
- Kraken ransomware benchmarks its own encryption speed on each victim before deciding how much of the data to encrypt
- Shadow copies, recycle bin, and backups are deleted before encryption starts
- Windows, Linux, and ESXi Systems Face Kraken Benchmark-Based Attacks
The Kraken ransomware campaign introduces a benchmark step that times the encryption of a temporary file to determine how quickly it can encrypt a victim’s data.
Cisco Talos researchers discovered that the malware creates a random data file, encrypts it, records the speed, and deletes the test file.
The measured throughput decides between full encryption and a partial approach that still renders files unusable while keeping system load low enough that the activity is less likely to be noticed.
Target key business assets
In their report, the researchers described how Kraken prepares each compromised environment by deleting snapshots, cleaning the Recycle Bin, and disabling backup services.
The Windows version includes four separate modules designed to locate and encrypt SQL databases, network shares, local drives, and Hyper-V virtual machines.
These modules validate the target paths, stop running virtual machines, and encrypt with multiple worker threads to cover as much data as possible.
The Linux and ESXi edition terminates running virtual machines to release the locks on their disk files, then applies the same benchmark-based logic before encrypting data across the host.
Once encryption is complete, the ransomware runs a cleanup script that clears logs, deletes the shell history, and removes its own binary to erase evidence of the operation.
Encrypted files receive the .zpsc extension, and a ransom note named readme_you_ws_hacked.txt is dropped in the affected locations.
Cisco reported a case where attackers demanded $1 million in Bitcoin, and the relevant indicators of compromise are documented in a public repository.
Kraken appears to share operational traits with the former HelloKitty ransomware group: both use the same ransom note file name and reference each other on their leak sites.
The hackers behind Kraken also announced a new underground forum called The Last Haven Board, which aims to offer a secure channel of communication within the cybercrime ecosystem.
In documented cases, the attackers gained initial access by exploiting vulnerable SMB services exposed to the Internet, harvested administrator credentials, and re-entered the environment over Remote Desktop.
Persistence was maintained through Cloudflare tunnels, and SSHFS was used to move across the network and exfiltrate data.
The attackers subsequently deployed the Kraken binary and used stolen credentials to spread through additional systems.
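The behaviours this article lists (the benchmark step, deletion of snapshots and backups, Cloudflare tunnels and SSHFS, log and history wiping, the .zpsc extension and the ransom note name) are all things endpoint telemetry can be searched for. The script below is an added example, not code from Cisco Talos, TechRadar or the Kraken operators: it turns those behaviours into simple hunting rules and runs them over a handful of constructed process and file events. Only the ransom note name and the .zpsc extension come from the article; the command-line shapes it matches (vssadmin, wmic, wbadmin, cloudflared, sshfs, wevtutil, history -c) and the idea that the benchmark shows up as a temp file that is created, written and deleted within a couple of seconds are the author's assumptions about how such activity usually appears in logs, not published indicators.

```python
"""Hunting rules for the Kraken tradecraft described in this article.

Added example, not Cisco Talos, TechRadar or Kraken code. The article names
the behaviour, the .zpsc extension and the ransom note file name; the command
lines matched below and the short-lived-temp-file heuristic are assumptions
about how that behaviour typically looks in endpoint telemetry, and every
event in SAMPLE_EVENTS is constructed, not a real log record.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    ts: float      # seconds; constructed, monotonic per host
    kind: str      # "process" | "file_create" | "file_write" | "file_delete"
    detail: str    # command line for process events, full path for file events


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# (rule name, event kind, pattern). Command-line patterns are assumptions;
# only the ransom note name and the .zpsc extension come from the article.
RULES = [
    ("shadow_copy_or_backup_tampering", "process", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("tunnel_persistence", "process",
     re.compile(r"cloudflared(\.exe)?\s+.*\btunnel\b", re.I)),
    ("sshfs_lateral_movement", "process",
     re.compile(r"(^|\s)sshfs\s+\S+:\S*\s+\S+", re.I)),
    ("anti_forensics", "process", re.compile(
        r"wevtutil(\.exe)?\s+cl\s|history\s+-c|rm\s+-r?f\s+\S*\.bash_history", re.I)),
    ("kraken_ransom_note", "file_create",
     re.compile(r"(^|[\\/])readme_you_ws_hacked\.txt$", re.I)),
    ("kraken_encrypted_file", "file_create", re.compile(r"\.zpsc$", re.I)),
]


def match_rules(events):
    """Apply every regex rule to every event of the matching kind."""
    return [Finding(ev.host, name, ev.detail)
            for ev in events
            for name, kind, pat in RULES
            if ev.kind == kind and pat.search(ev.detail)]


def benchmark_probes(events, window=2.0):
    """Files created, written and deleted on one host within `window` seconds.

    Assumed on-disk signature of the benchmark step (write random data, encrypt
    it, delete it). Noisy on its own: meant to be correlated with other rules.
    """
    open_files = {}   # (host, path) -> [create_ts, write_count]
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.detail.lower())
        if ev.kind == "file_create":
            open_files[key] = [ev.ts, 0]
        elif ev.kind == "file_write" and key in open_files:
            open_files[key][1] += 1
        elif ev.kind == "file_delete" and key in open_files:
            created, writes = open_files.pop(key)
            if writes and ev.ts - created <= window:
                findings.append(Finding(ev.host, "short_lived_temp_file", ev.detail))
    return findings


def hunt(events):
    return match_rules(events) + benchmark_probes(events)


def correlate(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired, with the rules."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed telemetry for a file server, a jump host, an ESXi host and a
# developer workstation that only does ordinary things.
SAMPLE_EVENTS = [
    Event("fs01", 100.0, "file_create", r"C:\Windows\Temp\tmp7f3a.bin"),
    Event("fs01", 100.4, "file_write", r"C:\Windows\Temp\tmp7f3a.bin"),
    Event("fs01", 100.9, "file_delete", r"C:\Windows\Temp\tmp7f3a.bin"),
    Event("fs01", 101.2, "process", "vssadmin.exe delete shadows /all /quiet"),
    Event("fs01", 110.0, "file_create", r"\\fs01\share\finance\q3.xlsx.zpsc"),
    Event("fs01", 110.1, "file_create", r"\\fs01\share\finance\readme_you_ws_hacked.txt"),
    Event("jump01", 50.0, "process", "cloudflared.exe tunnel run --token REDACTED"),
    Event("jump01", 55.0, "process", "sshfs admin@10.0.0.5:/srv/data /mnt/loot -o reconnect"),
    Event("esx01", 200.0, "process", "rm -f /root/.bash_history"),
    Event("dev02", 300.0, "process", r"notepad.exe C:\Users\bob\readme.txt"),
    Event("dev02", 301.0, "file_create", r"C:\Users\bob\AppData\Local\Temp\build.tmp"),
    Event("dev02", 330.0, "file_delete", r"C:\Users\bob\AppData\Local\Temp\build.tmp"),
]


if __name__ == "__main__":
    for host, rules in correlate(hunt(SAMPLE_EVENTS)).items():
        print(host, rules)
```

Run stand-alone, it reports fs01 (benchmark-like temp file, shadow-copy deletion, .zpsc file and ransom note) and jump01 (tunnel plus SSHFS), while esx01 with a single history wipe and the developer workstation stay below the two-rule threshold. That correlation step matters more than any single pattern: cloudflared and sshfs are legitimate admin tools in many environments, and short-lived temp files are everywhere, so each rule should be tuned against your own baseline and the real indicators taken from the Talos repository the article references.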
Staying safe against threats like Kraken requires a consistent approach to limiting exposure and reducing potential damage. Organizations must maintain strong ransomware protection and ensure that backups, access controls, and network segmentation are properly enforced and monitored.
Keeping antivirus software up to date helps detect malicious files before they can spread, while malware removal tools clean up the remnants of an intrusion.
Limiting Internet-exposed services, patching vulnerabilities, and enforcing strong authentication further reduce the opportunities available to attackers.



