‘Death Kitty’: The ransomware that may be linked to the Transnet hack

Here’s what we know about Death Kitty, an obscure computer virus that is commonly used by Eastern European hacker groups.



Ransomware commonly used by hacker groups from Eastern Europe or Russia may be responsible for the cyber attack on state-owned South African logistics company, Transnet. The attack, which breached the company’s IT security on 22 July, nearly brought operations at the country’s ports to a complete halt.


On Wednesday evening, 28 July, the Department of Public Enterprises announced that Transnet had restored full operations at all its ports.

Pravin Gordhan’s ministry also said the preliminary assessment of the cyber attack indicated that none of Transnet’s or its customers’ data was compromised during the attack, and that the company is working on strengthening the weaknesses identified in its IT systems.

A Bloomberg report said Transnet was targeted with a strain of ransomware known by many names such as “Death Kitty”, “HelloKitty” and “Five Hands.” The strain of ransomware has been linked to several noteworthy data breaches that were carried out by hacker groups from Eastern Europe or Russia, according to cybersecurity experts.

These kinds of attacks are commonly accompanied by a “ransom letter”, hence the name. Bloomberg says it saw a copy of the ransom note, which apparently claimed that a substantial amount of Transnet data had been encrypted.


Earlier this year, on 9 February, Polish game developer CD Projekt Red was believed to have been hit by a “HelloKitty” ransomware attack, according to Malwarebytes Labs – the blog associated with the antivirus software. The makers of The Witcher series and Cyberpunk 2077 announced the hack to their Twitter followers, posted the ransom note, and declared that they would not meet the hackers’ demands.

Brazilian electricity company CEMIG revealed a similar attack in December 2020. It has since been confirmed that HelloKitty ransomware was used in the hack that stole a large amount of data from the company but did not cause any damage.

Malwarebytes said HelloKitty ransomware – and its various names – was first detected in November 2020. “Some researchers refer to HelloKitty as DeathRansom – a ransomware family that, based on its earlier variants, merely renames target files and doesn’t encrypt them.”

Malwarebytes speculates that HelloKitty was built from DeathRansom and therefore its software detects the ransomware as “Ransom.DeathRansom.”

According to the antivirus company, the “actors” behind HelloKitty are not as active as other hacker groups that use different ransomware and therefore little is known about the virus. This corresponds with what cybersecurity experts told Bloomberg – gangs associated with Death Kitty reportedly keep a lower profile and do not advertise their services online.

Current cybersecurity intelligence suggests that Death Kitty ransomware infects systems via phishing emails or via secondary infection from an initial malware attack.