Once known only as a cute fictional character produced by the Japanese company Sanrio, HelloKitty is now known in the incident response world as a new, invasive type of ransomware. According to Malwarebytes, HelloKitty ransomware (also known as Kitty ransomware) was first seen in November 2020. Some refer to HelloKitty as DeathRansom, a ransomware family whose earlier variants merely renamed target files and did not always encrypt them. While little information is available, one Coalition policyholder came too close for comfort to this new and aggressive threat group.
After more than 30 years in business, a medical practice management company started their day like any other, until their IT team realized they could not get into their systems. When IT logged in, every file carried the dreaded .crypted extension. Unfortunately, their backup data was also compromised. This was deeply concerning given the large amount of Protected Health Information (PHI) and billing information they store.
They contacted Coalition immediately. We assessed their environment and prepared to open communications with the threat actor. It was important to get in touch with the attacker because the victim’s phone had been ringing off the hook — at least seven times within the first 24 hours.
The influx of phone calls makes HelloKitty especially threatening and dangerous. The attackers called the client and warned them to reach out via email to discuss their options. They even left voicemails. They are relentless in their attempts to scare victims. Not only that, these attackers have the potential to call an organization’s clients, customers, and vendors. The last thing you want is your attacker contacting and intimidating the people crucial to your business.
Tip: All policyholders with an issue, please call 24x7 toll-free at +1 833 866 1337 or email [email protected]. The sooner, the better.
We asked the client to stop communicating with the threat actors and helped assess their backups. After moving to email communication and days of negotiation, we reduced the ransom demand from $750,000 to $200,000. We got the encryption key, the attacker deleted their copy of the data, and we successfully restored all but one of their non-critical backups.
If this ever happens to your business — don’t answer the phone. Don’t pick up calls from unknown numbers. It simply starts the clock. After you’ve engaged, there is no turning back.
What stands out to us about HelloKitty ransomware are the non-stop phone calls. This is a scare tactic we are concerned we will see more and more often. It scares victims into making rash decisions when in reality, they should contact their cyber insurance provider and work to come up with a safe plan of action and recovery.
A good data backup can mean the difference between a full loss and a full recovery after a ransomware attack. To protect your business, you’ll need to develop a strategy tailored to your business, taking into account the type of data you create and need to run your business. At a minimum, this strategy should address three main elements: how often backups are performed, what data is included, and where they are stored.
Attackers are becoming more and more familiar with where and how backups are stored on a network. They are writing malware that automatically targets backup files to render them useless. You must keep a copy of your backups offline.
• Maintain both onsite and offsite backups for critical business data. Onsite backups are vulnerable to malware but allow quicker recovery times for incidents like a hard drive crash, while offsite backups are isolated from ransomware and incidents which physically destroy hardware in your primary location. We recommend using offline backups to store essential data completely separate from the primary network (see section below). Cloud backups with a username and password combination not associated with an organization’s domain are another alternative; even though they are “online” by virtue of being a cloud-based service, the separation from your main network and location provides additional security.
• You must test your backups by trying a full recovery. Unfortunately, it is extremely common for organizations to only test their backups when they need them, and failures are extremely high in those situations. Issues you can avoid by testing include corrupted backups, unrecoverable data, and incomplete backups.
• Verify the coverage of your backups. Designing a strategy today that covers all essential business data is great, but next year you may have different systems and processes which generate different data. It’s important to periodically verify whether your backup strategy is still aligned to your current business environment and make sure any new data sources are included.
• Veeam Cloud
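The two bullets above on testing backups by full recovery and verifying their coverage can be automated. The script below is an added example, not Coalition's tooling: it records a SHA-256 manifest when a backup is taken, later performs a full restore into a scratch directory, and reports data sources that are missing from the restore (coverage gaps) or whose contents no longer match (corruption). The file names and contents are constructed sample data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return manifest {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_backup(archive_path, manifest):
    """Full restore into a scratch dir, then diff the restored tree against the manifest."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (3.12+, backported to patch releases) rejects unsafe member paths
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **opts)
        restored = {p.relative_to(restore_dir).as_posix(): sha256_file(p)
                    for p in Path(restore_dir).rglob("*") if p.is_file()}
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"missing": missing, "corrupted": corrupted, "ok": not (missing or corrupted)}

def demo():
    """Constructed scenario: a good backup, then a later one that lost and altered files."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        src.mkdir()
        (src / "patients.db").write_bytes(b"constructed PHI placeholder")
        (src / "billing.csv").write_text("invoice,amount\n1001,250.00\n")
        manifest = make_backup(src, Path(work, "good.tgz"))
        first = verify_backup(Path(work, "good.tgz"), manifest)
        (src / "billing.csv").unlink()                         # data source dropped
        (src / "patients.db").write_bytes(b"constructed PHI")  # silently truncated
        make_backup(src, Path(work, "bad.tgz"))
        second = verify_backup(Path(work, "bad.tgz"), manifest)  # judge against known-good manifest
    return first, second
```

Run the check on a schedule against the manifest from the last known-good backup, not against the archive's own listing, so a backup job that quietly stopped covering a data source shows up as "missing" rather than as a clean run.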
In the digital world we live in, we know it is tough to keep critical data off the internet, whether that data lives in email, on a file share, or in a cloud platform. We are noticing attack groups, such as the HelloKitty ransomware threat actors, who focus on data exfiltration so that they can still threaten the company even when it does not need decryption because it has backups.
We strongly urge all companies to keep their most sensitive data offline and inaccessible to a threat actor. Whether that data is stored in an encrypted volume, offline on an external drive, or in a third-party tool protected by multi-factor authentication (MFA), leaving it in plain sight on a network is no longer an acceptable way to mitigate the risk from these types of attacks.
Coalition Control is our integrated platform that lets you take a proactive approach to manage cyber risk, all for free. Our Automated Scanning & Monitoring finds organizational risk and shows you how to fix it before the unthinkable happens. Sign up with just your email address and start controlling your risk right away. You can’t afford not to.
For more posts in the Coalition Claims Chronicles series, see how we saved a manufacturer $1.7M from a ransomware event leading to property damage and managed to recover $1.3M for a customer after a phishing attack leading to funds transfer fraud.