HelloKitty Gang Adds DDoS Threat to Ransomware Attacks

FBI Issued Flash Alert in late October

The US Federal Bureau of Investigation (FBI) recently issued one of its flash alerts to warn organizations that the HelloKitty (also known as FiveHands) ransomware gang has, since January 2021, been observed inflicting double extortion: installing ransomware, then threatening to launch a Distributed Denial of Service (DDoS) attack against the organization unless it pays the ransom. It is not surprising that cybercriminals are increasingly combining ransomware with DDoS, since DDoS attacks are easy to launch and effective. For cybersecurity analysts, who must stay constantly vigilant to protect their networks, such FBI alerts serve an important purpose.

According to the most recent FBI flash alert, the HelloKitty operators gain initial access using compromised credentials or known vulnerabilities in SonicWall products (CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-20023). Once inside the network, the threat actor uses publicly available penetration-testing tool suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire, preloaded with publicly available tools like Bloodhound and Mimikatz, to map the network and escalate privileges before exfiltration and encryption.

DDoS Attacks Before and After Ransomware Infiltration

It is important to recognize that a ransomware attack may include a DDoS attack intended to take down a firewall or create network noise that distracts IT security analysts while the threat actors breach the network to install their ransomware. Once the ransomware is in place, the criminals may then threaten to launch a larger volumetric DDoS attack, which would cause unwanted downtime and disrupt business continuity.

Given the problems of locked files or stolen data, the costs of a ransomware attack can be crippling to an organization even if the ransom is not paid. Coupled with a volumetric DDoS attack, this makes it very difficult or impossible for an organization to function properly, especially if that organization relies heavily on the Internet to conduct business.

The FBI states that it is best not to succumb to the demands of the cybercriminals, because there is no guarantee that they will stop the attack or unlock your data. Furthermore, paying the ransom rewards criminals and supports their ability to launch further attacks on other victims. Instead, the FBI asks that any organization victimized by a ransomware attack report it to their local FBI field office, so that agents can investigate, hopefully locate the encryption key, and identify and prosecute the criminals. The FBI statement also said that they may request information such as the following:

  • IP addresses identified as malicious or suspicious
  • Email addresses of the attackers
  • A copy of the ransom note
  • Ransom amount
  • Bitcoin wallets used by the attackers
  • Post-incident forensic reports

The Importance of Forensic Data

Forensic reports are an important aspect of cybersecurity: by understanding past attacks, one may prevent future ones. A modern, intelligently automated DDoS solution can analyze the vectors used in an attack, determine whether any are new, and confirm that the attack was blocked without collateral damage. Such mitigation systems can create accurate exact-match filters to surgically defend against attacks. These exact-match rules are essential to respond dynamically to the evolving nature of today’s sophisticated DDoS attacks.
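As an added illustration of the analysis just described (example code, not Corero's or its SmartWall logic): a toy engine that groups sampled packet headers into vectors, flags vectors absent from a baseline, turns them into exact-match rules, and scores those rules for collateral damage against constructed legitimate traffic. The record format, the 25% share threshold and the baseline set are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One sampled packet header. Constructed record format for this example."""
    src: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    tcp_flags: str   # "S" = SYN only, "PA" = PSH/ACK, "" for UDP
    length: int      # frame length in bytes
    legit: bool      # ground truth, used only to score collateral damage

# Vector classes (proto, port, flags) the hypothetical engine has seen before.
KNOWN_VECTORS = {("tcp", 443, "S")}

def vector_of(p):
    """Header tuple an exact-match rule keys on: proto, dst port, flags, length."""
    return (p.proto, p.dst_port, p.tcp_flags, p.length)

def find_attack_vectors(sample, min_share=0.25):
    """Flag any exact header tuple carrying at least min_share of sampled packets.
    Legitimate traffic spreads over many tuples; flood traffic collapses onto a few."""
    counts = Counter(vector_of(p) for p in sample)
    return {v for v, c in counts.items() if c / len(sample) >= min_share}

def new_vectors(vectors, known):
    """Vectors whose (proto, port, flags) class is not in the known baseline."""
    return {v for v in vectors if v[:3] not in known}

def apply_filters(sample, filters):
    """Return (attack_blocked, legit_dropped) for a set of exact-match rules."""
    blocked = dropped = 0
    for p in sample:
        if vector_of(p) in filters:
            if p.legit:
                dropped += 1
            else:
                blocked += 1
    return blocked, dropped

def constructed_sample():
    """Constructed traffic mix: varied legitimate HTTPS (including 60-byte SYNs
    with options), a flood of option-less 40-byte SYNs, and a 1480-byte UDP flood."""
    legit = [Pkt(f"10.0.0.{i}", 443, "tcp", "PA", 400 + i, True) for i in range(1, 21)]
    legit += [Pkt(f"10.0.1.{i}", 443, "tcp", "S", 60, True) for i in range(1, 6)]
    syn_flood = [Pkt(f"198.51.100.{i}", 443, "tcp", "S", 40, False) for i in range(1, 41)]
    udp_flood = [Pkt(f"203.0.113.{i}", 80, "udp", "", 1480, False) for i in range(1, 41)]
    return legit + syn_flood + udp_flood
```

Because the rules match on frame length as well as port and flags, the 40-byte SYN flood is blocked while the legitimate 60-byte SYNs to the same port pass, which is the zero-collateral-damage property the text describes.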

To learn how to protect your organization from a ransomware DDoS attack, download our whitepaper, “Surviving Ransom Driven DDoS Extortion Campaigns.”

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. For more on Corero’s flexible deployment models, click here. If you’d like to learn more, please contact us.