In response to an incident believed to be in the form of Hitobito ransomware,
we would like to confirm the situation and provide a warning as follows.

Hitobito ransomware

The ransomware in question is called Hitobito and has a file name.extension. hitobiyo It appears that all files are being changed.

How it works

file version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in window properties]

Ransomware operation characteristics

• Based on VB .NET, the ransomware itself uses a commercial program called .NET Reactor, and the internal code is obfuscated. When running, all files are encrypted and an argument called -alerta is added along with the ransomware's executable file to the execution registration in the registry of the startup program. When running with the corresponding argument value during actual internal testing, the encryption process is skipped and its own note GUI is created. Prints . While the note is active, close Task Manager periodically.

  
  [Figure 3 When decompiling the .NET project, the internal contents are obfuscated]

  
  [Figure 4 -alerta parameter entered along with ransomware in the startup program registry]

Infection results

The information file is <KageNoHitobito_ReadMe.txt> created on the desktop, and the ransomware itself additionally displays the note UI after it is fully deactivated. Encrypted files are changed to <file name.extension.hitobiyo>.

[Figure 5 Infection results]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 6 Block message]

Watch Hitobito blocking video