Menu
Browse

Cyber Threat Actor: HelloKitty

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
58 incidents
Profile

The threat actor known as Vice Society also operates under the aliases HelloKitty and FiveHands and is believed to be based in Russia. It has been observed since mid‑2021 as a ransomware‑as‑a‑service group that seeks financial gain through encryption of victim data and double extortion tactics, threatening to leak stolen information if a ransom is not paid. The group’s public statements and victim reports indicate a focus on organizations with weaker security controls where the likelihood of compromise and ransom payout is higher, a pattern noted in multiple sector‑specific incidents.

Vice Society’s tactics include exploiting zero‑day vulnerabilities, such as the BATM‑4780 flaw in the General Bytes ATM management platform that allowed remote deployment of malicious Java applications to steal cryptocurrency. The actors have used the PrintNightmare vulnerability for privilege escalation, employing a custom DLL to bypass Windows protections. Lateral movement is facilitated through tools like proxychain and impacket, and they deliberately target backup systems and degrade ESXi virtualization servers to impede recovery efforts. In addition to deploying their own HelloKitty ransomware variant, they have been seen leveraging other ransomware families including BlackCat, QuantumLocker, Zeppelin and RedAlert during attacks on educational targets.

Notable operations illustrate the group’s breadth: a zero‑day attack on General Bytes Bitcoin ATMs resulted in the theft of approximately $1.5 million in cryptocurrency; the Italian banking association ABI suffered a leak of employee payroll, health and credential data after Vice Society claimed responsibility; Puerto Rico’s water authority had customer passports and driver’s licenses exposed following a ransomware intrusion; UK educational institutions such as Wymondham College and Lewis & Clark College experienced system disruption and data leaks; the French maternity hospital Hôpital Pierre Rouquès – Les Bluets saw 150 GB of files exfiltrated; and the Los Angeles Unified School District was hit with a large‑scale ransomware event that disrupted IT services across the district.

Attribution remains limited to geographic indicators, with open‑source reporting placing the actors’ infrastructure in Russia, though no direct state sponsorship has been demonstrated in the sources. The group’s self‑described motivation centers on monetary gain and notoriety, as reflected in their statements that attacked entities provide either “glory or money.” Their observed activity spans multiple continents and sectors, underscoring a financially driven ransomware operation that adapts its tooling to exploit newly disclosed weaknesses while maintaining a consistent pattern of data theft and extortion. This concludes the factual profile based solely on the provided information.

Incidents
Attributed incidents available to members
58 incidents
Sources
Sources available to members
39 sources