- Kraken ransomware measures system performance before deciding the extent of encryption damage
- Shadow copies, recycle bin and backup copies are deleted before encryption starts
- Windows, Linux, and ESXi systems all face Kraken’s benchmark-driven attacks
The Kraken ransomware campaign introduces a benchmark step that times the encryption of a temporary file to determine how quickly it can encrypt a victim’s data.
Cisco Talos researchers found that the malware creates a random data file, encrypts it, records the speed, and deletes the test file.
The result guides the hackers in choosing between full encryption and a partial approach that still damages files while avoiding excessive system load that could reveal their activity.
Targeting key business assets
In their report, the researchers outlined how Kraken prepares each compromised environment by deleting shadow copies, emptying the Recycle Bin and disabling backup services.
The Windows version includes four separate modules designed to locate and encrypt SQL databases, network shares, local drives, and Hyper-V virtual machines.
These modules verify paths, stop active virtual machines, and apply multi-threaded encryption to increase coverage.
The Linux and ESXi editions terminate running virtual machines to unlock their disk files and apply the same benchmark-based logic before encrypting data across the host.
Once the encryption phase is complete, the ransomware executes a script that clears logs, deletes shell history, removes the binary, and eliminates evidence of the operation.
Files receive the .zpsc extension and a ransom note titled readme_you_ws_hacked.txt appears on the affected sites.
Cisco reported a case where the attackers demanded $1 million in Bitcoin, and relevant indicators of compromise are documented in a public repository.
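A small filesystem sweep for the two on-disk artifacts the article names (the .zpsc extension and the readme_you_ws_hacked.txt note), added here as an illustration and not taken from the Talos report; the sample directory tree, the `min_encrypted` threshold and the function names are assumptions.

```python
"""Scan a directory tree for the Kraken artifacts named in the article:
files renamed with the .zpsc extension and ransom notes called
readme_you_ws_hacked.txt. Thresholds and sample data are assumptions."""
import os
import tempfile

ENCRYPTED_EXT = ".zpsc"                   # extension applied to encrypted files (from the article)
RANSOM_NOTE = "readme_you_ws_hacked.txt"  # ransom note file name (from the article)


def scan_tree(root, min_encrypted=5):
    """Walk `root` and collect Kraken indicators.

    Returns the paths of files carrying the encrypted extension, the
    directories holding a ransom note, and a verdict. `min_encrypted` is an
    assumed threshold so a single stray file does not trigger on its own.
    """
    encrypted = []
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif name.lower() == RANSOM_NOTE:
                note_dirs.append(dirpath)
    # A ransom note alone is a strong signal; otherwise require a cluster of renamed files.
    suspicious = bool(note_dirs) or len(encrypted) >= min_encrypted
    return {"encrypted": encrypted, "note_dirs": note_dirs, "suspicious": suspicious}


def build_sample_tree():
    """Create a constructed demo tree (empty placeholder files, not real malware output)."""
    root = tempfile.mkdtemp(prefix="kraken_demo_")
    share = os.path.join(root, "share")
    os.makedirs(share)
    for i in range(3):
        open(os.path.join(share, f"report{i}.docx{ENCRYPTED_EXT}"), "w").close()
    with open(os.path.join(share, RANSOM_NOTE), "w") as note:
        note.write("constructed sample note\n")
    open(os.path.join(root, "untouched.txt"), "w").close()
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"ransom notes in: {result['note_dirs']}")
    print("verdict:", "SUSPICIOUS" if result["suspicious"] else "clean")
```

Run it against a file share or a mounted forensic image instead of the demo tree; both indicators are case-insensitive matches, so adjust the names if a variant changes them.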
Kraken appears to share operational traits with the earlier HelloKitty ransomware group, as both groups use identical ransom note file names and refer to each other on leak sites.
The hackers behind Kraken also announced a new underground forum called The Last Haven Board, which claims to offer a secure channel for communication within the cybercrime ecosystem.
In documented cases, attackers gained initial access by exploiting vulnerable SMB services exposed to the Internet, harvesting administrator credentials and re-entering the environment using Remote Desktop.
Persistence was maintained through Cloudflare tunnels and SSHFS was used to move through the network and exfiltrate data.
The attackers deployed the Kraken binary afterwards and used stolen credentials to spread across additional systems.
Staying safe from threats like Kraken requires a consistent approach to limiting exposure and reducing potential damage. Organizations should maintain strong ransomware protection and ensure that backups, access controls and network segmentation are properly applied and monitored.
Keeping antivirus software up-to-date helps detect malicious files before they can spread, while common malware removal tools remove remnants of intrusions.
Restricting Internet-facing services, patching vulnerabilities, and enforcing strong authentication further reduce attackers’ options.