The FBI believes the HelloKitty ransomware gang operates out of Ukraine
Catalin Cimpanu December 15, 2021

Law enforcement agencies typically keep information on threat actors private as much as possible in order to gather evidence, watch, and then orchestrate arrests before suspects can destroy evidence or seek shelter in countries without extradition treaties.

However, in a recent data breach disclosure, an Oregon healthcare organization appears to have accidentally revealed that the FBI believes that the HelloKitty (FiveHands) ransomware gang operates out of Ukraine.

“On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files,” the Oregon Anesthesiology Group said in a breach disclosure on December 6.

“The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network,” it added.

While the HelloKitty ransomware, also known as FiveHands, has been active since January 2021, details about the gang’s possible location had not been previously shared or disclosed.

No mention of their possible location was included in a CISA alert, an FBI IC3 alert, or in reports from multiple security firms such as NCC Group, Cado Security, Malwarebytes, Palo Alto Networks, SentinelOne, and Mandiant.

With Ukrainian police successfully detaining members of the REvil, Clop, and LockerGoga gangs, along with others, over the past six months, it is now a real possibility that this slip-up from OAG might have tipped off HelloKitty’s Ukrainian operators to the need to move to a new jurisdiction.

Currently, the HelloKitty gang is still active and engaged in attacks.

In most attacks, the gang has typically targeted unpatched SonicWall devices as entry points into corporate networks. The gang’s most high-profile victim was Polish game studio CD Projekt RED, in February this year.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.