
Redazione RHC : 15 November 2025 13:05
Cisco Talos researchers have detected an active wave of attacks using a new ransomware called Kraken. The group began operating in February 2025 and uses double-extortion methods, without targeting specific industries. Victims include companies in the United States, the United Kingdom, Canada, Denmark, Panama, and Kuwait.
Kraken infects Windows, Linux, and VMware ESXi systems, distributing separate versions of the ransomware for each system. The program uses the .zpsc extension and leaves a note, "readme_you_ws_hacked.txt", threatening to publish the data on its leak site. In one instance, the attackers demanded a ransom of approximately $1 million in Bitcoin.
In one attack, attackers exploited an SMB vulnerability to gain initial access, then gained a foothold in the system using Cloudflare’s tunneling tool and used the SSHFS utility to steal data. After gaining privileges, they moved across the network via RDP and deployed ransomware to other machines.
Kraken operates with a variety of parameters, including full or partial encryption, block size selection, execution delay, and performance testing. Before encryption, the program evaluates the system's performance and selects the most efficient mode, helping to inflict maximum damage without causing overload or suspicion.
On Windows, Kraken is implemented as a 32-bit C++ application, possibly packaged in Go. It disables WoW64 filesystem redirection, gains debugging privileges, stops backup services, deletes restore points, and empties the Recycle Bin. Only directories that allow the victim to contact the operator remain accessible.
The ransomware simultaneously attacks SQL databases, local drives, network shares, and Hyper-V virtual machines, using PowerShell commands to shut down the VMs and obtain the paths to their storage. It avoids system folders and executable files to preserve operating system functionality.
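A defender reading the two paragraphs above will want the named indicators turned into something that can be run over endpoint telemetry. The following triage script is an added example (it is not Cisco Talos or Red Hot Cyber code) and uses only what the article states: the .zpsc extension, the readme_you_ws_hacked.txt note, and PowerShell being used to stop Hyper-V VMs and locate their storage. The article does not name the cmdlets involved; Stop-VM, Get-VM and Get-VMHardDiskDrive are the standard Hyper-V module cmdlets and are used here as an assumption. The event records are constructed for the example.

```python
"""Triage constructed endpoint events for the Kraken indicators named in the article.

Added example, not vendor code. Indicators from the page: .zpsc extension,
readme_you_ws_hacked.txt note, PowerShell used against Hyper-V VMs.
The Hyper-V cmdlet names below are an assumption (the article does not list them).
"""
import re
from collections import Counter

RANSOM_EXT = ".zpsc"
RANSOM_NOTE = "readme_you_ws_hacked.txt"
# Standard Hyper-V cmdlets a VM-shutdown/storage-enumeration step would use (assumption).
HYPERV_CMDLETS = re.compile(r"\b(Stop-VM|Get-VM|Get-VMHardDiskDrive)\b", re.IGNORECASE)

# Constructed sample telemetry: (event_type, host, detail)
SAMPLE_EVENTS = [
    ("FileCreate", "WS01", r"C:\Users\alice\Documents\budget.xlsx.zpsc"),
    ("FileCreate", "WS01", r"C:\Users\alice\Documents\readme_you_ws_hacked.txt"),
    ("FileCreate", "WS01", r"C:\Users\alice\Documents\report.docx.zpsc"),
    ("ProcessCreate", "HV01", r'powershell.exe -Command "Get-VM | Stop-VM -Force"'),
    ("ProcessCreate", "HV01", r'powershell.exe -Command "Get-VM | Get-VMHardDiskDrive | Select Path"'),
    ("FileCreate", "WS02", r"C:\Users\bob\Pictures\holiday.jpg"),
    ("ProcessCreate", "WS02", r"powershell.exe -File C:\scripts\inventory.ps1"),
]


def classify(event):
    """Return the indicator tags raised by one event (empty list if nothing matches)."""
    kind, _host, detail = event
    tags = []
    lowered = detail.lower()
    if kind == "FileCreate":
        if lowered.endswith(RANSOM_EXT):
            tags.append("encrypted_file_ext")
        # Compare on the basename so the note is found in any directory.
        if lowered.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            tags.append("ransom_note")
    elif kind == "ProcessCreate" and "powershell" in lowered and HYPERV_CMDLETS.search(detail):
        tags.append("hyperv_vm_tampering")
    return tags


def triage(events, ext_threshold=2):
    """Aggregate tags per host and return a verdict for every host that raised any tag.

    A host with at least ext_threshold .zpsc files plus the ransom note is
    'likely_ransomware'; PowerShell driving Hyper-V cmdlets is 'hyperv_vm_tampering';
    anything else that matched is 'suspicious'. Clean hosts are omitted.
    """
    per_host = {}
    for ev in events:
        for tag in classify(ev):
            per_host.setdefault(ev[1], Counter())[tag] += 1
    verdicts = {}
    for host, counts in per_host.items():
        if counts["encrypted_file_ext"] >= ext_threshold and counts["ransom_note"]:
            verdicts[host] = "likely_ransomware"
        elif counts["hyperv_vm_tampering"]:
            verdicts[host] = "hyperv_vm_tampering"
        else:
            verdicts[host] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```

The Hyper-V rule is deliberately narrow: legitimate administration also calls Stop-VM, so in production it should be correlated with the encryption-side indicators (note plus extension) or with the SMB and RDP activity described earlier rather than alerted on alone.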
The Linux/ESXi version is written in C++ and built with crosstool-NG. The program first detects the system type, adapting its behavior to ESXi, Nutanix, Ubuntu, or Synology. In ESXi environments, it shuts down virtual machines before encryption. It also uses anti-analysis mechanisms: daemon mode, ignoring the SIGCHLD and SIGHUP signals, and, after encryption, running a cleanup script that deletes logs, shell history, and the binary itself.
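The three Linux traits just listed (daemonised process, SIGHUP and SIGCHLD ignored, binary deleted after launch) are all visible from /proc and can be hunted for without knowing the sample's name or hash, neither of which the article gives. The script below is an added example (not Talos or RHC code) that parses /proc/<pid>/status text and the /proc/<pid>/exe link target; the process snapshots are constructed, and treating PPid 1 as evidence of daemonisation is a heuristic assumed here.

```python
"""Hunt for the Linux anti-analysis traits the article attributes to Kraken.

Added example, not vendor code. Reads /proc/<pid>/status-style text and the
/proc/<pid>/exe link target. Signal numbers are Linux (x86-64) values.
Sample snapshots are constructed.
"""
import os

LINUX_SIGHUP = 1    # bit 0 of the SigIgn mask
LINUX_SIGCHLD = 17  # bit 16 of the SigIgn mask

# Constructed snapshots: pid, /proc/<pid>/status body, readlink('/proc/<pid>/exe')
SAMPLE_SNAPSHOTS = [
    {"pid": 4321,
     "status": "Name:\tupdater\nState:\tS (sleeping)\nPPid:\t1\nSigIgn:\t0000000000010001\n",
     "exe": "/tmp/.x/updater (deleted)"},
    {"pid": 1200,
     "status": "Name:\tsshd\nState:\tS (sleeping)\nPPid:\t1\nSigIgn:\t0000000000000000\n",
     "exe": "/usr/sbin/sshd"},
    {"pid": 2222,
     "status": "Name:\tbash\nState:\tS (sleeping)\nPPid:\t1199\nSigIgn:\t0000000000380004\n",
     "exe": "/usr/bin/bash"},
]


def _status_field(status_text, key):
    """Return the raw value of one 'Key:\\tvalue' line from a /proc status body, or None."""
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return None


def parse_sigign(status_text):
    """Return the set of signal numbers whose bit is set in the SigIgn hex mask."""
    raw = _status_field(status_text, "SigIgn")
    if raw is None:
        return set()
    mask = int(raw, 16)
    return {n for n in range(1, 65) if mask & (1 << (n - 1))}


def assess(snapshot):
    """Return the list of findings for one process snapshot (empty if nothing matches)."""
    findings = []
    ignored = parse_sigign(snapshot["status"])
    if {LINUX_SIGHUP, LINUX_SIGCHLD} <= ignored:
        findings.append("ignores_sighup_and_sigchld")
    # Heuristic: a process reparented to PID 1 is what classic double-fork daemonisation leaves.
    if _status_field(snapshot["status"], "PPid") == "1":
        findings.append("reparented_to_init")
    # The kernel appends ' (deleted)' to the exe link when the binary was unlinked after exec.
    if snapshot["exe"].endswith(" (deleted)"):
        findings.append("binary_deleted_on_disk")
    return findings


def scan(snapshots, min_findings=2):
    """Return pids that raise at least min_findings traits; a lone PPid 1 is normal for services."""
    return [s["pid"] for s in snapshots if len(assess(s)) >= min_findings]


def read_live_snapshots():
    """Collect snapshots from the running system (Linux only, needs read access to /proc)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                status = fh.read()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited or exe unreadable (permission)
        out.append({"pid": int(entry), "status": status, "exe": exe})
    return out


if __name__ == "__main__":
    for pid in scan(SAMPLE_SNAPSHOTS):
        print(pid, assess(SAMPLE_SNAPSHOTS[[s["pid"] for s in SAMPLE_SNAPSHOTS].index(pid)]))
```

Run as root on a live host, replace SAMPLE_SNAPSHOTS with read_live_snapshots(); the binary-deleted check is the strongest of the three signals because the cleanup step the article describes removes the file but cannot remove the mapping of the already-running process.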
Kraken is active on the dark web. On its website, the group announced the creation of an underground forum, "The Last Haven Board", which aims to provide an anonymous platform for the cybercriminal community. According to moderators, former members of HelloKitty and the exploit-buying group WeaCorp have joined the project. According to Talos, HelloKitty served as the inspiration for Kraken: both groups use identical names for ransom notes and blog images.
Kraken is one of the most technologically advanced ransomware programs available today, capable of evaluating system performance before attacking, adapting to different platforms, and employing sophisticated obfuscation techniques. In addition to its sophisticated ransomware architecture, the group is active on the dark web, promoting its platform and receiving support from notorious cybercriminals. Given its scale and speed of development, Kraken could become a major threat to corporate infrastructure in the near future.