FBI Links HelloKitty Ransomware to Ukrainian Operators
A medical organization in Oregon, which recently reported a data breach, has inadvertently revealed that the FBI believes the hacker group behind the HelloKitty (also known as FiveHands) ransomware operates out of Ukraine.
Typically, law enforcement agencies do not disclose information about hacker groups while investigations are ongoing, as they are still gathering evidence, conducting surveillance, and preparing for possible arrests. Premature disclosure could allow suspects to destroy evidence or escape to countries without extradition agreements with the United States. However, in this case, the "leak" did not come from law enforcement itself.
The recently breached company, Oregon Anesthesiology Group (OAG), stated in an official press release:
"On October 21, the FBI notified OAG about the seizure of an account belonging to the Ukrainian hacker group HelloKitty, which contained files of OAG patients and employees. The FBI believes that HelloKitty exploited a vulnerability in a third-party firewall, allowing the hackers to access our network."
Although the HelloKitty ransomware, also known as FiveHands, has been active since January 2021, details about the possible location of its operators had not been previously disclosed. There were no mentions of this in warnings from CISA or FBI IC3, nor in numerous cybersecurity company reports, including those from NCC Group, Cado Security, Malwarebytes, Palo Alto Networks, SentinelOne, and Mandiant.
The group is primarily known for the high-profile hack of CD Projekt Red earlier this year. The hackers remain active and continue to carry out ransomware attacks.