Kraken Ransomware Evolves With Advanced Benchmarking

Summary
– Kraken is a Russian-speaking ransomware group that emerged from the HelloKitty cartel and was observed in August 2025 carrying out big-game hunting and double extortion attacks.
– The group exploits Server Message Block (SMB) flaws for initial access, uses Cloudflare for persistence, and SSHFS for data theft before encrypting files across Windows, Linux, and VMware ESXi systems.
– Kraken employs a unique benchmarking step to measure encryption speed, allowing it to tailor the method for maximum impact and reduce detection risks.
– It launched a new underground discussion space called The Last Haven Board to foster cybercrime collaboration and lists victims from multiple countries including the US, UK, and Canada.
– Defensive measures against Kraken include strengthening credential hygiene, limiting exposure of remote services, hardening backup strategies, and implementing continuous monitoring.
In August 2025, cybersecurity researchers at Cisco Talos identified a surge in sophisticated cyberattacks attributed to the Kraken ransomware group, a Russian-speaking operation that appears to have emerged following the dissolution of the HelloKitty cartel. This group has been linked to a series of high-profile intrusions using a combination of Server Message Block (SMB) vulnerabilities for initial access, Cloudflare services for maintaining persistence, and SSH Filesystem (SSHFS) tools for large-scale data exfiltration prior to deploying file-encrypting malware.
Kraken’s malicious software is notably cross-platform, capable of targeting Windows, Linux, and VMware ESXi systems, which grants it a dangerous level of flexibility across diverse corporate infrastructures. A particularly novel feature of this ransomware is its advanced benchmarking process. Before activating its encryption routine, the malware conducts a performance test on the victim’s machine. This allows the attackers to select the most efficient encryption method, maximizing the speed of the attack while minimizing the risk of system crashes or detection by security software.
In a parallel development aimed at fostering criminal collaboration, the group announced the creation of a new underground forum called “The Last Haven Board” on its data leak site. This platform is intended to serve as a secure hub for cybercriminals to communicate and coordinate. Active since February 2025, Kraken employs a double extortion model, encrypting files while simultaneously threatening to publish stolen data. Their targeting appears opportunistic rather than focused on any specific industry sector.
Victim organizations listed on Kraken’s leak site span several countries, including the United States, the United Kingdom, Canada, Denmark, Panama, and Kuwait. The ransomware appends the .zpsc file extension to encrypted files and drops a ransom note titled “readmeyouws_hacked.txt.” The note directs victims to contact the group via a Tor-based onion service and threatens to release stolen information if payment demands are not met.
External analysis and Talos’s own observations suggest a probable connection to the older HelloKitty threat group. Kraken’s data leak portal explicitly references HelloKitty, and both groups use an identical filename for their ransom notes. The launch of The Last Haven Board was reportedly backed by former HelloKitty operators and WeaCorp, an entity known for purchasing software exploits, lending further credence to the theory that Kraken is a successor organization.
A detailed case study from Talos outlines a typical Kraken attack chain. Intruders first gained entry by exploiting an exposed SMB service, harvested privileged system credentials, and then returned using a Remote Desktop connection. To ensure continued access, they installed Cloudflare software, used SSHFS to locate and exfiltrate sensitive data, and finally deployed the ransomware across the network via the Remote Desktop Protocol (RDP). In this instance, the attackers demanded a ransom of approximately one million dollars in Bitcoin, promising a decryption key and confidentiality upon payment.
Key elements of Kraken’s tactics include the use of cross-platform encryptors, the implementation of a benchmarking system to optimize encryption, and multi-threaded modules designed to aggressively target SQL databases, network shares, local storage, and virtual machines. Talos assesses that this activity is the work of a highly organized criminal group seeking to fill the void left by the disbanded HelloKitty cartel.
To defend against such evolving threats, organizations are advised to strengthen credential management policies, reduce the public exposure of remote access services, implement robust and isolated backup solutions, and deploy continuous monitoring systems capable of detecting unusual network tunneling or unauthorized data access at an early stage.
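The monitoring the article recommends can be sketched as a handful of host-telemetry rules keyed to the behaviours described above: a tunnelling client started for persistence, an SSHFS mount used to stage exfiltration, RDP logons fanning out from one source during deployment, and the encryption stage itself (files renamed to the .zpsc extension and the readmeyouws_hacked.txt note dropped). The following is an added example and not code from the article, from Cisco Talos or from InfoSecurity Magazine; the event schema, the sample telemetry, the alert thresholds and the executable names (cloudflared for the "Cloudflare software", sshfs for SSHFS) are all assumptions made for the example.

```python
"""Rule-based triage over constructed endpoint telemetry for the Kraken
tradecraft described in the article. Added example; event format, sample
events, thresholds and binary names are assumptions, not published IoCs."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

RANSOM_NOTE = "readmeyouws_hacked.txt"   # ransom note name reported in the article
ENCRYPTED_EXT = ".zpsc"                  # extension appended to encrypted files (article)
# Assumed executable names: the article only says "Cloudflare software" and "SSHFS".
TUNNEL_PROCS = {"cloudflared", "cloudflared.exe"}
SSHFS_PROCS = {"sshfs", "sshfs.exe"}
RENAME_THRESHOLD = 5                     # .zpsc renames per host per window (tuning value)
RENAME_WINDOW = timedelta(minutes=1)
RDP_FANOUT_THRESHOLD = 3                 # distinct hosts reached over RDP from one source


class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str      # "process", "logon", "file_create" or "file_rename"
    detail: str    # command line, "type=<n> src=<addr>", path, or "old -> new"


class Finding(NamedTuple):
    subject: str   # host the rule fired on, or the source address for rdp_fanout
    rule: str
    evidence: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _proc_name(cmdline: str) -> str:
    """Basename of the first token of a command line, lower-cased."""
    return cmdline.split()[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Constructed sample telemetry (addresses and paths are documentation values).
SAMPLE_EVENTS = [
    Event(_ts("2025-08-01T02:10:11Z"), "fs01", "process", "cloudflared.exe tunnel run --token <REDACTED>"),
    Event(_ts("2025-08-01T02:15:02Z"), "fs01", "process", "sshfs.exe stage@198.51.100.7:/drop S:"),
    Event(_ts("2025-08-01T03:01:00Z"), "hr-ws12", "logon", "type=10 src=10.0.5.21"),
    Event(_ts("2025-08-01T03:01:30Z"), "fin-ws03", "logon", "type=10 src=10.0.5.21"),
    Event(_ts("2025-08-01T03:02:05Z"), "db02", "logon", "type=10 src=10.0.5.21"),
    Event(_ts("2025-08-01T09:00:00Z"), "hr-ws12", "process", "notepad.exe report.txt"),  # benign
] + [
    Event(_ts(f"2025-08-01T03:40:{sec:02d}Z"), "fs01", "file_rename",
          rf"D:\share\doc{n}.docx -> D:\share\doc{n}.docx{ENCRYPTED_EXT}")
    for n, sec in enumerate(range(1, 8))
] + [
    Event(_ts("2025-08-01T03:40:09Z"), "fs01", "file_create", r"D:\share\readmeyouws_hacked.txt"),
]


def detect(events):
    """Return one Finding per rule hit; mass_rename fires once per threshold crossing."""
    findings = []
    renames = defaultdict(list)      # host -> timestamps of recent .zpsc renames
    rdp_targets = defaultdict(set)   # source address -> hosts reached via RDP (logon type 10)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            name = _proc_name(ev.detail)
            if name in TUNNEL_PROCS:
                findings.append(Finding(ev.host, "tunnel_client", ev.detail))
            elif name in SSHFS_PROCS:
                findings.append(Finding(ev.host, "sshfs_mount", ev.detail))
        elif ev.kind == "logon" and "type=10" in ev.detail:
            src = ev.detail.split("src=", 1)[1].split()[0]
            rdp_targets[src].add(ev.host)
        elif ev.kind == "file_create" and _basename(ev.detail) == RANSOM_NOTE:
            findings.append(Finding(ev.host, "ransom_note", ev.detail))
        elif ev.kind == "file_rename" and ev.detail.lower().endswith(ENCRYPTED_EXT):
            stamps = renames[ev.host]
            stamps.append(ev.ts)
            while stamps and ev.ts - stamps[0] > RENAME_WINDOW:   # slide the window
                stamps.pop(0)
            if len(stamps) == RENAME_THRESHOLD:
                findings.append(Finding(ev.host, "mass_rename",
                                        f"{RENAME_THRESHOLD} {ENCRYPTED_EXT} renames within {RENAME_WINDOW}"))
    for src, hosts in rdp_targets.items():
        if len(hosts) >= RDP_FANOUT_THRESHOLD:
            findings.append(Finding(src, "rdp_fanout", ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:14} {f.subject:12} {f.evidence}")
```

The rules are deliberately ordered by stage: the tunnel client and SSHFS mount fire hours before any file is touched, which is where the article's "early stage" detection pays off; the rename burst and ransom note confirm that encryption has already begun and should drive isolation rather than investigation.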
(Source: InfoSecurity Magazine)

