
HelloKitty Ransomware Actively Targets Windows, Linux & ESXi

HelloKitty ransomware has resurfaced with newly discovered variants targeting Windows, Linux, and ESXi environments in a renewed wave of cyberattacks. Security researchers have noted a significant rise in activity, confirming that HelloKitty is once again a serious threat to the cybersecurity landscape.

First observed in October 2020 as an updated version of the DeathRansom malware, HelloKitty has since evolved its reach. The most recent versions reveal a more advanced and focused strategy by employing RSA-2048 public key encryption, with the key hashed using SHA-256 to provide a unique victim ID.

There have been at least eleven additional HelloKitty samples discovered since September 2024, showing a notable operational resurgence. The ransomware has evolved considerably, with improved encryption techniques and a broader focus on critical operating systems.

The early campaigns mostly targeted gaming companies, healthcare providers, and power plants. But by July 2021, the group had developed a Linux ESXi encryptor, showing a clear push to expand their attack surface.

HelloKitty’s Cross-Platform Resurgence and Evolving Tactics

HelloKitty consistently returns with better methods, even after extended silences. Although its previous command-and-control servers have disappeared from the dark web, security experts discovered possible new variants in February 2025, suggesting the criminal group is still operational.

The updated HelloKitty ransomware retains its core file-encryption functionality and appends extensions such as “CRYPTED,” “CRYPT,” or “KITTY.” Unlike many ransomware operations that prioritize branding, HelloKitty personalises its ransom messages by addressing victims by name—resulting in a more targeted approach to extortion.

HelloKitty Group’s Ransom Note Demands Payment to Prevent Code Leak (The Raven File)

HelloKitty uses Visual C++ and UPX packing to hinder reverse engineering. The encryption process utilises a 32-byte seed value derived from the CPU timestamp, employing Salsa20 for initial encryption, followed by AES.

After encryption, files get metadata for decryption, such as an RSA-encrypted file size, a magic number, and the AES key. Some variations include an NTRU public key, illustrating the ransomware’s flexibility.

Geographic research reveals a peculiar distribution pattern that challenges earlier hypotheses of attribution. Although U.S. authorities have pointed to Ukraine, many of the most recent samples have appeared on Chinese IP addresses, complete with internal files labelled in Mandarin and references to local services such as QQ and SkyCN.

HelloKitty Ransomware Kill-Chain: Exploits, Toolset & CVEs (The Raven File)

A CHINANET server previously linked to China-connected cyber activity was identified in a 2024 sample. However, none of the known victim lists include Chinese companies.

Although there is no current dark web activity directly associated with the group, a recent sample (MD5: a831d838a924ea135c3e0f315f73fcd3) uploaded from China raises further concerns.

While it lacks an onion link, the code bears notable similarities to known ransomware families, suggesting that the group may be shifting its tactics. The sample shares about 5% of its code with RingQ malware, which has led to suspicion that the attackers are building new infrastructure in preparation for a more aggressive campaign.

Security experts now face a serious challenge with HelloKitty’s resurgence bolstered by sophisticated encryption, cross-platform capabilities, and an increasingly ambiguous geographic origin.
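As an added defensive example (not code from this article or from the researchers it cites), the Python script below triages a directory tree for the two indicators the article provides: files carrying the CRYPTED, CRYPT or KITTY extensions, counted per directory so that a burst of renamed files stands out from a stray one, and files whose MD5 matches a known-bad hash, seeded with the sample hash quoted above. The directory layout, the second "known-bad" hash and the burst threshold are constructed for the demonstration and are not from the original page.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article reports HelloKitty appending to encrypted files.
HELLOKITTY_EXTENSIONS = {".crypted", ".crypt", ".kitty"}

# Known-bad MD5 hashes. The first is the sample hash quoted in the article;
# the second is a constructed stand-in so the hash-match path can be
# exercised offline without a real malware sample.
CONSTRUCTED_SAMPLE_BYTES = b"constructed stand-in for a HelloKitty sample (not malware)"
KNOWN_BAD_MD5 = {
    "a831d838a924ea135c3e0f315f73fcd3",                 # from the article
    hashlib.md5(CONSTRUCTED_SAMPLE_BYTES).hexdigest(),  # constructed
}

# Number of renamed files in one directory at or above which we treat it as
# likely encryption activity rather than a stray file (assumed threshold).
BURST_THRESHOLD = 2


def md5_of_file(path: Path) -> str:
    """Stream a file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path) -> dict:
    """Walk `root` and report HelloKitty indicators.

    Returns a dict with:
      encrypted_files   - paths (relative to root) carrying a known extension
      encrypted_by_dir  - count of such files per directory
      burst_dirs        - directories at or above BURST_THRESHOLD
      hash_hits         - paths whose MD5 matches a known-bad hash
    """
    root = root.resolve()
    encrypted_files = []
    encrypted_by_dir = Counter()
    hash_hits = []
    for dirpath, _dirs, names in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() in HELLOKITTY_EXTENSIONS:
                encrypted_files.append(rel)
                encrypted_by_dir[rel_dir] += 1
            if md5_of_file(path) in KNOWN_BAD_MD5:
                hash_hits.append(rel)
    burst_dirs = sorted(d for d, n in encrypted_by_dir.items() if n >= BURST_THRESHOLD)
    return {
        "encrypted_files": sorted(encrypted_files),
        "encrypted_by_dir": dict(encrypted_by_dir),
        "burst_dirs": burst_dirs,
        "hash_hits": sorted(hash_hits),
    }


def build_sample_tree(base: Path) -> None:
    """Constructed directory layout mimicking a partially encrypted share."""
    files = {
        "docs/report.docx.CRYPTED": b"ciphertext placeholder",
        "docs/budget.xlsx.CRYPTED": b"ciphertext placeholder",
        "docs/notes.txt": b"untouched plaintext",
        "media/photo.jpg.kitty": b"ciphertext placeholder",
        "tmp/dropper.bin": CONSTRUCTED_SAMPLE_BYTES,  # matches the constructed hash
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and return the report."""
    base = Path(tempfile.mkdtemp(prefix="hellokitty-triage-"))
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the `KNOWN_BAD_MD5` set would be fed from a threat-intelligence feed rather than hard-coded, and `scan_tree` would be pointed at file shares and ESXi datastores rather than a temp directory; the per-directory burst count is what distinguishes in-progress encryption from a single leftover file.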

Successful ransomware attacks are most often preceded by phishing emails. Ensure your colleagues maintain a security-first mindset and strengthen your human firewall by starting Phishing Tackle’s security awareness training today with our two-week free trial.
