HelloKitty Ransomware Resurfaced Targeting Windows, Linux, & ESXi Environments

Cybersecurity experts have detected a concerning revival of the HelloKitty ransomware, with new variants actively targeting Windows, Linux, and ESXi environments simultaneously. First observed in October 2020, HelloKitty has evolved from its origins as a DeathRansom ransomware fork, expanding its targeting capabilities and refining its attack techniques.

Security researchers have identified at least 11 new HelloKitty samples in circulation since September 2024, indicating a significant operational resurgence. The revamped ransomware maintains its core functionality of encrypting victim files and appending extensions such as ‘CRYPTED,’ ‘CRYPT,’ or ‘KITTY’ to compromised data.

Unlike many ransomware families that prominently display their branding, HelloKitty customizes ransom notes to directly address victims by name, creating a more personalized extortion approach. The ransomware is written in Visual C++ and frequently uses UPX packing to compress executables and complicate reverse engineering efforts.

THE RAVEN FILE researchers [identified](https://theravenfile.com/2025/04/10/hellokitty-resurfaced/) that the latest HelloKitty variants display an unusual pattern of geographic dispersion, with many samples initially uploaded from Chinese IP addresses despite previous attribution suggestions linking the operation to Ukraine. According to their year-long research project analyzing HelloKitty samples, the malware has undergone significant technical modifications while maintaining its distinctive encryption approach.

The ransomware has demonstrated [persistence](https://cybersecuritynews.com/malware-com-hijacking-persistence/) across multiple years, with evidence of three distinct operational batches: the original 2020 deployment, a Christmas 2020 batch that shared characteristics with FiveHands ransomware, and the newest 2024 variants that show enhanced capabilities.
![Infection chain](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtB7mItm3Bq6rfYNVg7rlrJ5shvZsbXSZu7O4tCTWf99ADC6mh2yB_VTyW3ZU3qg5quIttJu1wUU9aWhQvp6ZCI6Tzj0KZ_IBcn8kFYi7Sbo8h-bLwHsl6F813JGn87dli9aPJVfX46QdZ86ozbeiSXdduqYqMZaOt4Jazf484-PL506bCgKri2M18f-g/s16000/Infection%20chain%20(Source%20-%20The%20Raven%20File).webp)

Infection chain (Source — The Raven File)

While earlier campaigns primarily targeted gaming companies, healthcare services, and power generation facilities, the latest campaign appears to be casting a wider net across sectors. Despite periods of dormancy, HelloKitty consistently returns with technical improvements. Most recently, security analysts detected potential new variants in February 2025, suggesting ongoing development efforts even as older command and control infrastructure has disappeared from the [dark web](https://cybersecuritynews.com/dark-web-market-threat-predictions-for-2025/).

## Sophisticated Encryption Mechanisms

HelloKitty’s encryption process represents one of its most technically advanced features, employing different approaches depending on the target environment. On Windows systems, it implements a combination of AES-128 and NTRU encryption, while [Linux environments](https://cybersecuritynews.com/ransomhub-evolves-to-attack-windows-esxi-linux/) face AES-256 paired with ECDH cryptography.

![Ransom note](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj44SP-ZAvPAQ8YsUzFtxlRmHZMhjOSQLA-SVyeQ-KPnDubZndsGHjFCfLmOWOJPD3g4xguZSXlZNyVL3_xa7ldSG9MGGYhoIgwH9tGs0oVZNJiFRO5CZ0laSm441diOZik5WB2SshoBijOXGAFizc4Hv1c0cAXs1f_8Q1s7_ktiXw1kqIsp8KQenxRjBE/s16000/Ransom%20Note%20(Source%20-%20The%20Raven%20File).webp)

Ransom Note (Source — The Raven File)

The encryption process begins when HelloKitty embeds an RSA-2048 public key that serves dual purposes: its SHA256 hash becomes the victim identifier within the ransom note, and the key itself encrypts each file’s symmetric key. HelloKitty generates a 32-byte seed value derived from the CPU timestamp, then produces a Salsa20 key to encrypt a second 32-byte seed. These values undergo XOR operations to create the final 32-byte key that drives AES file encryption.

```
// Simplified representation of HelloKitty's key generation process
seed1 = GenerateFromCPUTimestamp(32);                // 32-byte timestamp-based seed
seed2 = GenerateRandomBytes(32);                     // second 32-byte seed
salsa20_key = DeriveSalsa20Key(seed1);
encrypted_seed2 = Salsa20Encrypt(seed2, salsa20_key);
final_key = XOR(seed1, encrypted_seed2);             // final AES encryption key
```

After encrypting each file, HelloKitty appends metadata including the original file size, a magic value of ‘DE C0 AD BA,’ and the AES key (encrypted with the RSA public key). The process concludes by adding four magic bytes, ‘DA DC CC AB,’ to the end of the encrypted file, serving as a signature for files processed by the ransomware.
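The appended metadata and trailing signature described above are what a responder can key on when triaging a suspected HelloKitty incident. The following Python is an added example, not code from the article or from The Raven File: it detects on the two byte sequences the article reports (taken in the byte order written) and the three listed extensions; the field order and sizes used to build the constructed sample file are assumptions, since the article does not give them.

```python
import os
import tempfile

# Marker bytes the article reports in HelloKitty output files, plus the listed
# extensions. The metadata field order and sizes are NOT given by the article.
METADATA_MAGIC = bytes.fromhex("DEC0ADBA")   # magic inside appended metadata
TRAILER_MAGIC = bytes.fromhex("DADCCCAB")    # last four bytes of the file
KNOWN_EXTENSIONS = (".crypted", ".crypt", ".kitty")
FOOTER_WINDOW = 1024  # assumption: size, magic and RSA-wrapped key fit here

def inspect_file(path: str) -> dict:
    """Read-only triage of one file; only the footer is searched, since four
    arbitrary bytes can occur by chance anywhere inside ciphertext."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - FOOTER_WINDOW))
        footer = fh.read()
    trailer = footer.endswith(TRAILER_MAGIC)
    metadata = METADATA_MAGIC in footer
    return {
        "extension_match": path.lower().endswith(KNOWN_EXTENSIONS),
        "trailer_magic": trailer,
        "metadata_magic": metadata,
        "likely_encrypted": trailer and metadata,  # both markers = strong signal
    }

def scan_tree(root: str) -> list:
    """Sorted paths under root whose footer carries both structural markers."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if inspect_file(full)["likely_encrypted"]:
                hits.append(full)
    return sorted(hits)

def build_demo_tree() -> dict:
    """Constructed data, not real samples: one file in the assumed layout
    (size, magic, dummy wrapped key, trailer), one plain, one renamed only."""
    root = tempfile.mkdtemp()
    tail = (4096).to_bytes(8, "little") + METADATA_MAGIC + bytes(256) + TRAILER_MAGIC
    paths = {"root": root}
    for key, name, body in (("encrypted", "q1.xlsx.crypted", os.urandom(4096) + tail),
                            ("clean", "notes.txt", b"quarterly figures\n" * 64),
                            ("renamed_only", "photo.jpg.kitty", os.urandom(2048))):
        paths[key] = os.path.join(root, name)
        with open(paths[key], "wb") as fh:
            fh.write(body)
    return paths
```

Treat the extension as a weak indicator only, since a file can simply have been renamed; the two structural markers together are the result worth escalating on.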
