HelloKitty ransomware rebranded and back in business, looking for employees


Threat actors previously known as the HelloKitty ransomware gang have announced that they are rebranding as “HelloGookie.” To mark the occasion, they released decryption keys from some older attacks and leaked more of the data stolen from CD Project Red and Cisco. They are also now looking to hire someone to make voice calls to victims directly.

HelloKitty was infamous for breaching the Polish game company CD Project Red in 2021 and exfiltrating the source code for the company’s flagship games Cyberpunk 2077, Witcher 3, and Gwent.

As first observed by security researcher 3xp0rt, a hacker claiming to be the creator of HelloKitty ransomware is announcing the revival of the gang under a new name, HelloGookie. The threat actor used aliases Kapuchin0, Gookee, and Byte for the announcements on various forums.

The threat actor marked the debut with a massive data dump on a newly created dark web site. HelloGookie posted a 750GB archive containing a version of the Cyberpunk 2077 source code and various builds of Witcher 3.

VX-underground researchers reported that enthusiasts managed to compile a working build of Witcher 3 from the leaked data.

However, four password-protected 7z archives in the dump remain locked, and HelloGookie is demanding $10,000 to unlock and publish each one. The last archive in the line contains the source code for Cyberpunk 2077.

Another leak contains “private keys,” which could likely be used to decrypt and recover files encrypted in some of the gang’s previous ransomware attacks.

The third leak contains data from Cisco. In 2022, the company admitted it had suffered a cyberattack after the Yanluowang ransomware group published a list of the stolen files on its leak site.

Kapuchin0 also boasts of having released updated Linux and Windows builds, “a bunch of stuff,” and promises that “it will only be more interesting” in the future.

The threat actor not only sent regards to peers at LockBit, mocking their “shitty software,” but also posted a job listing for a “caller + talker.”

“I'm looking for someone who can use voice calls to get through to this horned devil who doesn't see fit to pay for other people's labor,” Kapuchin0 said.

The listed requirements for the role include “Bringing the right person/people to the point of paranoid attacks.”

“HelloGookie victims should be prepared for such calls, as it's quite possible that they have already hired someone. Given that such services are already provided to other ransomware gangs, it's not that difficult to find such an employee,” security researcher 3xp0rt posted on X.

However, the leak site does not yet list any new victims.

The FBI first observed HelloKitty/FiveHands ransomware in January 2021. In an alert that year, authorities warned that HelloKitty/FiveHands actors aggressively pressure victims, typically through double extortion (encrypting data and threatening to leak it). In some cases, if the victim did not respond quickly or refused to pay, the threat actors launched a Distributed Denial of Service (DDoS) attack against the victim company’s public-facing website.

Cybernews researchers have not discovered any new HelloKitty malicious activity since July last year.