Threat Actor Profile
Description
Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Unit42 states that HelloKitty is a ransomware family that '
'first surfaced at the end of 2020, primarily targeting '
'Windows systems. The malware family got its name due to its '
'use of a Mutex with the same name: HelloKittyMutex. The '
'ransomware samples seem to evolve quickly and frequently, '
'with different versions making use of the .crypted or .kitty '
'file extensions for encrypted files. Some newer samples make '
'use of a Golang packer that ensures the final ransomware code '
'is only loaded in memory, most likely to evade detection by '
'security solutions.\n',
'firstseen': None,
'group': 'hellokitty',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': None,
'locations': [{'available': False,
'fqdn': '3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion',
'slug': 'http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion',
'title': 'News',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': '3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion',
'slug': 'http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion',
'title': 'News',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'hellokitty',
'tools': {},
'url': 'https://www.ransomware.live/group/hellokitty',
'victims': 0,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/hellokitty',
'victims': 0,
'vulnerabilities': []}