The HelloKitty ransomware group has been observed to use a Linux variant to target VMware’s ESXi virtual machine platform. They use the tactic known as double extortion, wherein they exfiltrate user information before encrypting their data.
This ransomware encrypts the data on your disk and can stop you from using your device or accessing your data. It encrypts files, renders them inaccessible, and demands payment for the decryption key.
For information about ransomware and other human-operated ransomware campaigns, read the following blog post:
Keep Microsoft Defender up to date to help mitigate this threat, and use it to run regular system scans and remove any threats it detects.
There is no one-size-fits-all response if you have been victimized by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
The following ransom note is displayed on the affected user’s computer:
The file extension .crypt is appended to encrypted files. The ransomware keeps track of the total number of files already encrypted and the number still to be encrypted. It also checks for any running virtual machines (VMs) and terminates their processes if any are found:
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date.
Go to aka.ms/ransomwaresolutions for general information and frequently asked questions about ransomware, defense against ransomware, and the ransomware incident response playbook.
To reduce the possible impact of exploited vulnerabilities, avoid opening executables from unknown sources unless you are confident they are legitimate.
Run periodic diagnostic scans with Microsoft Defender.
Read about preventing malware infection to learn more about preventing ransomware or other malware from affecting individual devices.
Guidance for enterprise administrators
Ransomware more often attacks enterprises than individuals. Following these mitigation steps can help prevent ransomware attacks:
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Turn on tamper protection features to prevent attackers from stopping security services.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activities.
Devices affected by this ransomware exhibit the following symptoms:
A ransom note on the computer
Files with .crypt appended to the file extension. These files have been encrypted by the ransomware.
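The two symptoms above, together with the .crypt behaviour described earlier, are enough to scope an incident on an affected Linux or ESXi datastore. The script below is an added example written for this page (it is not Microsoft's code nor anything from the ransomware): it walks a directory tree, lists every file whose name ends in the appended .crypt suffix, and summarizes which original file types were hit, so a responder can size the damage before restoring from backup. The sample directory tree it builds is constructed for the demonstration; the ransom note filename is not stated on the page, so the script does not look for one.

```python
"""
Triage helper for HelloKitty (Linux) symptoms: find files carrying the
appended ".crypt" suffix and summarize the original file types affected.

Added example for this page; not Microsoft's code and not the ransomware's.
The sample tree built by make_sample_tree() is constructed for the demo.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".crypt"  # suffix the page states is appended to encrypted files


def strip_suffix(name: str) -> str:
    """Return the pre-encryption filename by removing a trailing '.crypt'."""
    if name.endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def triage(root: Path) -> dict:
    """
    Walk `root` and return:
      encrypted  - sorted list of paths that end in '.crypt'
      by_type    - Counter of the original extension of each encrypted file
                   (on a datastore this shows whether .vmdk/.vmx files were hit)
      untouched  - count of files without the suffix
    """
    encrypted = []
    untouched = 0
    by_type = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                orig_ext = Path(strip_suffix(name)).suffix
                by_type[orig_ext or "(no extension)"] += 1
            else:
                untouched += 1
    return {"encrypted": sorted(encrypted), "by_type": by_type, "untouched": untouched}


def summary(root: Path) -> dict:
    """Condense triage() into the numbers a responder reports first."""
    result = triage(root)
    total = len(result["encrypted"]) + result["untouched"]
    return {
        "encrypted_count": len(result["encrypted"]),
        "untouched_count": result["untouched"],
        "by_type": dict(result["by_type"]),
        "encrypted_fraction": len(result["encrypted"]) / max(1, total),
    }


def make_sample_tree() -> Path:
    """Build a constructed datastore-like tree: some files encrypted, some not."""
    root = Path(tempfile.mkdtemp(prefix="hk_triage_"))
    layout = {  # constructed sample layout, not real data
        "vm1/vm1.vmdk.crypt": b"\x00" * 16,
        "vm1/vm1.vmx.crypt": b"\x00" * 16,
        "vm1/vm1.log": b"plain log\n",
        "vm2/vm2-flat.vmdk.crypt": b"\x00" * 16,
        "vm2/vm2.nvram": b"plain\n",
        "README.crypt": b"\x00" * 16,
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = make_sample_tree()
    report = summary(sample_root)
    print(f"Scanned {sample_root}")
    print(f"  encrypted files : {report['encrypted_count']}")
    print(f"  untouched files : {report['untouched_count']}")
    for ext, count in sorted(report["by_type"].items()):
        print(f"  {ext:16} {count}")
    for path in triage(sample_root)["encrypted"]:
        print(f"  {path} -> originally {strip_suffix(path.name)}")
```

Point `summary()` at a datastore mount (for example a path under /vmfs/volumes on an ESXi host, or a Linux share) instead of the constructed tree to get the real counts; the per-extension breakdown tells you immediately whether VM disks and configuration files were among the encrypted files, which drives the order in which backups are restored.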