FBI's investigation accidentally revealed the HelloKitty ransomware gang operates out of Ukraine

FBI’s investigation accidentally revealed the HelloKitty ransomware gang operates out of Ukraine

While investigating a data breach suffered by a healthcare organization, FBI accidentally revealed that it believes that the HelloKitty ransomware gang operates out of Ukraine.

The investigation conducted by FBI on a recent data breach suffered by an Oregon healthcare organization lead to the accidental revelation that the FBI believes that the HelloKitty ransomware gang (Five Hands) operates out of Ukraine.

“Oregon Anesthesiology Group, P.C. (OAG) experienced a cyberattack on July 11, after which we were briefly locked out of our servers.” reads the notice of data breach published by the Oregon Anesthesiology Group. “On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network.”

The HelloKitty gang has been active since January 2021 and it is still active. In November, the US FBI has published a flash alert warning private organizations of the evolution of the HelloKitty ransomware (aka FiveHands). According to the alert, the ransomware gang is launching distributed denial-of-service (DDoS) attacks as part of its extortion activities.

The ransomware gang targets their victims’ websites with DDoS attacks if they refuse to pay the ransom. The HelloKitty ransomware group, like other ransomware gangs, implements a double extortion model, stealing sensitive documents from victims before encrypting them. Then the threat actors threaten to leak the stolen data to force the victim into paying the ransom.

The HelloKitty/FiveHands gang is known to demand varying ransom payments in Bitcoin (BTC) that are commensurate with the economic capabilities of the victims.

The group’s operators use several techniques to breach the targets’ networks, such as exploiting SonicWall flaws (e.g., CVE-2021-20016CVE-2021-20021CVE-2021-20022CVE-2021-2002) or using compromised credentials.

In May, US CISA also published an analysis report (AR21-126A) on the FiveHands ransomware, anyway US authorities never disclosed the possible location of the gang.

The accidental revelation can now suggest the gang temporarily suspend its operations moving its activities to another country where local police will be more indulgent.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini AuthorPierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW