HelloKitty ransomware rebrands, releases CD Projekt and Cisco data

By Bill Toulas
April 19, 2024, 03:20 PM

An operator of the HelloKitty ransomware operation announced they changed the name to 'HelloGookie,' releasing passwords for previously leaked CD Projekt source code, Cisco network information, and decryption keys from old attacks.

The threat actor who made the announcement goes by the name 'Gookee/kapuchin0' and claims to be the original creator of the now-defunct HelloKitty ransomware.

As first reported by threat researcher 3xp0rt on Thursday, the rebranding coincides with the launch of a new dark web portal for HelloGookie.

To celebrate the launch, the threat actor released four private decryption keys that can be used to decrypt files in older attacks, as well as internal information stolen from Cisco in a 2022 attack and passwords for the leaked source code for Gwent, Witcher 3, and Red Engine stolen from CD Projekt in 2021.

As first spotted by VX-Underground, a group of developers has already compiled Witcher 3 from the leaked source code, sharing screenshots and videos of development builds.

[Image: VX-Underground tweet]

One representative of the group compiling Witcher 3, known as 'sventek', told BleepingComputer that the leaked CD Projekt data is 450 GB uncompressed and contains source code for Witcher 3, Gwent, Cyberpunk, various console SDKs (PS4/PS5, Xbox, Nintendo), and some build logs.

BleepingComputer was told that the leaked source code contains binaries allowing the launch of a developer build of Witcher 3.

The developers are now working on compiling the game from the source, sharing a video and screenshots with BleepingComputer that they say were taken from an early build.

[Image: Screenshot of alleged Witcher 3 build compiled from leaked source code. Source: Sventek]

Sventek told BleepingComputer that they were previously able to compile Cyberpunk 2077 from the CD Projekt leak and were behind the previous GTA V source code leak.

Who is HelloKitty

HelloKitty was a ransomware operation launched in November 2020, notorious for attacking corporate networks, stealing data, and encrypting systems.

Their first high-profile attack occurred in February 2021, when they breached CD Projekt Red, the creator of the Cyberpunk 2077, Witcher 3, and Gwent titles. The ransomware gang encrypted the company's servers and stole source code as part of the attack.

[Image: CD Projekt Red ransom note. Source: BleepingComputer]

HelloKitty later claimed they had sold the data on the dark web, including the code for the then unreleased Witcher 3.

The ransomware operation gradually grew larger, releasing a Linux-focused variant in mid-2021 that targeted VMware ESXi, creating additional profit-making opportunities for its affiliates.

In 2022, the data leak site for another ransomware operation, Yanluowang, was allegedly hacked to leak conversations between the members. These conversations revealed that Yanluowang was tightly associated with the developer of HelloKitty, who used the name Guki in the conversations.

In October 2023, Gookee/kapuchin0 leaked the HelloKitty builder and source code on a hacker forum, marking the end of operations.

Returns as HelloGookie

The threat actor now claims that they rebranded the ransomware operation as HelloGookie, but has not revealed any new victims, and there is no evidence of recent attacks.

However, the threat actor has released stolen information from older attacks on CD Projekt Red and Cisco.

The data leak site also includes four private decryption keys for an older version of the HelloKitty ransomware encryptor, which could allow some victims to recover their files for free. Researchers told BleepingComputer that they are currently investigating the keys to determine which versions of the encryptor they work with.

[Image: New HelloGookie site. Source: BleepingComputer]

The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (hashed account passwords) supposedly extracted during a security breach.

Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account.

Kapuchin0's access to this data and a shout-out to Yanluowang show a closer collaboration between the two groups than originally known.

"Cisco is aware of the recently published information referencing a security incident in May 2022. A detailed summary of the incident can be found in this August 2022 blog post by Cisco Talos, our threat intelligence research organization," Cisco told BleepingComputer today regarding the leak of data.

It remains to be seen whether HelloGookie will reach the operational success, attack volumes, and notoriety levels of HelloKitty.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Comments

redapplesfruit - 17 hours ago
"Sventek told BleepingComputer that they were previously able to compile Cyberpunk 2077 from the CD Projekt leak and were behind the previous GTA V source code leak."
Do you mean that "sventek" leaked the GTA V source code or that he has compiled the GTA V source code?

Sventek_667 - 5 hours ago
Hey, Sventek here :) I compiled the GTA source and helped with getting "hosting" the files :)

redapplesfruit - 5 hours ago
That's awesome that you were able to reply! Thanks!