- Kraken ransomware benchmarks the victim system's performance before deciding how much of each file to encrypt.
- Shadow copies, the Recycle Bin, and backups are deleted before encryption begins.
- The Windows, Linux, and ESXi builds all apply the same benchmark-driven encryption logic.
The Kraken ransomware campaign introduces a benchmark step that times the encryption of a temporary file to determine how quickly it can encrypt a victim’s data.
Cisco Talos researchers discovered that the malware created a random data file, encrypted it, recorded the speed, and deleted the test file.
The result decides between full encryption and a partial approach that still renders files unusable while avoiding the heavy system load that could expose the operation before it finishes.
Target key business assets
In their report, the researchers explained how Kraken prepares each compromised environment by deleting shadow copies, emptying the Recycle Bin, and disabling backup services.
The Windows version includes four separate modules designed to locate and encrypt SQL databases, network shares, local drives, and Hyper-V virtual machines.
These modules validate their target paths, shut down running virtual machines so their disk files can be opened, and encrypt with multiple worker threads to cover as much data as possible in the available time.
Linux and ESXi editions terminate virtual machines to unlock their disks and apply the same logic based on benchmark tests before encrypting data on the host.
Once the encryption phase is complete, the ransomware runs a script that clears the logs, deletes the shell history, removes the binary, and eliminates evidence of the operation.
The files are given the .zpsc extension and a ransom note titled readme_you_ws_hacked.txt appears in the affected locations.
Cisco reported one case where attackers demanded $1 million in Bitcoin, and the relevant indicators of compromise are documented in a public repository.
Kraken appears to share operational characteristics with the former HelloKitty ransomware group, as both groups use identical ransom note file names and reference each other on leak sites.
The hackers behind Kraken also announced the creation of a new underground forum called The Last Haven Board, which claims to provide a secure channel for communication within the cybercrime ecosystem.
In documented cases, attackers gained initial access by exploiting vulnerable SMB services exposed to the Internet, collecting administrator credentials, and re-entering the environment using Remote Desktop.
Persistence was maintained through Cloudflare tunnels, and SSHFS was used to move across the network and exfiltrate data.
The attackers then deployed the Kraken binary and used stolen credentials to spread to additional systems.
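The steps above leave artifacts a defender can hunt for: the backup and shadow-copy tampering before encryption, the .zpsc extension and readme_you_ws_hacked.txt note after it, and the tunnel and SSHFS tooling used for persistence and lateral movement. The script below is an added example, not code from the Talos report or the TechRadar article. The two file-name indicators are the ones the article cites; everything else is an assumption: the process-log line format is constructed, and the command patterns (vssadmin, wmic shadowcopy, wbadmin, bcdedit, cloudflared, sshfs) are the common tools for each step the article names, not a list the article attributes to Kraken's binary.

```python
"""Hunt for Kraken-style artifacts and the tooling the article associates with the intrusion.

Added example, not code from the Talos report or the TechRadar article.
Indicators taken from the article: the .zpsc extension and the ransom note name.
Assumptions: the process-log format, the sample data, and the command patterns below.
"""
import os
import re
import tempfile
from pathlib import Path

RANSOM_EXT = ".zpsc"
RANSOM_NOTE = "readme_you_ws_hacked.txt"

# Assumed command-line patterns, one list per technique the article describes.
SUSPICIOUS_COMMANDS = {
    "backup-tampering": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
        re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    ],
    "tunnel-persistence": [
        re.compile(r"cloudflared(\.exe)?\s+(tunnel|service)\b", re.I),
    ],
    "sshfs-lateral-movement": [
        re.compile(r"\bsshfs\b.*\S+@\S+:", re.I),
    ],
}


def scan_tree(root):
    """Walk `root`; return (encrypted_files, ransom_notes) as sorted lists of
    POSIX-style paths relative to `root`."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            lowered = name.lower()
            if lowered.endswith(RANSOM_EXT):
                encrypted.append(rel)
            elif lowered == RANSOM_NOTE:
                notes.append(rel)
    return sorted(encrypted), sorted(notes)


def flag_suspicious_commands(log_lines):
    """Return [(technique, command_line)] for every line whose command matches.

    Each line is assumed to look like '<timestamp> <host> <user> <command line>';
    only the command-line field is matched, so hostnames and usernames cannot trigger a hit."""
    hits = []
    for line in log_lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed line: skip rather than match on header fields
        cmd = parts[3]
        for technique, patterns in SUSPICIOUS_COMMANDS.items():
            if any(p.search(cmd) for p in patterns):
                hits.append((technique, cmd))
                break  # one verdict per line
    return hits


# Constructed process-creation log, not a real capture.
SAMPLE_PROCESS_LOG = [
    "2025-11-13T02:14:07Z ws01 SYSTEM C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2025-11-13T02:14:09Z ws01 SYSTEM wmic.exe shadowcopy delete",
    "2025-11-13T02:14:12Z ws01 SYSTEM wbadmin delete catalog -quiet",
    "2025-11-13T02:14:15Z ws01 SYSTEM bcdedit /set {default} recoveryenabled No",
    "2025-11-13T02:20:41Z ws01 SYSTEM C:\\Users\\Public\\cloudflared.exe service install PLACEHOLDER_TOKEN",
    "2025-11-13T02:31:05Z srv02 root sshfs backup@10.0.0.5:/srv /mnt/stage -o reconnect",
    "2025-11-13T02:35:00Z ws01 alice C:\\Program Files\\Git\\bin\\git.exe status",
]


def build_sample_tree():
    """Create a throwaway directory shaped like a partially encrypted share
    (constructed data) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="kraken_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / ("q3.xlsx" + RANSOM_EXT)).write_bytes(os.urandom(64))
    (root / "finance" / RANSOM_NOTE).write_text("placeholder note body\n")
    (root / "hr").mkdir()
    (root / "hr" / "policy.docx").write_bytes(b"untouched file")
    (root / RANSOM_NOTE).write_text("placeholder note body\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scan_tree(demo_root))
    for technique, cmd in flag_suspicious_commands(SAMPLE_PROCESS_LOG):
        print(f"{technique:24} {cmd}")
```

Run against a real share and a real process-creation feed (Sysmon event 1, EDR telemetry, auditd) after adapting the line parser to that feed's format. The file sweep is a post-incident scoping tool; the command matching is what you would wire into an alert, since the backup-tampering commands fire minutes before the encryption does and are almost never legitimate on a workstation.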
Staying safe from threats like Kraken requires a consistent approach to limiting exposure and reducing potential damage. Organizations must therefore maintain strong ransomware protection, ensuring that backups, access controls and network segmentation are properly enforced and monitored; backups in particular need to be kept offline or otherwise out of reach of an attacker who holds administrator credentials, since Kraken deletes any it can find.
Keeping endpoint protection updated helps catch malicious files before they spread, and a thorough clean-up after an intrusion removes any remnants the attackers left behind.
Limiting the services exposed to the Internet, patching vulnerabilities and requiring strong authentication on remote access such as SMB and RDP further reduce attackers' opportunities.