Kraken Ransomware Unleashed: Multi-Platform Threat Benchmarks Systems to Maximize Damage

Cisco Talos researchers have identified an active wave of attacks involving a new ransomware strain known as Kraken. The group behind it has been operating since February 2025, uses double extortion (encrypting data and threatening to publish what it has stolen) and does not confine itself to any particular sector. Victims so far include organisations in the United States, the United Kingdom, Canada, Denmark, Panama and Kuwait.

Kraken targets Windows, Linux and VMware ESXi, with a dedicated build of the encryptor for each environment. Encrypted files receive the .zpsc extension, and the malware leaves a ransom note named “readme_you_ws_hacked.txt” that threatens to publish the stolen data on the group's leak site. In one documented incident the attackers demanded roughly $1 million in Bitcoin.

In one of the investigated cases the attackers gained initial access by exploiting a vulnerability in the victim's SMB service, kept a foothold with the Cloudflared tunnelling client (which needs only an outbound connection and so slips past inbound firewall rules) and exfiltrated data by mounting a remote filesystem over SSH with SSHFS. After elevating privileges they moved laterally over RDP and deployed the ransomware on additional systems.

Kraken accepts numerous execution parameters, including full or partial encryption, the block size used for partial encryption, a delayed start and a benchmark mode. Before encrypting, it measures the host's performance and uses the result to pick the mode that does the most damage in the time available without overloading the machine or drawing attention.

The Windows variant is a 32-bit C++ executable, potentially wrapped with Go-based tooling. It disables WoW64 filesystem redirection so that the 32-bit process reaches the native System32 paths rather than SysWOW64, acquires debug privileges (SeDebugPrivilege) so it can act on other processes, stops backup-related services, deletes restore points and empties the recycle bin. It spares only the directories the victim needs to keep the system bootable and to contact the operators.

The ransomware works on SQL databases, local disks, network shares and Hyper-V virtual machines in parallel, using PowerShell to stop running VMs and to locate their virtual disk files so they can be encrypted. It skips system folders and executable files so that the operating system keeps functioning.
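The Windows behaviours described in the two paragraphs above (stopping backup services, deleting restore points, emptying the recycle bin, stopping Hyper-V VMs and enumerating their disks) are each unremarkable on their own and only become a strong signal when they cluster on one host within minutes. The following is an added detection example, not code from the Talos report or from the Kraken sample: it classifies process-creation command lines into those behaviour classes and alerts when several occur on the same host inside a short window. The event records and command lines are constructed to resemble Sysmon EID 1 / Windows 4688 telemetry and illustrate the behaviour classes; they are not quoted from the malware.

```python
"""Correlate ransomware pre-encryption behaviours across process-creation events.

Added example, not code from the Talos report or the Kraken sample. The sample
events below are constructed; the command lines illustrate the behaviour classes
the write-up describes and are not quoted from the malware.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One broad, case-insensitive regex per behaviour class. Routine administration
# produces these individually, so the signal is the combination, not any one hit.
BEHAVIOURS = {
    "backup_service_stop": re.compile(
        r"\b(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop|stop-service)\b.*"
        r"\b(?:vss|sql|veeam|backup|wbengine|acronis)\w*", re.I),
    "restore_point_delete": re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog|bcdedit(?:\.exe)?\b.*recoveryenabled\s+no)\b", re.I),
    "recycle_bin_empty": re.compile(
        r"clear-recyclebin|\$recycle\.bin|rd\s+/s\s+/q\s+\S*recycle", re.I),
    "hyperv_vm_stop": re.compile(r"\bstop-vm\b", re.I),
    "hyperv_disk_enum": re.compile(r"\bget-vmharddiskdrive\b|\bget-vhd\b", re.I),
}

# Constructed telemetry: one host with a staging burst, two hosts with noise only.
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2025-03-04T09:01:10", "cmdline": "net stop spooler"},
    {"host": "HV02", "time": "2025-03-04T09:15:02",
     "cmdline": 'net stop "SQL Server (MSSQLSERVER)" /y'},
    {"host": "HV02", "time": "2025-03-04T09:15:03", "cmdline": "sc stop VSS"},
    {"host": "HV02", "time": "2025-03-04T09:15:07",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "HV02", "time": "2025-03-04T09:15:20",
     "cmdline": 'powershell.exe -c "Get-VM | Stop-VM -Force"'},
    {"host": "HV02", "time": "2025-03-04T09:15:25",
     "cmdline": 'powershell.exe -c "Get-VM | Get-VMHardDiskDrive | Select Path"'},
    {"host": "HV02", "time": "2025-03-04T09:15:40",
     "cmdline": "powershell.exe -c Clear-RecycleBin -Force"},
    # Same classes on WS07 but hours apart: outside the window, so no alert.
    {"host": "WS07", "time": "2025-03-04T10:00:00", "cmdline": "vssadmin delete shadows /all"},
    {"host": "WS07", "time": "2025-03-04T13:30:00", "cmdline": "sc stop wbengine"},
    {"host": "WS07", "time": "2025-03-04T16:45:00", "cmdline": "powershell Clear-RecycleBin"},
]


def classify(cmdline: str) -> set[str]:
    """Return every behaviour class a single command line matches (possibly none)."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}


def correlate(events, window=timedelta(minutes=10), min_classes=3):
    """Alert once per host when >= min_classes distinct classes fall inside `window`.

    Events are grouped by host and sorted by time; for each hit we look forward
    over the window and count distinct classes. The first qualifying window
    produces the host's alert and we stop, so a noisy host yields one alert.
    """
    per_host = defaultdict(list)
    for ev in events:
        classes = classify(ev["cmdline"])
        if classes:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), classes))

    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, classes in hits[i:]:
                if t - t0 > window:
                    break
                seen |= classes
            if len(seen) >= min_classes:
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "classes": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events, only HV02 fires, with all five classes seen within 38 seconds; FS01's single service stop and WS07's hits spread over the day stay below the threshold. In production the patterns need tuning against your own baseline (backup agents and cluster tooling legitimately stop VSS or SQL services), and the window and class count are the knobs that trade detection latency against false positives.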

The Linux/ESXi build is written in C++ and compiled with a crosstool-NG cross-compilation toolchain. It starts by identifying the host environment (ESXi, Nutanix, Ubuntu or Synology) and adapts its behaviour accordingly. On ESXi it terminates running virtual machines before encrypting them, since the hypervisor keeps a running VM's disk files locked. It also takes steps to stay alive and to hamper analysis: it daemonises itself, ignores SIGCHLD and SIGHUP so that a closed terminal or SSH session does not kill it, and runs a post-encryption cleanup script that deletes logs, shell history and the malware binary itself.
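The cleanup script described above removes the evidence an analyst would normally start from, so on a Linux or ESXi host the hunt has to look both for what the encryptor leaves behind (the .zpsc extension and the readme_you_ws_hacked.txt note named earlier) and for the shape of the clean-up itself (shell-history files and logs truncated to zero bytes). The following is an added example, not code from the Talos report or the Kraken sample: a filesystem walk that collects both kinds of traces and returns a layered verdict. The directory tree it scans is constructed in a temporary directory so the script runs offline; the file names and contents are illustrative.

```python
"""Hunt a Linux/ESXi filesystem for Kraken traces and anti-forensic aftermath.

Added example, not code from the Talos report or the malware. The demo tree is
constructed in a temp dir; on a real host point hunt() at "/" or at a mounted
datastore. ESXi's busybox shell keeps .ash_history, Linux hosts .bash_history.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".zpsc"                      # extension named in the write-up
RANSOM_NOTE = "readme_you_ws_hacked.txt"     # note file named in the write-up
HISTORY_NAMES = {".ash_history", ".bash_history", ".sh_history"}
LOG_DIR = "var/log"                          # relative to the scanned root


def hunt(root) -> dict[str, list[str]]:
    """Walk `root` and return sorted relative paths grouped by trace type."""
    root = Path(root)
    findings = {"encrypted": [], "notes": [], "wiped_history": [], "empty_logs": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                st = path.lstat()            # do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable mid-scan
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = path.relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(rel)
            elif name == RANSOM_NOTE:
                findings["notes"].append(rel)
            elif name in HISTORY_NAMES and st.st_size == 0:
                findings["wiped_history"].append(rel)
            elif st.st_size == 0 and rel.startswith(LOG_DIR + "/"):
                findings["empty_logs"].append(rel)
    for hits in findings.values():
        hits.sort()
    return findings


def assess(findings) -> str:
    """Layered verdict: encryption artefacts are conclusive, wiped history and
    empty logs alone are only suspicious (log rotation can empty a file too)."""
    if findings["encrypted"] or findings["notes"]:
        return "encryption confirmed"
    if findings["wiped_history"] or findings["empty_logs"]:
        return "anti-forensic traces, investigate"
    return "no indicators"


def build_demo_tree(root) -> None:
    """Constructed post-incident tree: an ESXi-like datastore with two encrypted
    files and the note, a wiped root history, two truncated logs, plus untouched
    files that must not be reported."""
    root = Path(root)
    files = {
        "vmfs/volumes/ds1/web01/web01-flat.vmdk.zpsc": b"\x8a\x11constructed-ciphertext",
        "vmfs/volumes/ds1/web01/web01.vmx.zpsc": b"\x9c\x02constructed-ciphertext",
        "vmfs/volumes/ds1/web01/readme_you_ws_hacked.txt": b"constructed note text\n",
        "root/.ash_history": b"",                                   # wiped
        "var/log/auth.log": b"",                                    # truncated
        "var/log/hostd.log": b"",                                   # truncated
        "var/log/vmkernel.log": b"2025-03-04T09:15:02Z still has content\n",
        "home/admin/.bash_history": b"esxcli vm process list\n",   # intact
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a fresh temp dir, hunt it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
    print(assess(result))
```

On the constructed tree the scan reports the two .zpsc files and the note under the datastore, the empty root/.ash_history and the two zero-byte logs, and ignores the intact history and log. Because the cleanup script also deletes the binary, do not expect to recover the sample from disk; the datastore contents, the note and the truncated logs are usually what remains, and the timestamps of the truncated files bound when the clean-up ran.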

Kraken maintains a vigorous presence on the dark web. The group has announced the launch of an underground forum, “The Last Haven Board,” described as an anonymous platform for the cybercriminal community. According to its moderators, former members of HelloKitty and of the WeaCorp group, known for trading exploits, have joined the project. Talos traces Kraken's origins to HelloKitty, citing identical ransom-note naming conventions and shared visual elements on the two groups' leak sites.

Kraken stands among the most technically sophisticated ransomware families seen to date: it benchmarks the host before encrypting, ships dedicated builds for several platforms and takes deliberate steps to erase forensic traces. Beyond the well-engineered payload, the group is building out its ecosystem on the dark web, running its own forum and recruiting experienced players from the criminal underground. Given its scale, breadth and pace of development, Kraken is poised to become one of the most formidable threats to corporate infrastructure in the near future.
