Ransomware is malware that encrypts a victim's files and demands payment for the key needed to unlock them. Because ransomware families evolve and change their encryption schemes over time, a working free decryptor is rarely available. In most cases, victims are left with two options: remove the malware and accept the loss of the files (or restore them from backups), or pay the attackers and hope they keep their promise to decrypt. This is what the video game studio CD Projekt faced when it was attacked with the HelloKitty ransomware.
There is no honor among thieves, so we strongly advise against paying the criminals a cent, even when they offer to decrypt a single file for free to prove they can. Your files were not locked by chance: the same people offering to unlock them are the ones who broke into your systems and locked you out of your own data, so you have every right to distrust anything they say.
HelloKitty ransomware is a notorious family that targets businesses and renames each affected file by appending .crypted to the file name. Once the encryption has run, the key needed to decrypt the files is held only by the attackers, making them the only party able to restore access.
What Does the HelloKitty Ransomware Do?
HelloKitty behaves somewhat differently from, and is more complex than, other malware in its category. To understand its behavior, let's use the attack on CD Projekt as an example. Before encrypting anything, the attackers copied source code from the servers hosting the studio's games, along with investor documents, accounting information, and legal and human resources files. The servers themselves were then encrypted. The attackers followed up with a threat to publish the stolen files if the ransom was not paid, the so-called double-extortion model: even a victim with good backups is still exposed to the leak.
A good lesson from this attack is that the victim did not give in to the demands. Instead, CD Projekt publicly announced that it would not negotiate with the criminals and handed the case over to law enforcement.
Once HelloKitty finishes encrypting, it drops a ransom note. The note left at CD Projekt read as follows:
!!!!!!!!!!!!! Hello CD PROJEKT !!!!!!!!!!!!!
Your have been EPICALLY pwned!!
We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher!!!
We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more!
Also, we have encrypted all of your servers, but we understand that you can most likely recover from backups.
If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contact in gaming journalism. Your public image will go down to the shitty even more people will see how you shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!
You have 48 hours to contact us.
The note above was directed at CD Projekt. The company acted quickly, publishing a statement within 24 hours that informed the public about the attack. Other victims of this ransomware receive a similar text file explaining the attack. It reads as follows:
Hello dear user.
Your files have been encrypted.
— What does it mean?!
Content of your files have been modified. Without special key you can’t undo that operation.
— How to get special key?
If you want to get it, you must pay us some money and we will help you.
We will give you special decryption program and instructions.
— Ok, how i can pay you?
1) Download TOR browser, if you don’t know how to do it you can google it.
2) Open this website in tor browser: hxxp://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/ d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0
3) Follow instructions in chat.
The ultimate goal of a ransomware scheme is to exploit the victim's fear and pressure them into meeting the attacker's demands. However, there is no guarantee that a paying victim will get their files back, or that the criminals will not keep demanding more money. Paying also funds the operation and signals that the attacks are profitable and worth repeating against other victims.
How to Remove the HelloKitty Ransomware?
At the time of writing, no free tool can decrypt files locked by HelloKitty ransomware, so be careful that your search for a solution does not end in a second scam. Many victims report buying "decryptors" from other developers that turn out to be useless software that cannot do what it was sold for. Treat any paid decryptor with suspicion and check reputable sources, such as law-enforcement or anti-malware vendor decryptor listings, before spending anything.
The best way to handle this situation is to remove the malware. First, disconnect the infected computer from the home or work network (unplug the cable or disable Wi-Fi) to stop HelloKitty from spreading to other devices on the same network. Then back up all of the encrypted files to an isolated external drive; they may become recoverable if a decryptor is released later, and they are also evidence. If you have clean backups, do not restore anything until you are sure the malware has been completely removed, or the restored files may simply be encrypted again.
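The two preparation steps above (identify what was encrypted, then preserve it on isolated storage with a record you can trust later) can be scripted. The following is an added example, not code from the original article or from any vendor tool. It assumes the .crypted extension the article describes and uses phrases from the quoted ransom notes as a heuristic for spotting note files; the sample victim directory it builds is constructed for the demo. Run it from the isolated machine, or against the affected drive mounted read-only elsewhere, and point `dest` at the external drive.

```python
"""Triage helper: inventory HelloKitty-style artifacts and preserve them.

Added example (not the article's code). Assumptions: encrypted files end in
.crypted; ransom notes are small text files containing phrases seen in the
notes quoted above. Paths and sample contents below are constructed.
"""
import hashlib
import json
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ENCRYPTED_EXT = ".crypted"
# Heuristic markers taken from the ransom notes quoted in the article.
NOTE_MARKERS = ("Your files have been encrypted", "decryption program", ".onion")
# Matches both live and defanged (hxxp) onion URLs; v3 onion names are 56 chars.
ONION_RE = re.compile(r"(?:hxxp|http)s?://([a-z2-7]{16,56}\.onion)\S*", re.I)


def sha256_of(path: Path) -> str:
    """Stream the file so large encrypted archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> Optional[str]:
    """Return 'encrypted', 'note', or None for files that are neither."""
    if path.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted"
    if path.suffix.lower() in (".txt", ".html", ".hta"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            return None
        # Require two markers so an ordinary text file is not flagged.
        if sum(m in text for m in NOTE_MARKERS) >= 2:
            return "note"
    return None


def inventory(root: Path) -> List[Dict]:
    """Walk root and describe every encrypted file and ransom note found."""
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = classify(p)
        if kind is None:
            continue
        rec = {
            "path": p.relative_to(root).as_posix(),
            "kind": kind,
            "size": p.stat().st_size,
            "sha256": sha256_of(p),
        }
        if kind == "encrypted":
            rec["original_name"] = p.name[: -len(ENCRYPTED_EXT)]
        else:
            m = ONION_RE.search(p.read_text(errors="ignore"))
            rec["onion"] = m.group(1).lower() if m else None
        records.append(rec)
    return records


def preserve(root: Path, dest: Path) -> Dict:
    """Copy artifacts to dest (keeping relative paths and timestamps),
    verify each copy against its source hash, and write a JSON manifest."""
    records = inventory(root)
    for rec in records:
        src, target = root / rec["path"], dest / rec["path"]
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 preserves mtime for the timeline
        if sha256_of(target) != rec["sha256"]:
            raise RuntimeError(f"copy of {src} does not match its source hash")
    manifest = {"source": str(root), "dest": str(dest), "artifacts": records}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> Dict:
    """Build a constructed sample victim directory in a temp folder and triage it."""
    base = Path(tempfile.mkdtemp(prefix="hk_triage_"))
    victim, backup = base / "victim", base / "backup"
    (victim / "docs").mkdir(parents=True)
    (victim / "docs" / "budget.xlsx.crypted").write_bytes(os.urandom(64))
    (victim / "photo.jpg.crypted").write_bytes(os.urandom(64))
    (victim / "untouched.txt").write_text("nothing to see here")
    (victim / "read_me_unlock.txt").write_text(
        "Hello dear user.\nYour files have been encrypted.\n"
        "We will give you special decryption program and instructions.\n"
        "2) Open this website in tor browser: "
        "hxxp://exampleonionaddressexampleonionaddress2345.onion/abc\n"
    )
    return preserve(victim, backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest gives you the original file names (useful for deciding what must come from backups), a hash per artifact so a future decryptor's output can be checked against the preserved copy, and the contact address from the note, which is the kind of indicator to hand to law enforcement rather than to visit.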
Once you have prepared the system for the removal process, you can now apply the solutions below:
Solution #1: Use a Strong Anti-Malware Program to Scan, Detect, and Remove Ransomware
The internet offers a plethora of choices; there are plenty of products, but you need to pick one that is reputable. We advise using a well-known anti-malware security suite to remove the malware permanently.
- Install the security suite and run it.
- Select the Full Scan option and wait for the process to complete.
- Choose Remove or Quarantine to delete flagged content.
- Now, press Windows + I keys to launch the Settings window.
- Select the Apps category, then go through the list of installed programs and identify any you don't recognize, especially those installed just before or during the HelloKitty attack.
- Once you identify a suspicious app, click on it and select the Uninstall button next to it.
- When done, close the window.
Solution #2: Delete all Encrypted Files from the Computer
Since you have already backed up the encrypted files, you can wipe the originals from the computer so that no remnants of the attack remain. Here is how:
- Open File Explorer and identify the drive that holds your personal data. If your files live on the same drive as Windows, do not format it; delete the encrypted files by hand instead and continue with the System Restore steps below.
- If the data is on a separate drive, right-click that drive and select Format. Follow the prompts to complete formatting the disk.
- Press the Windows key, type Restore Point, and press Enter.
- Under System Protection, click System Restore, then Next.
- Select a restore point that was created before the infection and confirm.
- The system then rolls back its system files, installed programs, and registry to that earlier, healthy state. System Restore does not recover personal documents, so the encrypted files will still have to come from your clean backups.