Kraken ransomware HelloKitty-linked double-extortion campaign

Campaign
Happening score: H score 49
2 unique sources, 2 articles

Summary

Kraken ransomware is an active double-extortion campaign linked to the HelloKitty ecosystem. It was observed in August 2025 using SMB exploitation, Cloudflared reverse tunneling for persistence, and SSHFS-assisted data theft before encryption. The operation targets Windows, Linux, and VMware ESXi environments, uses a rare benchmarking step to tune encryption behavior, and has listed victims across the US, UK, Canada, Denmark, Panama, and Kuwait. It also appends the .zpsc extension, drops readme_you_ws_hacked.txt, and in one observed case included a claimed $1m Bitcoin ransom demand.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

Timeline

  1. 14.11.2025 00:53 3 articles · 6mo ago

    Kraken ransomware campaign technical analysis

    Technical Analysis Update

    Kraken ransomware is targeting Windows, Linux, and VMware ESXi systems in a HelloKitty-linked double-extortion campaign that uses SMB exploitation on internet-facing assets, credential theft, RDP re-entry, Cloudflared reverse tunneling, and SSHFS-based exfiltration. Cisco Talos describes a rare benchmarking step that creates temporary files to decide between full or partial encryption. After that step, Kraken deletes shadow volumes, empties the Recycle Bin, stops backup services, appends the .zpsc extension, and drops readme_you_ws_hacked.txt in impacted directories. One observed case included a $1 million demand in Bitcoin, and gang leak sites list victims in the United States, the UK, Canada, Panama, Kuwait, and Denmark.