- Los CIO consideran que la gestión de costes puede acabar con el valor de la IA
- 칼럼 | AI 에이전트, 지금까지의 어떤 기술과도 다르다
- The $23 Echo Dot deal is a great deal to upgrade your smart home this Black Friday
- Amazon's Echo Spot smart alarm clock is almost half off this Black Friday
- The newest Echo Show 8 just hit its lowest price ever for Black Friday
FBI’s investigation accidentally revealed the HelloKitty ransomware gang operates out of Ukraine
While investigating a data breach suffered by a healthcare organization, FBI accidentally revealed that it believes that the HelloKitty ransomware gang operates out of Ukraine.
The investigation conducted by FBI on a recent data breach suffered by an Oregon healthcare organization lead to the accidental revelation that the FBI believes that the HelloKitty ransomware gang (Five Hands) operates out of Ukraine.
“Oregon Anesthesiology Group, P.C. (OAG) experienced a cyberattack on July 11, after which we were briefly locked out of our servers.” reads the notice of data breach published by the Oregon Anesthesiology Group. “On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network.”
The HelloKitty gang has been active since January 2021 and it is still active. In November, the US FBI has published a flash alert warning private organizations of the evolution of the HelloKitty ransomware (aka FiveHands). According to the alert, the ransomware gang is launching distributed denial-of-service (DDoS) attacks as part of its extortion activities.
The ransomware gang targets their victims’ websites with DDoS attacks if they refuse to pay the ransom. The HelloKitty ransomware group, like other ransomware gangs, implements a double extortion model, stealing sensitive documents from victims before encrypting them. Then the threat actors threaten to leak the stolen data to force the victim into paying the ransom.
The HelloKitty/FiveHands gang is known to demand varying ransom payments in Bitcoin (BTC) that are commensurate with the economic capabilities of the victims.
The group’s operators use several techniques to breach the targets’ networks, such as exploiting SonicWall flaws (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002) or using compromised credentials.
In May, US CISA also published an analysis report (AR21-126A) on the FiveHands ransomware, anyway US authorities never disclosed the possible location of the gang.
The accidental revelation can now suggest the gang temporarily suspend its operations moving its activities to another country where local police will be more indulgent.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine