HelloKitty ransomware rebrands, releases CD Projekt and Cisco data

An operator of the HelloKitty ransomware operation announced they changed the name to 'HelloGookie,' releasing passwords for previously leaked CD Projekt source code, Cisco network information, and decryption keys from old attacks.

The threat actor who made the announcement goes by the name ‘Gookee/kapuchin0’ and claims to be the original creator of the now-defunct HelloKitty ransomware.

As first reported by threat researcher 3xp0rtblog on Thursday, the rebranding coincides with the launch of a new dark web portal for HelloGookie.

To celebrate the launch, the threat actor released four private decryption keys that can be used to decrypt files in older attacks, as well as internal information stolen from Cisco in a 2022 attack and passwords for the leaked source code for Gwent, Witcher 3, and Red Engine stolen from CD Projekt in 2021.

As first spotted by VX-Underground, a group of developers have already compiled Witcher 3 from the leaked source code, sharing screenshots and videos of development builds.

One representative of the group compiling Witcher 3 known as 'sventek' told BleepingComputer that the leaked CD Projekt data is 450 GB uncompressed and contains source code for Witcher 3, Gwent, Cyberpunk, various console SDK (PS4/PS5 XBOX NINTENDO), and some build logs.

BleepingComputer was told that the leaked source code contains binaries allowing the launch of a developer build of Witcher 3. The developers are now working on compiling the game from the source, sharing a video and screenshots with BleepingComputer that they say were taken from an early build.

Screenshot of alleged Witcher 3 build compiled from leaked source code
Source: Sventek

Sventek told BleepingComputer that they were previously able to compile Cyberpunk 2077 from the CD Projekt's leak and were behind the previous GTA V source code leak.

Who is HelloKitty

HelloKitty was a ransomware operation launched in November 2020, notorious for attacking corporate networks, stealing data, and encrypting systems.

Their first high-profile attack occurred in February 2021, when they breached CD Projekt Red, the creator of the Cyberpunk 2077, Witcher 3, and Gwent titles. The ransomware gang encrypted the company's servers and stole source code as part of the attack.

CD Projekt Red ransom note
Source: BleepingComputer

HelloKitty later claimed they had sold the data on the dark web, including the code for the then unreleased Witcher 3.

The ransomware operation gradually grew larger, releasing a Linux-focused variant in mid-2021 that targeted VMware ESXi, creating additional profit-making opportunities for its affiliates.

In 2022, the data leak site for another ransomware operation, Yanluowang, was allegedly hacked to leak conversations between the members. These conversations revealed that Yanluowang was tightly associated with the developer of HelloKitty, who used the name Guki in the conversations.

In October 2023, Gookee/kapuchin0 leaked the HelloKitty builder and source code on a hacker forum, marking the end of operations.

Returns as HelloGookie

The threat actor now claims that they rebranded the ransomware operation as HelloGookie but has not revealed any new victims and has no evidence of recent attacks.

However, the threat actor has released stolen information from older attacks on CD Projekt Red and Cisco. The data leak site also includes four private decryption keys for an older version of the HelloKity ransomware encryptor, which could allow some victims to recover their files for free.

Researchers told BleepingComputer that they are currently investigating the keys to determine which versions of the encryptor they work with.

New HelloGookie site
BleepingComputer

The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach.

Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account.

Kapuchin0's access to this data and a shout-out to Yanluowang show a closer collaboration between the two groups than originally known.

"Cisco is aware of the recently published information referencing a security incident in May 2022. A detailed summary of the incident can be found in this August 2022 blog post by Cisco Talos, our threat intelligence research organization," Cisco told BleepingComputer today regarding the leak of data.

It remains to be seen whether HelloGookie will reach the operational success, attack volumes, and notoriety levels of HelloKitty.