Linux ELF-64 versions of the HelloKitty ransomware targeted VMware ESXi servers and the virtual machines (VMs) running on them.
▪ The HelloKitty ransomware, also known as Kitty ransomware, was first seen in November 2020. The family was named after a mutex it creates, “HelloKittyMutex”.
▪ The ransomware gang targeted virtualization platforms, specifically VMware ESXi servers, so that operators could encrypt every virtual machine on a server at once.
▪ HelloKitty shuts down all virtual machines on an ESXi server before encrypting their files, so that the files are not locked by running VMs and the encryption does not corrupt data.
▪ ESXi servers can be compromised by exploiting a remote code execution (RCE) vulnerability in ESXi. HelloKitty operators use such an RCE bug to upload the Linux encryptor to the server, execute it, and encrypt all data on the server.
▪ The Windows version of HelloKitty ransomware first terminates processes and Windows services and then encrypts files, appending the .KITTY or .CRYPTED file extension.
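As an added detection example (not from the original write-up), the following Python flags the two behaviours described above: a burst of VM kill commands on an ESXi host before encryption, and files carrying the .KITTY/.CRYPTED extensions. It assumes ESXi shell-log lines of the constructed form shown, uses the real `esxcli vm process kill` command as the shutdown method (the page does not say how the VMs are stopped), and applies the extensions listed for the Windows variant to datastore paths, which is also an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of ESXi /var/log/shell.log (exact format is an
# assumption); the mass "esxcli vm process kill" burst is the VM-shutdown step.
SHELL_LOG = """\
2021-07-01T10:02:11Z shell[1001]: [root]: esxcli vm process list
2021-07-01T10:02:14Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101203
2021-07-01T10:02:15Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101210
2021-07-01T10:02:16Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101222
2021-07-01T10:02:17Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101231
2021-07-01T14:30:00Z shell[1002]: [root]: esxcli vm process kill --type=soft --world-id=2101240
"""
# Constructed datastore listing after an incident (paths are made up).
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.KITTY",
    "/vmfs/volumes/ds1/web01/web01.vmx.crypted",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
]
LINE_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")
KILL_RE = re.compile(r"\besxcli vm process kill\b")
ENCRYPTED_EXT = (".kitty", ".crypted")  # extensions listed on the page

def vm_kill_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return (user, first_timestamp, count) for each run of at least
    `threshold` VM kill commands issued within `window`. One kill is routine
    admin work; killing every VM within seconds matches the pre-encryption step."""
    kills = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and KILL_RE.search(m.group(3)):
            kills.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2)))
    bursts, i = [], 0
    while i < len(kills):
        j = i
        while j + 1 < len(kills) and kills[j + 1][0] - kills[i][0] <= window:
            j += 1  # extend the run while the next kill is still inside the window
        if j - i + 1 >= threshold:
            bursts.append((kills[i][1], kills[i][0].isoformat(), j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts

def encrypted_files(paths):
    """Datastore paths carrying an extension the page attributes to HelloKitty."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]
```

On the constructed log, the four force-kills within three seconds produce one alert while the isolated soft kill hours later does not.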