An investigation by the U.S. Federal Bureau of Investigation (FBI) into a data breach at an Oregon healthcare organization produced an unexpected disclosure: the FBI believes that the ransomware gang known as HelloKitty, also tracked as Five Hands and Death Kitty, operates out of Ukraine.
“On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network. According to the cyber forensics report obtained by OAG in late November, the cybercriminals, once inside, were able to data-mine the administrator’s credentials and access OAG’s encrypted data,” reads a statement published by Oregon Anesthesiology Group disclosing the data breach.
Law enforcement agencies typically withhold information about the likely location of ransomware gangs. HelloKitty has been in operation since January 2021, but the group's probable location had not previously been disclosed.
The gang behind the HelloKitty ransomware uses aggressive tactics such as double extortion (encrypting data and also threatening to leak stolen copies) to pressure victims into paying. In some cases, if the victim does not respond quickly or refuses to pay, the threat actors launch a Distributed Denial of Service (DDoS) attack against the victim's public-facing website.
Earlier this year, HelloKitty ransomware was observed in attacks on the video game maker CD Projekt Red and on Transnet, South Africa's state-owned ports and freight rail operator. The group has also exploited vulnerabilities in SonicWall appliances, including CVE-2021-20016 (SMA 100 series) and CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 (Email Security), to gain initial access.