Kraken
Kraken is a ransomware operation and ransomware-as-a-service (RaaS) threat that emerged in 2025 and is linked to remnants of the HelloKitty ransomware cartel; Cisco Talos described it as a Russian-speaking group and a descendant or continuation of HelloKitty. It conducts big-game hunting and double-extortion attacks, stealing data before encryption and using leak-site pressure. Kraken targets Windows, Linux, and VMware ESXi environments with distinct platform-specific encryptors. Talos reported that the malware benchmarks each victim machine before encryption to decide between full and partial encryption without overloading the system.

Observed intrusion activity includes exploitation of SMB vulnerabilities for initial access, theft of administrative credentials, re-entry via RDP, and use of Cloudflared reverse tunnels and SSHFS for lateral movement and data exfiltration. Before encryption, Kraken deletes shadow volumes, clears the Recycle Bin, and stops backup services. The Windows variant includes modules to encrypt Microsoft SQL Server data files, local drives, reachable network shares, and Hyper-V virtual disk files. The Linux/ESXi variant enumerates and forcibly terminates virtual machines to unlock their disk files for encryption. After execution, a cleanup script named bye_bye.sh removes logs, shell history, the ransomware binary, and the script itself.

Reported file artifacts include the .zpsc extension on encrypted files and a ransom note named readme_you_ws_hacked.txt. Cisco Talos observed at least one case with a $1 million ransom demand in Bitcoin. Kraken has also been associated with a cybercrime forum called "The Last Haven Board." Victims listed on its leak sites were reported in the United States, United Kingdom, Canada, Panama, Kuwait, and Denmark.
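The file artifacts above (the .zpsc extension, the ransom note and the bye_bye.sh cleanup script) are the cheapest things to sweep a file server or backup target for after an alert. The following is an added hunting example, not code from the report or from any vendor; the cluster threshold of three encrypted files per directory is an assumption for illustration, and the sample tree it scans is constructed.

```python
"""Hunt a directory tree for the Kraken file artifacts reported above."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Artifact names as reported by Cisco Talos (see the summary above).
ENCRYPTED_EXT = ".zpsc"
RANSOM_NOTE = "readme_you_ws_hacked.txt"
CLEANUP_SCRIPT = "bye_bye.sh"
CLUSTER_MIN = 3  # assumed threshold for "encrypted files cluster here", not from the report


def scan_for_kraken_artifacts(root):
    """Walk `root`; return artifact counts, hottest directories and a verdict."""
    encrypted_by_dir = Counter()
    notes, scripts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] += 1
            elif lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lower == CLEANUP_SCRIPT:
                scripts.append(os.path.join(dirpath, name))
    clustered = any(n >= CLUSTER_MIN for n in encrypted_by_dir.values())
    return {
        "encrypted_files": sum(encrypted_by_dir.values()),
        "ransom_notes": notes,
        "cleanup_scripts": scripts,
        "top_dirs": encrypted_by_dir.most_common(3),
        # A note or the cleanup script alone is enough; otherwise require a cluster.
        "suspected": bool(notes or scripts or clustered),
    }


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share" / "finance"
        share.mkdir(parents=True)
        for i in range(4):  # four encrypted spreadsheets in one share
            (share / f"report{i}.xlsx{ENCRYPTED_EXT}").write_bytes(b"\0" * 16)
        (share / RANSOM_NOTE).write_text("constructed placeholder note\n")
        home = Path(tmp) / "home"
        home.mkdir()
        (home / "todo.txt").write_text("benign file\n")  # must not be flagged
        return scan_for_kraken_artifacts(tmp)
```

Point `scan_for_kraken_artifacts` at a mounted share or restored backup; `top_dirs` tells you where encryption started, which is usually the share the operator reached first.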
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 1 technique
Impact: 1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; other indicator types are observed in public reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Kraken ransomware is identified as a significant new player in the 2025 ransomware landscape, operating as a ransomware-as-a-service (RaaS) and contributing to the ongoing fragmentation and rapid evolution of ransomware families.
Low-volume ransomware brand referenced as part of the long tail of operators.
Kraken is a ransomware-as-a-service (RaaS) operation that targets multiple platforms, including Windows, Linux, and VMware ESXi. It uses customized encryptors for each platform and is linked to the former HelloKitty ransomware group.
Ransomware associated with big-game hunting and double-extortion activity (noted by Talos in Aug 2025).