash it with SHA-256 to produce a unique victim ID. Each encrypted file uses its own 32-byte value derived from the CPU timestamp counter, a source whose entropy is bounded by how predictable that counter is at encryption time. Encryption is layered: Salsa20 first, then AES. Output files are marked with extensions such as .CRYPTED, .CRYPT, or .KITTY and carry metadata containing the encrypted RSA file size, the key, and a "magic" value used during decryption.


Some variants use alternative encryption schemes such as NTRU, a sign that the malware is being adapted quickly to newer cryptographic primitives. While earlier attacks focused primarily on Windows, a Linux/ESXi version has been active since July 2021, significantly broadening the malware's reach.
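A small triage script for the two points above: the victim ID being a SHA-256 of the embedded RSA key, and the marked extensions that show up on both Windows and ESXi datastores. This is an added example and not code from the article, The Raven File, or the malware; it assumes (assumption) that the ID is the hex SHA-256 of the raw key bytes as they sit in the binary, and it pairs the extension check with an entropy check so that a legitimately named .crypt file full of plaintext is not reported. The paths and file contents are constructed for the demo.

```python
"""Triage helper for HelloKitty-style encrypted files (added example).

Assumptions, not facts from the article: the victim ID is the hex SHA-256 of
the embedded RSA-2048 public key bytes; a file counts as "encrypted" when it
has one of the listed extensions AND its leading bytes are high-entropy.
All sample data below is constructed.
"""
import hashlib
import math
import os
from collections import Counter

# Extensions the article attributes to HelloKitty output (lower-cased for matching).
KNOWN_EXTENSIONS = {".crypted", ".crypt", ".kitty"}

# Ciphertext scores close to 8 bits/byte; text and most documents score well below.
ENTROPY_THRESHOLD = 7.5


def victim_id(public_key_blob: bytes) -> str:
    """Hex SHA-256 of the embedded public key (assumed serialization)."""
    return hashlib.sha256(public_key_blob).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, head: bytes) -> bool:
    """Flag a file only when both the extension and the content agree."""
    ext = os.path.splitext(path)[1].lower()
    return ext in KNOWN_EXTENSIONS and shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(samples: dict) -> list:
    """Return the paths in `samples` (path -> leading bytes) that look encrypted."""
    return sorted(p for p, head in samples.items() if looks_encrypted(p, head))


def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: a Windows path, an ESXi datastore path, and two decoys.
SAMPLE_FILES = {
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.crypt": _pseudo_random(4096),
    "C:/Users/acct/Documents/q3-budget.xlsx.kitty": _pseudo_random(4096, b"x"),
    "C:/Users/acct/Documents/notes.txt": b"Quarterly notes. " * 200,
    "/home/dev/keys.crypt": b"-----BEGIN PUBLIC KEY-----\n" * 100,  # legit name, plaintext
}

# Constructed stand-in for the embedded RSA-2048 public key (256 modulus bytes).
FAKE_PUBLIC_KEY = _pseudo_random(256, b"rsa")

if __name__ == "__main__":
    print("victim id:", victim_id(FAKE_PUBLIC_KEY))
    for path in triage(SAMPLE_FILES):
        print("flagged:", path)
```

Run it over a real listing by replacing SAMPLE_FILES with the first few KiB of each file; the entropy gate is what keeps a rename-only decoy or a plaintext file with a matching extension out of the flagged list.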


The origin of recent samples has raised interest. Indicators suggest China as the source — based on internal file languages, IP addresses used for payload delivery, and references to Chinese services like QQ and SkyCN. However, past reports linked the group’s activity to Ukraine, creating confusion that may be due to misdirection or a multinational threat actor composition.


A comparison of infection techniques between 2020 and 2024 shows clear evolution. Early versions relied on basic, noisy actions: deleting shadow copies, killing processes, and process injection. Newer samples are more selective and cautious: they probe the environment, inspect the registry, and assess system attributes before acting, and they avoid the older, easily detected methods.


HelloKitty has hit critical infrastructure as well as companies. In December 2020 it struck CEMIG, the Brazilian electric utility; in February 2021 it hit Poland's CD Projekt Red. Hospitals in the UK and IT firms in France were affected later.


HelloKitty has been used by multiple groups, becoming a modular tool in the ransomware ecosystem. Actors like Vice Society, UNC2447, Lapsus$, and Yanluowang have deployed it, making it a notable part of the Ransomware-as-a-Service (RaaS) model.


Although no active HelloKitty leak site has been found recently, a new variant obtained from a Chinese source, sharing code with the RingQ malware, may indicate rebuilt infrastructure. The absence of onion links suggests the group either has not finished deploying it or is deliberately staying under the radar.


With its updated encryption mechanisms, cross-platform capabilities, and unclear origins, HelloKitty’s return poses a renewed challenge for cybersecurity professionals. The group is learning from past mistakes and adapting to defensive technologies, solidifying its status as one of the most resilient ransomware strains in the wild.