HelloKitty ransomware source code leaked on hacking forum


A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

The leak was first discovered by cybersecurity researcher 3xp0rt, who spotted a threat actor named 'kapuchin0' releasing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released by someone named 'kapuchin0,' 3xp0rt told BleepingComputer that the threat actor also utilizes the alias 'Gookee.'

A threat actor named Gookee has been previously associated with malware and hacking activity, attempting to sell access to Sony Network Japan in 2020, linked to a Ransomware-as-a-Service operation called 'Gookee Ransomware,' and trying to sell malware source code on a hacker forum.

3xp0rt believes kapuchin0/Gookee is the developer of the HelloKitty ransomware, who now says, "We are preparing a new product and much more interesting than Lockbit."

The released hellokitty.zip archive contains a Microsoft Visual Studio solution that builds the HelloKitty encryptor and decryptor and the NTRUEncrypt library that this version of the ransomware uses to encrypt files.

Ransomware expert Michael Gillespie confirmed to BleepingComputer that this is the legitimate source code for HelloKitty used when the ransomware operation first launched in 2020.

While the release of ransomware source code can be helpful for security research, the public availability of this code does have its drawbacks.

As we saw when HiddenTear was released (for "educational reasons") and Babuk ransomware source code was released, threat actors quickly used the code to launch their own extortion operations.

To this day, over nine ransomware operations continue using the Babuk source code as the basis for their own encryptors.


Level 42
Honorary Member
Top Poster
Content Creator
Apr 13, 2013
This is a bit late as Kitty had been deconstructed quite some time ago and certain folk have been riffing off of it and releasing similar nastier feline stuff for many months (Ophelia seeks the PurrrrFect variant).
