Tech Wavo

How Kraken ransomware benchmarks your system first, then encrypts everything without warning, and steals data in the background silently

by Tech Wavo
November 19, 2025
in Computers




  • Kraken ransomware measures system performance before deciding the scale of encryption damage
  • Shadow copies, Recycle Bin, and backups are deleted before encryption starts
  • Windows, Linux, and ESXi systems all face Kraken’s benchmark-driven attacks

The Kraken ransomware campaign introduces a benchmark step which times the encryption of a temporary file to determine how quickly it can encrypt a victim’s data.

Researchers from Cisco Talos found the malware creates a random data file, encrypts it, records the speed, and deletes the test file.

The result guides the hackers in choosing between full encryption and a partial approach that still damages files while avoiding excessive system load that could expose their activity.



Targeting key enterprise assets

In their report, the researchers outlined how Kraken prepares each compromised environment by deleting shadow copies, clearing the Recycle Bin, and disabling backup services.

The Windows version includes four separate modules designed to locate and encrypt SQL databases, network shares, local drives, and Hyper-V virtual machines.

These modules confirm paths, stop active virtual machines, and apply encryption with multiple worker threads to increase coverage.

The Linux and ESXi edition terminates running virtual machines to unlock their disks and applies the same benchmark-based logic before encrypting data across the host.


Once the encryption phase is complete, the ransomware executes a script that clears logs, deletes shell history, removes the binary, and eliminates evidence of the operation.

Files receive the .zpsc extension, and a ransom note titled readme_you_ws_hacked.txt appears in affected locations.
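A triage sweep for the two file indicators named above, as an added example that is not from the article or from Cisco Talos. The function names and the sample directory tree are constructed for illustration; the per-directory earliest modification time is included to help scope when encryption reached each location.

```python
import os
import tempfile
from dataclasses import dataclass

ENCRYPTED_EXT = ".zpsc"                    # extension named in the article
RANSOM_NOTE = "readme_you_ws_hacked.txt"   # note filename named in the article

@dataclass
class DirFinding:
    encrypted: int = 0                     # count of files carrying the extension
    note_present: bool = False             # ransom note found in this directory
    earliest_mtime: float = float("inf")   # oldest indicator timestamp seen

def scan_tree(root):
    """Walk root and return {directory: DirFinding} for directories with indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        hit = DirFinding()
        for name in files:
            lower = name.lower()           # match case-insensitively on any filesystem
            is_note = lower == RANSOM_NOTE
            if not (is_note or lower.endswith(ENCRYPTED_EXT)):
                continue
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue                   # file vanished or is unreadable; skip it
            hit.earliest_mtime = min(hit.earliest_mtime, mtime)
            if is_note:
                hit.note_present = True
            else:
                hit.encrypted += 1
        if hit.encrypted or hit.note_present:
            findings[dirpath] = hit
    return findings

def demo():
    """Build a constructed sample tree (empty placeholder files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "share"))
        os.makedirs(os.path.join(root, "clean"))
        for rel in ("share/db.bak.zpsc", "share/report.docx.ZPSC",
                    "share/" + RANSOM_NOTE, "clean/notes.txt"):
            open(os.path.join(root, rel), "w").close()
        return {os.path.relpath(d, root): (f.encrypted, f.note_present)
                for d, f in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```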

Cisco reported a case where the attackers demanded $1 million in Bitcoin, and relevant indicators of compromise are documented in a public repository.



Kraken appears to share operational traits with the former HelloKitty ransomware group, as both groups use identical ransom note filenames and reference each other on leak sites.

The hackers behind Kraken also announced a new underground forum called The Last Haven Board, which claims to offer a secure channel for communication within the cybercrime ecosystem.

In documented cases, attackers gained initial access by exploiting vulnerable SMB services exposed to the internet, then harvested administrator credentials and re-entered the environment using Remote Desktop.

Persistence was maintained through Cloudflare tunnels, and SSHFS was used to move through the network and exfiltrate data.

The attackers deployed the Kraken binary afterward and used stolen credentials to propagate across additional systems.

Staying safe against threats like Kraken requires a consistent approach to limit exposure and reduce potential damage. Organizations should maintain strong ransomware protection, ensuring backups, access controls, and network segmentation are properly applied and monitored.

Keeping antivirus software updated helps detect malicious files before they can spread, while regular use of malware removal tools clears remnants of intrusions.

Limiting internet-facing services, patching vulnerabilities, and enforcing strong authentication further reduce attackers’ opportunities.


