S0617: HELLOKITTY
HELLOKITTY is ransomware written in C++ that shares a similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.[1]
Analyst context for executives and security teams
HELLOKITTY matters because it is Windows ransomware associated in ATT&CK with discovery, WMI-based execution, encryption for impact, and actions that can inhibit recovery. For leaders, the practical issue is not just malware identification; it is whether the organization can detect pre-encryption discovery, protect recovery options, and restore operations if shared drives or business-critical Windows systems are encrypted.
Executive priority
Prioritize this as an operational resilience and incident readiness concern. The ATT&CK relationships point to behaviors that affect business continuity: identifying processes and storage, discovering network shares, executing through Windows Management Instrumentation, encrypting data, and weakening recovery. Executives should ask whether backup and restore evidence is current, whether SOC teams can see WMI and discovery activity on Windows endpoints, and whether ransomware response playbooks include decisions for isolating affected systems, validating backups, and communicating operational impact.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the related techniques: T1047 Windows Management Instrumentation, T1057 Process Discovery, T1135 Network Share Discovery, T1680 Local Storage Discovery, T1486 Data Encrypted for Impact, and T1490 Inhibit System Recovery. Because the official ATT&CK entry does not provide malware-specific detection guidance, focus on behavior-based monitoring for Windows ransomware tradecraft rather than HELLOKITTY-specific indicators. Confirm visibility into WMI execution, process enumeration, share enumeration, storage/volume discovery, abnormal file encryption patterns, and attempts to disable or remove recovery mechanisms.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity and remote/local WMI execution logs
- Windows event logs relevant to service, process, and administrative activity
- Network share access and SMB-related audit telemetry
- File system activity showing high-volume file modification or encryption-like behavior
Detection direction
- Validate that ransomware detections do not rely only on final encryption behavior; discovery of processes, shares, and storage may provide earlier warning.
- Tune detections for unusual WMI execution patterns, especially when paired with discovery commands or broad access to network shares.
- Correlate process discovery, network share discovery, and local storage discovery with subsequent file modification spikes or recovery-inhibition events.
- Review false positives from legitimate administration tools, backup software, inventory scanners, and IT automation that may use WMI or enumerate systems.
- Ensure detection content is scoped to the supported malware platform from the ATT&CK object: Windows.
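As an added example (not part of the ATT&CK object or of Glexia's analysis), the Python below implements the correlation logic sketched in the list above over constructed Sysmon-style process-creation and file-modification events: it tags discovery commands (T1057, T1135, T1680), WMI-driven shadow copy deletion (T1047, T1490) and file-modification bursts (T1486), then alerts only when discovery precedes an impact behaviour on the same host within a time window. The event fields, command-line patterns, threshold and window are assumptions for illustration, not HELLOKITTY indicators, and would need tuning against real telemetry and the administrative baselines noted in the list.

```python
"""Behaviour-based correlation for Windows ransomware tradecraft.

Constructed example: scores per-host sequences of discovery, WMI-driven
shadow copy deletion and file-modification bursts. Event records, patterns
and thresholds are assumptions for illustration, not malware indicators.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns mapped to the techniques in this entry.
# They match common administrative tooling, so tune per environment.
DISCOVERY_PATTERNS = {
    "T1057": re.compile(r"\btasklist\b|\bget-process\b", re.I),
    "T1135": re.compile(r"\bnet\s+(view|share)\b", re.I),
    "T1680": re.compile(r"logicaldisk|fsutil\s+fsinfo\s+drives", re.I),
}
RECOVERY_INHIBIT = re.compile(
    r"shadowcopy\s+delete|vssadmin.*delete\s+shadows", re.I)
WMI_HOSTS = {"wmiprvse.exe", "wmic.exe"}   # WMI provider host / WMI CLI

FILE_BURST_THRESHOLD = 50   # file modifications within WINDOW (assumed)
WINDOW = timedelta(minutes=10)


def classify(event):
    """Return the technique IDs a single process-creation event hints at."""
    hits = set()
    if event["type"] != "process_create":
        return hits
    cmd = event["cmdline"]
    for tid, pat in DISCOVERY_PATTERNS.items():
        if pat.search(cmd):
            hits.add(tid)
    if RECOVERY_INHIBIT.search(cmd):
        hits.add("T1490")
        # WMI involvement: wmic itself, or a child of the WMI provider host
        if (event["image"].lower() in WMI_HOSTS
                or event.get("parent", "").lower() in WMI_HOSTS):
            hits.add("T1047")
    return hits


def correlate(events):
    """Alert when discovery on a host is followed, within WINDOW, by
    recovery inhibition or a file-modification burst on the same host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts, seen = [], set()
    for host, evs in by_host.items():
        discovery = []   # (timestamp, technique) pairs seen so far
        for i, ev in enumerate(evs):
            ts = datetime.fromisoformat(ev["ts"])
            techs = classify(ev)
            recent = {t for t0, t in discovery if ts - t0 <= WINDOW}
            burst = sum(1 for e in evs[:i + 1] if e["type"] == "file_modify"
                        and ts - datetime.fromisoformat(e["ts"]) <= WINDOW)
            impact = techs & {"T1490", "T1047"}
            if burst >= FILE_BURST_THRESHOLD:
                impact.add("T1486")
            key = (host, tuple(sorted(impact)))
            if recent and impact and key not in seen:
                seen.add(key)
                alerts.append({"host": host, "ts": ev["ts"],
                               "discovery": sorted(recent),
                               "impact": sorted(impact)})
            for tid in techs & set(DISCOVERY_PATTERNS):
                discovery.append((ts, tid))
    return alerts


def sample_events():
    """Constructed telemetry: one host with the full chain, one benign host."""
    def proc(ts, host, image, cmdline, parent="cmd.exe"):
        return {"ts": ts, "host": host, "type": "process_create",
                "image": image, "cmdline": cmdline, "parent": parent}

    def fmod(ts, host):
        return {"ts": ts, "host": host, "type": "file_modify"}

    evs = [
        proc("2024-05-01T10:00:00", "WS-042", "tasklist.exe", "tasklist /v"),
        proc("2024-05-01T10:00:30", "WS-042", "net.exe", "net view \\\\fs01"),
        proc("2024-05-01T10:01:00", "WS-042", "wmic.exe",
             "wmic logicaldisk get caption"),
        proc("2024-05-01T10:02:00", "WS-042", "wmic.exe",
             "wmic shadowcopy delete"),
        proc("2024-05-01T10:00:05", "WS-007", "tasklist.exe", "tasklist"),
    ]
    # 60 rapid file modifications on the suspicious host, 3 on the benign one
    evs += [fmod(f"2024-05-01T10:03:{s:02d}", "WS-042") for s in range(60)]
    evs += [fmod(f"2024-05-01T10:05:{s:02d}", "WS-007") for s in range(3)]
    return evs


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Run as a script, the block prints two alerts for WS-042 only: the first when shadow copy deletion via wmic follows the three discovery commands, the second when the file-modification count crosses the threshold; WS-007's lone tasklist and handful of file changes never produce an alert, which is the false-positive behaviour the list asks for.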
Mitigation priorities
- Confirm resilient, tested, and access-controlled backups, including protection against deletion or tampering with recovery mechanisms.
- Restrict and monitor administrative use of WMI, especially remote execution paths and privileged accounts.
- Harden access to network shares using least privilege and audit high-risk shared locations that could amplify ransomware impact.
- Segment critical Windows systems and business-critical file repositories to reduce blast radius.
- Maintain incident response procedures for rapid isolation, backup validation, restoration prioritization, and executive decision-making during ransomware events.
Analyst notes and limits
The official ATT&CK description identifies HELLOKITTY as C++ ransomware with similar code structure and functionality to DEATHRANSOM and FIVEHANDS, used since at least 2020, with cited targets including a Polish video game developer and a Brazilian electric power company. The most useful defensive value comes from the related behaviors: WMI execution, discovery of processes, shares and local storage, data encryption, and inhibition of recovery.
The supplied ATT&CK object has no official detection text, no listed tactics on the malware object itself, no aliases, and only Windows as the malware platform. Related techniques include broader platform lists, but those should not be interpreted as HELLOKITTY platform support. Local telemetry, architecture, backup design, and administrative baselines are required to determine actual exposure and detection coverage.
HELLOKITTY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.[1] |
| Enterprise | T1490 | Inhibit System Recovery | HELLOKITTY can delete volume shadow copies on compromised hosts.[1] |
| Enterprise | T1135 | Network Share Discovery | HELLOKITTY has the ability to enumerate network resources.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | HELLOKITTY can use WMI to delete volume shadow copies.[1] |
| Enterprise | T1680 | Local Storage Discovery | HELLOKITTY can enumerate logical drives on a target system.[1] |
| Enterprise | T1057 | Process Discovery | HELLOKITTY can search for specific processes to terminate.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d9842bc05cbc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye FiveHands April 2021: McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. (Open source URL)
[2] mitre-attack S0617: MITRE ATT&CK software entry for HELLOKITTY. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.