FBI’s investigation accidentally revealed the HelloKitty ransomware gang operates out of Ukraine

In the never-ending fight against cybercrime, it’s rare for law enforcement to be the ones to strike it lucky. A defining feature of cybercrime is that it’s relatively easy for attackers to get away and fade into obscurity after a successful attack.

However, while researching a recent ransomware attack on a healthcare provider, the FBI stumbled on information it believes proves that the notorious HelloKitty ransomware gang, Five Hands, is located in Ukraine.

Eastern Europe and countries like Russia, Ukraine, and Romania have been hotbeds for criminal cyber activity for many years. This dynamic is partly fueled by the proliferation of nation-state threat actors in the region, as well as the relative lack of the concerted counter-efforts seen from the FBI and CISA in the U.S.


In fact, the cyber threat element is so great in Eastern Europe that many hackers themselves build do-not-install checks into their malware to avoid attacking entities in former Soviet-bloc countries. This is to avoid reprisals and unwanted scrutiny.

That being said, the FBI has successfully collaborated with their law enforcement counterparts in various countries, including Ukraine and Romania, over the past year. This has led to numerous arrests involving ransomware gang collaborators or affiliates, including those involved with REvil, CLOP, and Ryuk.

In fact, REvil’s capabilities were all but crushed by the FBI in early December.

The victim of the ransomware attack, OAG, made the following statement regarding the matter:

“Oregon Anesthesiology Group, P.C. (OAG) experienced a cyberattack on July 11, after which we were briefly locked out of our servers. On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network.”

Although only identified as an active ransomware gang in late 2020, HelloKitty has quickly gained notoriety for several high-profile ransomware attacks. The FBI first observed it in January 2021. The gang carried out their most famous attack on the massively popular game developer, CD Projekt Red in February of 2021, allegedly stealing valuable game I.P. files.

HelloKitty has become known for its malleability and rapid evolution. In July, the gang added a Linux ransomware variant to its arsenal, targeting VMware ESXi virtual machines. The gang is known to exploit common vulnerabilities. In November of this year, the FBI warned that the gang has also started adding DDoS attacks to its extortion arsenal.

This information has not been directly acknowledged by the FBI or any other law enforcement agencies. However, should this intelligence be correct, it could help the FBI carry out another successful bust and, hopefully, take down another dangerous threat actor from the ransomware landscape.
