Kraken Ransomware Scans Systems for Fastest Encryption

Summary
– Kraken ransomware tests machine performance to optimize encryption speed without overloading systems, using temporary files to decide between full or partial encryption.
– It emerged as a continuation of the HelloKitty ransomware operation, engaging in big-game hunting attacks with data theft for double extortion across multiple countries.
– Attacks begin by exploiting SMB vulnerabilities, then use stolen credentials and tools like Cloudflared and SSHFS for network access, lateral movement, and data exfiltration.
– Before encryption, Kraken deletes shadow volumes and stops backup services, then uses performance benchmarks to determine encryption mode and targets various systems including SQL databases and Hyper-V VMs.
– After encryption, files are renamed with a ‘.zpsc’ extension, ransom notes are dropped, and in one case a $1 million Bitcoin ransom was demanded, with IoCs available on GitHub.
A sophisticated ransomware strain known as Kraken is actively targeting Windows and Linux/VMware ESXi systems, deploying a unique feature that gauges a machine’s performance to determine the most effective encryption method. This approach allows the malware to inflict maximum damage by encrypting data at high speed without overloading system resources and raising alarms. Cisco Talos researchers have identified this performance-testing capability as a rare tactic, where the ransomware uses temporary files to decide between full or partial encryption of the victim’s data.
Emerging earlier this year, Kraken represents an evolution of the HelloKitty ransomware operation. It engages in what security experts call “big-game hunting,” focusing on high-value targets and employing double extortion tactics. This involves not only locking files but also stealing sensitive data to pressure victims into paying. The gang’s data leak sites list organizations from the United States, the United Kingdom, Canada, Panama, Kuwait, and Denmark as victims.
Connections to the now-defunct HelloKitty ransomware are evident through similarities in ransom notes and various mentions on Kraken’s platforms. HelloKitty gained notoriety in 2021 and attempted a rebrand after its source code was leaked. Beyond its ransomware activities, the group has launched a new cybercrime forum called “The Last Haven Board,” which is advertised as a secure space for communication and exchanges among threat actors.
The typical Kraken attack begins with the exploitation of SMB vulnerabilities on internet-facing systems. This provides the initial access point for the attackers. Once inside, they extract administrative account credentials and use them to re-enter the network via Remote Desktop Protocol (RDP). They then deploy tools like Cloudflared and SSHFS. Cloudflared establishes a reverse tunnel from the compromised host back to the attackers’ command-and-control infrastructure, while SSHFS is used to mount remote filesystems for data exfiltration.
Using these persistent tunnels and RDP access, the attackers move laterally across the network. They systematically access all reachable machines to steal valuable data and prepare for the final deployment of the ransomware payload.
When the command to encrypt is given, Kraken executes a performance benchmark on each individual machine. This process involves creating a temporary file filled with random data, encrypting it within a timed operation, calculating the speed of the encryption, and then deleting the file. Based on the results, the ransomware decides whether to encrypt the data completely or only partially. This strategic assessment helps the attack proceed swiftly during its final stage, causing extensive damage without triggering performance-based security alerts that intensive resource usage might otherwise cause.
Prior to initiating the encryption process, Kraken takes several preparatory steps to hinder recovery. It deletes Volume Shadow Copies and empties the Recycle Bin. It also systematically stops any backup services running on the compromised system.
The Windows version of the ransomware relies on four dedicated encryption modules. One of them targets SQL databases. It scans the system for Microsoft SQL Server instances by inspecting specific registry keys, locates the directories where database files are stored, verifies the paths, and encrypts the data.
The Linux and ESXi variant mirrors this damage in its own way. It identifies all active virtual machines, forcibly shuts them down to release any locked disk files, and launches multi-threaded encryption. The same benchmarking logic used in the Windows strain determines whether the process encrypts entire files or only selected portions.
Once encryption finishes, a generated script called bye_bye.sh runs automatically. Its purpose is simple: erase the tracks. It deletes system logs, command history, the Kraken binary, and even the script itself.
Encrypted files are assigned the .zpsc extension, and a ransom note named readmeyouws_hacked.txt appears in every affected directory. In one confirmed incident, the attackers demanded $1 million in Bitcoin.
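The benchmark step (a temporary file created, encrypted under a timer and deleted) and the post-encryption artifacts (.zpsc renames, the ransom note) give defenders a correlatable sequence. The script below is an added illustration, not code from the report or from Cisco Talos: it runs over a constructed file-activity log in an assumed `timestamp|host|pid|op|path` format, with the 30-second window and rename threshold chosen as assumptions, and flags a process only when the short-lived temp file is followed by encryption evidence, so routine temp-file churn alone does not alert.

```python
from collections import defaultdict
from datetime import datetime

RANSOM_EXT = ".zpsc"
RANSOM_NOTE = "readmeyouws_hacked.txt"  # note name as reported on the page
TEMP_MARKERS = ("\\temp\\", "/tmp/")
BENCH_WINDOW_S = 30  # assumed: temp file created and deleted within this window

def parse(line):
    # Assumed telemetry shape: 'ISO-timestamp|host|pid|op|path'
    ts, host, pid, op, path = line.strip().split("|", 4)
    return datetime.fromisoformat(ts), host, int(pid), op, path.lower()

def detect(lines):
    """Return [(host, pid, reasons)] for processes showing a benchmark-like
    temp file together with .zpsc renames or a ransom-note drop."""
    per_proc = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, host, pid, op, path = parse(line)
        per_proc[(host, pid)].append((ts, op, path))
    findings = []
    for (host, pid), events in per_proc.items():
        created, bench, renames, note = {}, False, 0, False
        for ts, op, path in sorted(events):
            if op == "create" and any(m in path for m in TEMP_MARKERS):
                created[path] = ts
            elif op == "delete" and path in created:
                bench |= (ts - created.pop(path)).total_seconds() <= BENCH_WINDOW_S
            elif op == "rename" and path.endswith(RANSOM_EXT):
                renames += 1
            elif op == "create" and path.endswith(RANSOM_NOTE):
                note = True
        reasons = ["short-lived temp file"] if bench else []
        if renames >= 2:
            reasons.append(f"{renames} renames to {RANSOM_EXT}")
        if note:
            reasons.append("ransom note dropped")
        # A transient temp file alone is routine; require encryption evidence too.
        if bench and len(reasons) > 1:
            findings.append((host, pid, reasons))
    return findings

# Constructed telemetry: pid 4410 benchmarks then encrypts; pid 980 is benign.
SAMPLE = r"""
2025-11-12T10:00:00|ws01|4410|create|C:\Windows\Temp\kf3a.tmp
2025-11-12T10:00:03|ws01|4410|delete|C:\Windows\Temp\kf3a.tmp
2025-11-12T10:00:05|ws01|4410|rename|C:\Data\q3.xlsx.zpsc
2025-11-12T10:00:05|ws01|4410|rename|C:\Data\plan.docx.zpsc
2025-11-12T10:00:06|ws01|4410|create|C:\Data\readmeyouws_hacked.txt
2025-11-12T10:00:07|ws01|980|create|C:\Users\bob\AppData\Local\Temp\word1.tmp
2025-11-12T10:00:09|ws01|980|delete|C:\Users\bob\AppData\Local\Temp\word1.tmp
"""
```

Running `detect(SAMPLE.splitlines())` flags only pid 4410; the benign pid 980 shows the temp-file pattern but no encryption artifacts.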
A full list of indicators of compromise linked to Kraken campaigns is available in a public GitHub repository for security teams monitoring this threat.
(Source: Bleeping Computer)