The PolySwarm Blog


Kraken Ransomware

Nov 21, 2025 1:56:50 PM / by The Hivemind

Verticals Targeted: None specified
Regions Targeted: United States, United Kingdom, Canada, Denmark, Panama, Kuwait
Related Families: HelloKitty

Executive Summary

Kraken is a ransomware operation that appears to have evolved from the defunct HelloKitty cartel. Active since February 2025, Kraken conducts opportunistic double-extortion attacks using cross-platform encryptors and sophisticated post-exploitation tooling. 

Key Takeaways

  • Kraken maintains distinct 32/64-bit encryptors for Windows, Linux, and VMware ESXi, written in C++ with extensive command-line configurability.
  • Observed initial access via internet-exposed SMB service vulnerabilities, followed by credential theft, RDP re-entry, Cloudflared reverse tunnels for persistence, and SSHFS for exfiltration.
  • A pre-encryption benchmarking routine measures victim system performance to optimize speed and to select full versus partial encryption modes.
  • Encryption relies on RSA-4096 public keys together with the ChaCha20 stream cipher, and encrypted files are given the .zpsc extension.

What is Kraken Ransomware?

In mid-2025 Cisco Talos responded to multiple Kraken intrusions that highlight the group’s technical maturity and operational continuity with the former HelloKitty operation. The threat actors, believed to include former HelloKitty members, have built a highly flexible ransomware payload that functions reliably across Windows, Linux, and ESXi environments, an increasingly common requirement for big-game hunting crews.

Initial access in observed cases leveraged unpatched SMB services exposed to the public internet. Once inside, attackers harvested privileged credentials, re-entered via RDP, and established durable remote access by deploying Cloudflared to create reverse tunnels. Data exfiltration occurred over mounted SSHFS filesystems, allowing quiet staging before encryption commenced.

Kraken’s encryptors stand out for their rich command-line interface and performance-aware design. Prior to locking files, the malware can execute a benchmarking routine that writes and encrypts a temporary multi-megabyte file, measures throughput in MB/s, and automatically adjusts encryption parameters to avoid system overload while maximizing impact. This adaptive behavior is uncommon among commodity ransomware families.

The Windows variant is a 32-bit C++ binary, often protected by a Golang-based packer. It disables WoW64 filesystem redirection to reach 64-bit system directories, elevates process token privileges for SeDebugPrivilege, and performs anti-analysis tricks including heavy control-flow obfuscation, manipulated exception handlers, timed sleeps, shadow copy deletion, and recycle bin clearing. Separate worker threads handle local drives, accessible network shares, Microsoft SQL databases, and Hyper-V VMs.

The Linux/ESXi build is a 64-bit ELF compiled with crosstool-NG. It detects the underlying platform and, on ESXi hosts, terminates running VMs before encryption. Multi-threaded ChaCha20 encryption supports both full-file and block-based partial modes. After encryption, a self-delete script wipes logs, shell history, and the binary itself.
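The behaviours described above (Cloudflared reverse tunnels, SSHFS mounts for exfiltration, shadow copy deletion, and mass renaming to the .zpsc extension) can be turned into a simple detection pass over endpoint telemetry. This is an added example, not code from the post or from Cisco Talos; the telemetry line format, the constructed sample events, the vssadmin command line and the rename threshold are assumptions for illustration.

```python
"""Toy detection pass for the Kraken behaviours listed in the bulletin.
Added example; log format, sample lines and thresholds are assumed."""
import re
from collections import Counter

# Constructed sample telemetry, one event per line: "<type> <details>".
SAMPLE_LOG = """\
proc cmd="cloudflared tunnel run --token REDACTED"
proc cmd="sshfs user@203.0.113.5:/staging /mnt/stage"
proc cmd="vssadmin delete shadows /all /quiet"
file rename old=C:\\data\\q3.xlsx new=C:\\data\\q3.xlsx.zpsc
file rename old=C:\\data\\q4.xlsx new=C:\\data\\q4.xlsx.zpsc
file rename old=C:\\data\\plan.docx new=C:\\data\\plan.docx.zpsc
file rename old=C:\\tmp\\a.txt new=C:\\tmp\\a.bak
"""

# Process-creation rules: (alert name, pattern matched against the command line).
# The vssadmin form is an assumed example of the shadow copy deletion the post reports.
PROC_RULES = [
    ("cloudflared_tunnel", re.compile(r"\bcloudflared\b.*\btunnel\b")),
    ("sshfs_mount", re.compile(r"\bsshfs\b")),
    ("shadow_copy_deletion", re.compile(r"vssadmin.*delete\s+shadows", re.I)),
]
ZPSC_THRESHOLD = 3  # assumed: this many .zpsc renames in one log window raises an alert


def analyze(log: str) -> dict:
    """Return {alert_name: count} for every behaviour matched in the log text."""
    alerts = Counter()
    zpsc_renames = 0
    for line in log.splitlines():
        kind, _, details = line.partition(" ")
        if kind == "proc":
            m = re.search(r'cmd="([^"]*)"', details)
            cmd = m.group(1) if m else ""
            for name, pattern in PROC_RULES:
                if pattern.search(cmd):
                    alerts[name] += 1
        elif kind == "file" and details.startswith("rename"):
            # Count files renamed to the .zpsc extension the post associates with Kraken.
            m = re.search(r"new=(\S+)", details)
            if m and m.group(1).lower().endswith(".zpsc"):
                zpsc_renames += 1
    if zpsc_renames >= ZPSC_THRESHOLD:
        alerts["zpsc_mass_rename"] = zpsc_renames
    return dict(alerts)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```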

Kraken continues the double-extortion model, demanding ransom for unlocking files and for not leaking stolen information. In September 2025 the group launched “The Last Haven Board,” an underground forum explicitly backed by remaining HelloKitty personnel and the WeaCorp exploit brokerage.

IOCs

PolySwarm has multiple samples of Kraken.

