Kraken ransomware benchmarking full-or-partial encryption
Malware Activity
Summary
Hide ▲
Show ▼
Kraken ransomware is a Russian-speaking operation linked to the HelloKitty cartel that has been observed in August 2025 using SMB abuse, Cloudflare persistence, and SSHFS-assisted data theft before encryption. Cisco Talos says the group targets Windows, Linux, and VMware ESXi environments, uses double extortion, and has demanded about $1 million in Bitcoin in at least one case. The latest reporting adds that Kraken uses a per-machine benchmarking step to decide how to apply encryption, helping tailor impact before the file-locking routine begins.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
Amadey and StealC shared-infrastructure malware activity
Malware Activity
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
Amadey and StealC shared-infrastructure malware activity
Malware ActivityAbout this happening: The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Timeline
-
14.11.2025 00:53 3 articles · 7mo ago
Cisco Talos analyzes Kraken ransomware's benchmarking and encryption workflow
Technical Analysis UpdateCisco Talos describes Kraken ransomware as targeting Windows and Linux/VMware ESXi systems with a per-machine benchmarking step that uses temporary files to decide between full or partial encryption. The operators are reported to begin intrusions by exploiting SMB vulnerabilities on internet-facing assets, then reuse stolen admin credentials through Remote Desktop Protocol (RDP), deploy Cloudflared and SSHFS, and move laterally to steal data and prepare ransomware deployment. The workflow also includes deleting shadow volumes and the Recycle Bin, stopping backup services, dropping the .zpsc extension and readme_you_ws_hacked.txt ransom note, and running bye_bye.sh to remove logs, shell history, the Kraken binary, and the script itself; Cisco also notes one observed demand of $1 million in Bitcoin and says the operation is linked to HelloKitty and associated with The Last Haven Board forum.
Show sources
- Kraken ransomware benchmarks systems for optimal encryption choice — www.bleepingcomputer.com — 14.11.2025 00:53
- Kraken ransomware benchmarks systems for optimal encryption choice — www.bleepingcomputer.com — 14.11.2025 00:53
- Kraken Uses Benchmarking to Enhance Ransomware Attacks — www.infosecurity-magazine.com — 17.11.2025 18:45