The FBI believes the HelloKitty ransomware gang operates out of Ukraine

Law enforcement agencies typically keep information on threat actors private as much as possible in order to gather evidence, watch, and then orchestrate arrests before suspects can destroy evidence or seek shelter in countries without extradition treaties.

However, in a recent data breach disclosure, an Oregon healthcare organization appears to have accidentally revealed that the FBI believes that the HelloKitty (FiveHands) ransomware gang operates out of Ukraine.

"On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files," the Oregon Anesthesiology Group said in a breach disclosure on December 6.

"The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network," it added.

While the HelloKitty ransomware, also known as FiveHands, has been active since January 2021, details about the gang's possible location had not been previously shared or disclosed.

No mentions about their possible location were included in a CISA alert, an FBI IC3 alert, nor in reports from multiple security firms such as NCC Group, Cado Security, Malwarebytes, Palo Alto Networks, SentinelOne, and Mandiant.

With Ukrainian police successfully detaining members of the REvil, Clop, and LockerGoga gangs, along with others, over the past six months, it is now a real possibility that this slip-up from OAG might have tipped off HelloKitty's Ukrainian operators to the need to move to a new jurisdiction.

Currently, the HelloKitty gang is still active and engaged in attacks.

In most attacks, the gang has typically targeted unpatched SonicWall devices as entry points into corporate networks. The gang's most high-profile victim was Polish game studio CD Projekt RED, in February this year.