Kraken ransomware HelloKitty-linked double-extortion campaign
Campaign
Summary
Hide ▲
Show ▼
Kraken ransomware is an active double-extortion campaign linked to the HelloKitty ecosystem and observed in August 2025 using SMB exploitation, Cloudflare persistence, and SSHFS-assisted data theft before encryption. The operation targets Windows, Linux, and VMware ESXi environments, uses a rare benchmarking step to tune encryption behavior, and has listed victims across the US, UK, Canada, Denmark, Panama, and Kuwait. It also appends .zpsc, drops readme_you_ws_hacked.txt, and has included a claimed $1m Bitcoin ransom demand.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
H score39
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
CampaignAbout this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
Timeline
-
14.11.2025 00:53 3 articles · 7mo ago
Kraken ransomware campaign technical analysis
Technical Analysis UpdateKraken ransomware is targeting Windows, Linux, and VMware ESXi systems in a HelloKitty-linked double-extortion campaign that uses SMB exploitation on internet-facing assets, credential theft, RDP re-entry, Cloudflared reverse tunneling, and SSHFS-based exfiltration. Cisco Talos describes a rare benchmarking step that creates temporary files to decide between full or partial encryption, after which Kraken deletes shadow volumes, empties the Recycle Bin, stops backup services, appends the .zpsc extension, and drops readme_you_ws_hacked.txt on impacted directories; one observed case included a $1 million demand in Bitcoin, and gang leak sites list victims in the United States, the UK, Canada, Panama, Kuwait, and Denmark.
Show sources
- Kraken ransomware benchmarks systems for optimal encryption choice — www.bleepingcomputer.com — 14.11.2025 00:53
- Kraken ransomware benchmarks systems for optimal encryption choice — www.bleepingcomputer.com — 14.11.2025 00:53
- Kraken Uses Benchmarking to Enhance Ransomware Attacks — www.infosecurity-magazine.com — 17.11.2025 18:45