Hello Kitty
Hello Kitty is a ransomware family, also reported as Hello Kitty/Five Hands. Reporting links it primarily to the Vice Society threat actor, which has repeatedly been described as deploying third-party ransomware strains rather than relying on a unique locker of its own. Vice Society has used Hello Kitty/Five Hands in attacks alongside other families such as Zeppelin, Rhysida, RedAlert, BlackCat, Quantum Locker, and INC.
Cited reporting states that Vice Society first appeared in summer 2021 and disproportionately targeted the education sector, especially K-12 institutions, while other reporting also associates the actor with attacks on healthcare and manufacturing organizations.
The group's intrusions involved exploitation of internet-facing applications and compromised valid accounts for initial access, with some reporting specifically noting exploitation of the PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527 for privilege escalation. Associated tradecraft included network exploration and data exfiltration for double extortion; lateral movement using SystemBC, PowerShell Empire, Cobalt Strike, WMI, and tainted shared content; persistence via scheduled tasks and registry autostarts; and DLL side-loading, masquerading, process injection, and sandbox evasion.
Reporting also notes that Hello Kitty was among the ransomware variants most likely to re-extort victims in 2021 and that it held 5.4% market share in Q3 2021 ransomware attacks. Separately, former Conti members are reported to have later infiltrated or taken over multiple operations including Hello Kitty.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Named ransomware family referenced as one of the third-party payloads used by Vice Society.
A third-party ransomware locker delivered in Vice Society attacks.
Ransomware operation cited as associated with post-Conti member migration/infiltration.
Ransomware strain historically associated with Vice Society activity.