The FBI believes that the HelloKitty cryptor is controlled by operators from Ukraine

A medical organization from Oregon, which recently reported a breach and data leak, accidentally made it clear that, according to the FBI, HelloKitty (FiveHands) malware is controlled by operators from the territory of Ukraine.

As a rule, law enforcement agencies do not disclose the collected information about hacker groups while the process of gathering evidence, surveillance and arrests are organized. Otherwise, suspects may destroy evidence or take refuge in countries with which the United States does not have extradition treaties. But this time the “leak” was not the fault of the law enforcement officers themselves.

The recently hacked Oregon Anaesthesiology Group reported this in an official press release.

On October 21, the FBI notified the OAG of the seizure of an account belonging to the Ukrainian hacker group HelloKitty, which contained files of patients and OAG employees. The FBI believes HelloKitty exploited a vulnerability in a third-party firewall that allowed hackers to gain access to our network.representatives of the Oregon Anesthesiology Group notify.

Although the ransomware HelloKitty, also known as FiveHands, has been active since January 2021, details of the possible location of its operators have not been previously disclosed. This was not mentioned in CISA and FBI IC3 warnings, nor in numerous reports from information security companies, including NCC Group, Cado Security, Malwarebytes, Palo Alto Networks, SentinelOne, and Mandiant.

The FBI warned of the group in October, noting that the group has become known for aggressively pressuring its victims with a double extortion technique.

In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim’s public facing website.the FBI said.

Let me remind you that this group is known mainly due to the CD Projekt Red hack that occurred at the beginning of this year.

The amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as “HelloKitty”. This has nothing to do with disgruntled gamers and is just your average ransomware.Fabian Wosar from Emisoft on his Twitter account told.s

Currently, hackers are still active and continue to engage in ransomware attacks.

Let me remind you that we also talked about France are looking for LockerGoga ransomware developers in Ukraine.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *