Breach Monitoring News Feed

HelloKitty is a ransomware family first observed in November 2020, named after a string found in its binary. It operates as a human-operated, big-game hunting ransomware, manually deployed after network intrusion and reconnaissance. HelloKitty uses a double-extortion model—encrypting files and threatening to leak stolen data on a Tor-based site. The malware encrypts files using AES-256 in CBC mode with RSA-2048 to protect keys, appending extensions such as .crypted or campaign-specific suffixes. Distribution typically occurs via compromised RDP credentials, phishing, or exploitation of known vulnerabilities. The group gained notoriety in February 2021 after attacking CD Projekt Red, the developer of The Witcher and Cyberpunk 2077, stealing source code for several games. Subsequent variants have targeted both Windows and Linux systems, including ESXi servers.

Help_restoremydata is a ransomware variant identified around late 2024/early 2025, notable for appending the .help_restoremydata extension to encrypted files. It changes the victim’s desktop wallpaper and drops a ransom note titled HOW_TO_RECOVERY_FILES.html to instruct victims on how to pay for decryption. Initial discovery appears to stem from underground forum monitoring and threat intelligence assessments, marking it as emerging but not widely distributed. Technical details beyond these behaviors—such as encryption algorithms or distribution mechanisms—have not been documented in major cybersecurity advisories. .help_restoremydata ext : .help_restoremydata note : HOW_TO_RECOVERY_FILES.html

Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group operating out of Asia. It originally appeared as a Ransomware-as-a-Service (RaaS) offering on underground forums but later saw deployment in targeted attacks. Hermes uses AES-256 encryption to lock victim files and appends a variety of extensions (including .hrm and campaign-specific variants). The ransom note, often named DECRYPT_INFORMATION.html or DECRYPT_INFORMATION.txt, provides payment instructions via email. The ransomware gained notoriety in 2018 when it was used as a destructive wiper in the Far Eastern International Bank (FEIB) heist in Taiwan, where attackers deployed Hermes to cover their tracks after a SWIFT fraud operation. Over time, Hermes code has been re-used and integrated into other ransomware families, including some Ryuk builds, suggesting code sharing or purchase from the original developer. Distribution vectors have included phishing campaigns, malicious attachments, and exploitation of RDP services.

Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 there was a switch from GoLang to Rust.

HolyGhost is a ransomware group first publicly reported in July 2022, believed to be operated by a North Korean state-sponsored threat actor tracked as APT43 or Andariel, a subgroup of the Lazarus Group. The group has been active since at least June 2021, using a double-extortion model that combines encryption of victim files with threats to leak stolen data via a Tor site. Early HolyGhost variants (BTLC_C.exe) used a custom file extension .h0lyenc, while later builds added more robust encryption, obfuscation, and evasion capabilities. Targeted victims include small and medium-sized businesses in manufacturing, finance, education, and event planning, primarily in the United States, South Korea, Brazil, and India. Intrusion methods include exploitation of vulnerable public-facing applications, credential theft, and possibly the use of purchased access from other threat actors. Unlike purely criminal groups, HolyGhost is suspected of being leveraged for both revenue generation and strategic cyber operations in support of DPRK objectives.

Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of Latin American origin. The group has targeted entities in South America and the United States, including financial institutions, government agencies, and private companies. Hotarus is known for deploying both custom ransomware and publicly available tools, alongside stealing sensitive information for double-extortion purposes. The group has been observed exploiting vulnerable web services, using stolen credentials, and leveraging publicly available post-exploitation frameworks to gain persistence in victim networks. Encrypted files are typically appended with extensions such as .hotarus or campaign-specific identifiers, and ransom notes direct victims to communicate via encrypted email services. Notably, in some campaigns, Hotarus deployed data leak threats without encrypting files, focusing solely on exposure as a pressure tactic.

Hunters International is a ransomware group first identified in October 2023, believed to have taken over or rebranded from the now-defunct Hive ransomware operation. Shortly after its emergence, security researchers found significant code overlaps with Hive, suggesting that Hunters International either acquired Hive’s source code or involved former Hive developers. The group operates a double-extortion model—encrypting victim data and threatening to leak it on a Tor-based site. It has targeted organizations worldwide across healthcare, manufacturing, education, and government sectors. The ransomware is written in Rust, supports both Windows and Linux/ESXi environments, and appends extensions such as .locked to encrypted files. Initial access is typically obtained via compromised RDP credentials, phishing campaigns, or vulnerabilities in exposed systems.