The FBI is warning private industry partners regarding the HelloKitty ransomware group (aka FiveHands/DeathRansom). The group is now using Distributed Denial-of-Service (DDoS) attacks as an extortion tactic.

What's new?

The FBI warned that the HelloKitty ransomware group, which is known for encrypting victims’ data and asking for ransom, is now taking down victims' websites with DDoS attacks if they do not agree to pay the ransom.
  • The ransomware group demands a varying amount of ransom payments for each victim, based on their ability to pay.
  • If no ransom is paid, the victim data is posted to the Babuk site (payload[.]bin) or sold to a third-party data broker.
  • The operators employ multiple ways to breach the targets' networks. These ways include compromised credentials and patched security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20022, CVE-2021-20021, and CVE-2021-2002).

Additional details

  • The FBI shared a collection of Indicators of Compromise (IOCs) in its alert to stay protected from this threat.
  • HelloKitty increased its activity in July and August, just after it started using the Linux variant in attacks to target VMware's ESXi virtual machine platform. 
  • In February, the group had breached and encrypted the systems of CD Projekt Red.


The alert for HelloKitty ransomware is a serious notice and organizations should apply recommended mitigations at the earliest. These mitigations include backing up critical data offline and updating used software and OS regularly. Additionally, it is suggested to install and always update antimalware defenses.

Cyware Publisher