Kraken ransomware expands to Windows, Linux, and ESXi systems

Cisco Talos researchers have identified Kraken, a Russian-speaking ransomware group that emerged in early 2025 from the HelloKitty cartel, conducting big-game-hunting and double-extortion attacks. The group now targets enterprise environments with cross-platform encryptors for Windows, Linux, and VMware ESXi systems. Attacks observed in August 2025 exploited SMB vulnerabilities for initial access.

Kraken ransomware first surfaced in early 2025 and is believed to have evolved from the HelloKitty ransomware cartel, reusing similar infrastructure, ransom note formats, and targeting methods. Cisco Talos observed attacks in August 2025 where threat actors exploited Server Message Block (SMB) vulnerabilities on internet-exposed servers to gain initial access. They then harvested administrator credentials and re-entered environments via Remote Desktop Protocol (RDP), using tools like Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration.

The ransomware employs RSA-4096 and ChaCha20 encryption algorithms, with command-line options for partial or full encryption of drives, SQL databases, network shares, and Hyper-V virtual machines. A notable feature is encryption benchmarking: before encrypting, the malware runs performance tests on the victim machine to tune encryption speed so that the process completes quickly without destabilizing the system in a way that would draw attention. Encrypted files receive the .zpsc extension, and a ransom note named readme_you_ws_hacked.txt is dropped, demanding up to one million USD in Bitcoin to a specified wallet.

The Windows variant is a 32-bit C++ executable, possibly obfuscated with Golang-based tooling, and uses anti-sandbox techniques such as execution delays and deletion of restore points. It disables WoW64 filesystem redirection to access protected directories and turns off Windows Backup services. Linux and ESXi variants are 64-bit ELF binaries that detect the platform using commands like esxcli and uname. On ESXi servers, Kraken terminates running virtual machines before encrypting files and uses a bash script to remove logs, shell history, and its own binary.

Kraken maintains ties to HelloKitty, evident in shared ransom note structures and mentions on its data leak portal. In September 2025, the group launched 'The Last Haven Board,' an underground forum for cybercriminals, supported by HelloKitty operators and WeaCorp. Victims span geographies including the United States, United Kingdom, Canada, Denmark, Panama, and Kuwait, indicating opportunistic targeting. Cisco provides detection via Snort SIDs 65479 and 65480, and ClamAV signatures Win.Ransomware.Kraken-10056931-0 and Unix.Ransomware.Kraken-10057031-0.
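The Snort and ClamAV signatures above cover network traffic and the binaries themselves; the host-side indicators named earlier (the .zpsc extension on encrypted files and the readme_you_ws_hacked.txt ransom note) lend themselves to a simple file-system sweep that responders can run across shares or restored volumes. The following is an added example, not code from Cisco Talos or the article: it walks a directory tree, tallies files carrying the extension, records any ransom notes, and flags the tree if a note is present or the encrypted-file ratio exceeds an assumed threshold (the 25% figure is a tuning choice for illustration, not a value from the report). The sample tree it scans is constructed in a temporary directory so the script runs offline.

```python
"""Added example: sweep a directory tree for the Kraken host indicators the
article names (.zpsc extension, readme_you_ws_hacked.txt ransom note).
Not code from the Talos report; the sample tree below is constructed."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".zpsc"                 # extension appended to encrypted files
RANSOM_NOTE = "readme_you_ws_hacked.txt"  # ransom note filename from the article
SUSPICIOUS_RATIO = 0.25                 # assumed tuning threshold, not from the report


def sweep(root):
    """Walk `root` and return a summary of Kraken-style indicators found.

    The result is a dict so a caller (or a test) can act on the fields
    rather than parsing printed output.
    """
    root = Path(root)
    total = 0
    encrypted = []
    notes = []
    ext_counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            total += 1
            suffix = path.suffix.lower()
            ext_counter[suffix] += 1
            if suffix == ENCRYPTED_EXT:
                encrypted.append(str(path.relative_to(root)))
            if name.lower() == RANSOM_NOTE:
                notes.append(str(path.relative_to(root)))
    ratio = len(encrypted) / total if total else 0.0
    return {
        "total_files": total,
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "encrypted_ratio": ratio,
        "top_extensions": ext_counter.most_common(3),
        # A ransom note is decisive on its own; otherwise fall back to the ratio.
        "suspicious": bool(notes) or ratio >= SUSPICIOUS_RATIO,
    }


def build_sample_tree():
    """Construct a temporary tree resembling a partially encrypted file share."""
    root = Path(tempfile.mkdtemp(prefix="kraken_sweep_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    # Constructed placeholders: two "encrypted" files plus a note in one folder.
    (root / "finance" / "q3.xlsx.zpsc").write_bytes(b"\x00" * 16)
    (root / "finance" / "budget.docx.zpsc").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text("constructed placeholder text\n")
    # Untouched files elsewhere in the share.
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 constructed")
    (root / "hr" / "roster.csv").write_text("name,role\n")
    (root / "README.md").write_text("# constructed sample share\n")
    return root


def build_clean_tree():
    """Construct a temporary tree with no indicators, for a negative check."""
    root = Path(tempfile.mkdtemp(prefix="kraken_clean_"))
    (root / "notes.txt").write_text("nothing to see here\n")
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
    return root


if __name__ == "__main__":
    for label, tree in (("sample", build_sample_tree()), ("clean", build_clean_tree())):
        result = sweep(tree)
        print(label, "suspicious" if result["suspicious"] else "clean", result)
```

Point `sweep()` at a mounted share or a forensic image mount instead of the constructed tree to use it in practice; the ratio field is the more useful signal on large volumes where a single note may have been cleaned up, while any hit on the note filename warrants immediate triage.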
