Kraken Ransomware Benchmarks Systems For Optimal Encryption Choice
The Kraken ransomware, which targets Windows, Linux/VMware ESXi systems, is testing machines to check how fast it can encrypt data without overloading them.
According to Cisco Talos researchers, this is a rare capability: Kraken writes temporary files to benchmark the host and then chooses between full and partial data encryption.
The Kraken ransomware emerged at the beginning of the year as a continuation of the HelloKitty operation, and engages in big-game hunting attacks with data theft for double extortion.
The gang's data leak site lists victims from the United States, the UK, Canada, Panama, Kuwait, and Denmark.
Cisco researchers note that various mentions on Kraken’s site, as well as similarities in the ransom note, indicate connections with the now defunct HelloKitty ransomware that gained prominence in 2021 and attempted a rebranding after the leak of its source code.
Apart from the ransomware operation, Kraken has also launched a new cybercrime forum named “The Last Haven Board” to facilitate supposedly secure communications and exchanges.
According to Cisco’s observations, Kraken ransomware attacks typically begin with the exploitation of SMB vulnerabilities on internet-facing assets, providing the threat actors with an initial foothold.
Next, the intruder extracts admin account credentials and uses them to re-enter the environment via Remote Desktop Protocol (RDP) and deploy the Cloudflared and SSHFS tools.
Cloudflared is used for creating a reverse tunnel from the victim host back to the attacker’s infrastructure, and SSHFS allows exfiltrating data through mounted remote filesystems.
Using persistent Cloudflared tunnels and RDP, Kraken operators navigate compromised networks and move laterally to all reachable machines to steal valuable data and lay the ground for the deployment of the ransomware binaries.
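The chain described above (RDP re-entry with stolen admin credentials, then Cloudflared and SSHFS dropped on the host) gives defenders a simple correlation to hunt for. The following Python is an added example, not code from the article or from Cisco Talos: it walks a constructed list of host events and flags machines where one of the named tools ran after an interactive RDP logon (Windows logon type 10). The event layout and all sample values are assumptions made for this example, not a real EDR or SIEM schema.

```python
"""Correlate RDP logons with later execution of tunnelling / remote-FS tools.

The event tuples below are constructed sample data for this example; the
field layout (timestamp, host, event kind, detail) is an assumed schema.
"""
from collections import defaultdict

# Tool process names the report associates with post-RDP activity.
# Both bare and .exe forms are listed so Linux/ESXi and Windows hosts match.
SUSPECT_TOOLS = {"cloudflared", "cloudflared.exe", "sshfs", "sshfs.exe"}

# Constructed sample events (ISO timestamp, hostname, kind, detail).
SAMPLE_EVENTS = [
    ("2025-11-10T08:01:00Z", "srv-files01", "logon", "type=10 user=backupadm"),
    ("2025-11-10T08:04:12Z", "srv-files01", "process", "cloudflared.exe"),
    ("2025-11-10T08:05:40Z", "srv-files01", "process", "sshfs.exe"),
    ("2025-11-10T09:00:00Z", "wks-hr07", "process", "cloudflared.exe"),  # no RDP logon first
    ("2025-11-10T09:30:00Z", "srv-db02", "logon", "type=10 user=dba"),
    ("2025-11-10T09:31:00Z", "srv-db02", "process", "notepad.exe"),
]


def parse_event(ev):
    """Turn a raw tuple into a dict; kept separate so a real log parser can replace it."""
    ts, host, kind, detail = ev
    return {"ts": ts, "host": host, "kind": kind, "detail": detail.strip()}


def find_suspect_tools(events):
    """Low-confidence tier: every host that ran one of the suspect tools at all.

    Returns {host: [tool names in time order]}.
    """
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        e = parse_event(ev)
        if e["kind"] == "process" and e["detail"].lower() in SUSPECT_TOOLS:
            hits[e["host"]].append(e["detail"].lower())
    return dict(hits)


def find_tunnel_after_rdp(events):
    """High-confidence tier: suspect tool executed on a host *after* an
    interactive RDP logon (logon type 10) was seen on that same host.

    Returns {host: [tool names in time order]}.
    """
    rdp_seen = set()
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        e = parse_event(ev)
        if e["kind"] == "logon" and "type=10" in e["detail"]:
            rdp_seen.add(e["host"])
        elif e["kind"] == "process":
            name = e["detail"].lower()
            if name in SUSPECT_TOOLS and e["host"] in rdp_seen:
                hits[e["host"]].append(name)
    return dict(hits)


if __name__ == "__main__":
    for host, tools in find_tunnel_after_rdp(SAMPLE_EVENTS).items():
        print(f"[HIGH] {host}: {', '.join(tools)} launched after RDP logon")
    for host, tools in find_suspect_tools(SAMPLE_EVENTS).items():
        print(f"[INFO] {host}: suspect tooling seen: {', '.join(tools)}")
```

The two tiers matter in practice: Cloudflared and SSHFS have legitimate administrative uses, so their mere presence is only worth an informational alert, whereas the same tools appearing minutes after an RDP logon with an account that should not normally use them is the sequence the report describes and deserves a triage ticket.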
Source: BleepingComputer