Cyberwire Daily

Kraken Uses Benchmarking to Enhance Ransomware Attacks

By Team-CWD, November 17, 2025


A series of big-game hunting incidents and double extortion attacks carried out by Kraken, a Russian-speaking operation that has emerged from the ashes of the HelloKitty cartel, was observed in August 2025 by Cisco Talos and detailed in an advisory published last week.

The group has been linked to intrusions where Server Message Block (SMB) flaws were abused for entry, followed by the use of Cloudflare for persistence and SSH Filesystem (SSHFS) for data theft before encryption.

Kraken’s toolkit spans Windows, Linux and VMware ESXi, giving it reach across many enterprise environments.

A New Ransomware Strain 

What’s new is Kraken’s unusual benchmarking step, which measures how quickly a victim machine can process encryption before the malware initiates its file-locking routine. This allows the attackers to tailor the encryption method for maximum impact while reducing the chance of triggering system instability or detection.

The group also announced a new underground discussion space, The Last Haven Board, on its leak site, in an effort to create a secure hub for cybercrime collaboration.

Kraken, active since February 2025, relies on double extortion and appears opportunistic rather than focused on specific sectors.

Victims listed on its site include organizations in the US, the UK, Canada, Denmark, Panama and Kuwait.

It applies the .zpsc extension, issues a ransom note titled readme_you_ws_hacked.txt and threatens to publish stolen files if contacted through its onion service.


External reporting and Talos observations indicate possible overlap with the HelloKitty threat group. Kraken’s leak portal references HelloKitty by name, and both groups use the same ransom note filename.

The launch of Last Haven included claimed support from HelloKitty operators and WeaCorp, an exploit-buying outfit, adding weight to the theory that Kraken spun out from the earlier cartel.

Kraken Attack Tactics

Talos documented one case in which Kraken actors broke in through an exposed SMB service, extracted privileged credentials, then returned via Remote Desktop.

Afterward, they installed Cloudflare to maintain access, deployed SSHFS to browse and siphon data, and pushed the encryptor across the network via Remote Desktop Protocol (RDP). They demanded roughly $1m in Bitcoin and pledged decryption and non-disclosure after payment.

Key elements of Kraken’s tactics include:

  • Cross-platform encryptors

  • Benchmark-based encryption decisions

  • Multi-threaded modules targeting SQL databases, network shares, local drives and virtual machines

Talos attributed this activity to an increasingly organized group attempting to claim the space left vacant by the collapse of the HelloKitty cartel.

To defend against threats such as this, organizations should strengthen credential hygiene, limit exposure of remote services, harden backup strategies and adopt continuous monitoring to spot abnormal tunneling or data access activity early.
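As an added illustration of that monitoring advice (not code from Talos or from this article), the sketch below runs three detection rules over endpoint telemetry using the indicators reported above: the .zpsc extension, the readme_you_ws_hacked.txt note, and the tunneling and SSHFS stage. The event format, the watched binary names, the burst threshold and the sample events are all assumptions constructed for the example.

```python
import ntpath
from collections import defaultdict, deque

ENCRYPTED_EXT = ".zpsc"                    # extension named in the article
RANSOM_NOTE = "readme_you_ws_hacked.txt"   # note filename named in the article
WATCHED_TOOLS = {"cloudflared", "sshfs"}   # assumption: binary names to watch
BURST_COUNT, BURST_WINDOW = 5, 60          # assumption: 5 renames within 60 s

def basename(path):
    # ntpath splits on both "\" and "/", so Windows and POSIX paths both work.
    return ntpath.basename(path).lower()

def detect(events):
    """Return sorted (host, rule) alerts; events must be ordered by 'ts'."""
    alerts = set()
    renames = defaultdict(deque)  # host -> timestamps of recent .zpsc renames
    for ev in events:
        host, name = ev["host"], basename(ev["path"])
        if ev["type"] == "file_create" and name == RANSOM_NOTE:
            alerts.add((host, "ransom_note_created"))
        elif ev["type"] == "file_rename" and name.endswith(ENCRYPTED_EXT):
            window = renames[host]
            window.append(ev["ts"])
            # Drop renames that fell out of the sliding window.
            while window[0] < ev["ts"] - BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT:
                alerts.add((host, "zpsc_rename_burst"))
        elif ev["type"] == "process_start":
            tool = name[:-4] if name.endswith(".exe") else name
            if tool in WATCHED_TOOLS:
                alerts.add((host, "tunnel_or_sshfs_tool_started"))
    return sorted(alerts)

# Constructed sample telemetry (hosts, paths and times are invented).
SAMPLE_EVENTS = (
    [{"host": "fs01", "ts": 100, "type": "process_start", "path": r"C:\ProgramData\cloudflared.exe"},
     {"host": "fs01", "ts": 400, "type": "process_start", "path": r"C:\Tools\sshfs.exe"}]
    + [{"host": "fs01", "ts": 900 + i, "type": "file_rename", "path": rf"D:\share\doc{i}.xlsx.zpsc"}
       for i in range(6)]
    + [{"host": "fs01", "ts": 910, "type": "file_create", "path": r"D:\share\readme_you_ws_hacked.txt"},
       # Benign host: a single stray .zpsc file and an ordinary ssh client.
       {"host": "ws07", "ts": 950, "type": "file_rename", "path": "/home/a/old.zpsc"},
       {"host": "ws07", "ts": 960, "type": "process_start", "path": "/usr/bin/ssh"}]
)

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(host, rule)
```

The tool-start rule fires well before any file is renamed, which is the point of watching for tunneling and data access early; both tools have legitimate uses, so that rule needs an allowlist of hosts where they are expected.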


