
Kraken ransomware benchmarking full-or-partial encryption

Malware Activity
Happening score: 44
2 unique sources, 2 articles

Summary


Kraken ransomware is a Russian-speaking operation linked to the HelloKitty cartel. In August 2025 it was observed abusing SMB for initial access, using Cloudflare tunnelling for persistence, and stealing data over SSHFS before encryption. Cisco Talos says the group targets Windows, Linux, and VMware ESXi environments, runs a double-extortion model, and has demanded about $1 million in Bitcoin in at least one case. The latest reporting adds that Kraken performs a per-machine benchmarking step to decide how to apply encryption, tailoring the impact of the file-locking routine to each host before it begins.

Related Happenings

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

Timeline

  1. 14.11.2025 00:53 · 3 articles

    Cisco Talos analyzes Kraken ransomware's benchmarking and encryption workflow

    Technical Analysis Update

    Cisco Talos describes Kraken ransomware as targeting Windows and Linux/VMware ESXi systems, with a per-machine benchmarking step that writes temporary files to decide between full and partial encryption. The operators are reported to begin intrusions by exploiting SMB vulnerabilities on internet-facing assets, then reuse stolen admin credentials over Remote Desktop Protocol (RDP), deploy Cloudflared and SSHFS, and move laterally to steal data and stage the ransomware. The workflow also deletes shadow volumes and the Recycle Bin, stops backup services, appends the .zpsc extension to encrypted files, drops the readme_you_ws_hacked.txt ransom note, and runs bye_bye.sh to remove logs, shell history, the Kraken binary, and the script itself. Cisco also notes one observed demand of $1 million in Bitcoin and says the operation is linked to HelloKitty and associated with The Last Haven Board forum.
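    As an added defender-side example (not code from the Talos report or from this site), the Python sketch below applies two indicators named above, the .zpsc extension and the readme_you_ws_hacked.txt note, to a snapshot of a file share and samples per-chunk entropy to tell header-only (partial) encryption from full encryption, which is the distinction Kraken's benchmarking step decides. The chunk size and entropy threshold are assumptions, and the share contents are constructed.

```python
import math
import random
from collections import Counter
# Indicators named in the Talos reporting summarised above
RANSOM_NOTE = "readme_you_ws_hacked.txt"
ENCRYPTED_EXT = ".zpsc"
CHUNK = 1024        # assumed sampling granularity, not from the report
HIGH_ENTROPY = 7.5  # bits/byte; ciphertext sits near 8.0, English text near 4.5

def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encryption_coverage(content: bytes, chunk: int = CHUNK) -> str:
    """Label a file body 'plaintext', 'partial' or 'full' by counting chunks that look like ciphertext."""
    profile = [shannon_entropy(content[i:i + chunk])
               for i in range(0, len(content), chunk)]
    high = sum(e >= HIGH_ENTROPY for e in profile)
    if high == 0:
        return "plaintext"
    return "full" if high == len(profile) else "partial"

def triage(snapshot: dict) -> list:
    """Return (path, finding) pairs for a {path: bytes} snapshot of a share."""
    findings = []
    for path, content in snapshot.items():
        name = path.rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            findings.append((path, "ransom note"))
        elif name.endswith(ENCRYPTED_EXT):
            findings.append((path, f"{ENCRYPTED_EXT} file, {encryption_coverage(content)} encryption"))
    return findings

# Constructed snapshot; seeded random bytes stand in for ciphertext.
rng = random.Random(2025)
TEXT = (b"quarterly figures, see attached spreadsheet\n" * 100)[:4096]
SAMPLE_SHARE = {
    "/srv/share/q3.xlsx.zpsc": rng.randbytes(len(TEXT)),              # whole file encrypted
    "/srv/share/disk.vmdk.zpsc": rng.randbytes(2048) + TEXT[2048:],   # first 2 KiB only
    "/srv/share/notes.txt": TEXT,                                       # untouched
    "/srv/share/" + RANSOM_NOTE: b"your files have been encrypted\n",
}

if __name__ == "__main__":
    for path, finding in triage(SAMPLE_SHARE):
        print(f"{path}: {finding}")
```

    Entropy sampling is a heuristic: compressed or already-encrypted originals also score high, so treat the coverage label as a triage hint alongside the filename indicators, not as proof on its own.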
