In this article, you will learn who is behind the growth of Kraken activity, what modern techniques this group uses, and why its attacks have become some of the most noticeable in 2025. The material will help you understand the key risks, what organizations should pay attention to, and why Kraken has become a new serious challenge in the field of cybersecurity.
The Kraken ransomware group, which emerged in February 2025, uses a double-extortion technique and appears to be operating opportunistically, as it has not focused on any specific business vertical. According to the Kraken leak site, victims span a variety of geographic regions, including the United States, the United Kingdom, Canada, Denmark, Panama, and Kuwait.
Like other double-extortion operators, Kraken also operates a data leak site to expose stolen data from victims who fail to comply with their ransom demands.

Kraken encrypts the victim’s environment, appending the .zpsc file extension to encrypted files and dropping a ransom note titled “readme_you_ws_hacked.txt.” In the note, the attackers claim to have stolen and encrypted the victim’s sensitive data and instruct the victim to contact them via an onion URL to prevent the stolen data from being published on their leak site.

In one case, the actor demanded around $1 million USD to be paid in Bitcoin to a specified wallet address. The group assures victims that upon successful payment, the environment will be decrypted and the stolen data will not be made public.
According to external reports, Kraken is a Russian-speaking group suspected of having emerged from the ashes of the HelloKitty ransomware cartel, or of having been created by some of its former members, and the HelloKitty name is directly referenced in connection with Kraken. Kraken and HelloKitty have also been observed using the same ransom note file name, which could indicate a connection between the two groups.
In September 2025, the Kraken group announced a new underground forum called “The Last Haven Board” on its data leak blog. According to its description, the main goal of Last Haven is to create an anonymous and safe environment for communication within the cybercriminal underground. It was reported that the administrator of the Last Haven forum announced support and cooperation from the HelloKitty teams and WeaCorp, an organization that purchases exploits. This may hint at the possible involvement of HelloKitty operators in the Kraken group.


In August 2025, the response team recorded one incident where a Kraken attacker gained initial access to a victim machine by exploiting an existing vulnerability in the SMB service on Internet-facing servers. Once they had established themselves on the victim machine, they obtained valid administrator and other privileged account credentials. They then re-logged into the victim environment via Remote Desktop Connection using the stolen privileged account credentials.
After regaining access to the victim computer, the attacker established a persistent connection by installing the Cloudflared tool and setting up a reverse tunnel on the victim computer. In addition, the attacker installed an SSHFS tool on the victim computer, using it to navigate the victim environment and extract sensitive data. The attacker then deployed the Kraken ransomware binary and moved to other machines connected to the infected machine via Remote Desktop Protocol (RDP) connections, using stolen privileged user accounts to deploy the ransomware binaries. Through this persistent remote connection, the attacker executed commands to launch the ransomware on multiple systems in the victim’s environment.
Kraken ransomware is a complex ransomware family with variants targeting Windows, Linux, and ESXi systems. This ransomware offers extensive command-line options, providing operational flexibility to attackers using Kraken ransomware in their attacks. It has the ability to fully or partially encrypt target files, as well as features that allow it to encrypt specific files, including SQL databases and network resources.
To encrypt target files, Kraken ransomware uses RSA with a 4096-bit key length together with the ChaCha20 symmetric stream cipher. In addition, the ransomware includes an encryption benchmarking capability that measures how quickly it can run on a victim’s computer without overloading the system, so that it can cause maximum damage in minimum time while avoiding detection caused by resource exhaustion.
The attacker has been observed running commands in Windows and ESXi environments to execute the encryptor. The Kraken encryptor has a set of command line arguments that can be used depending on the victim’s environment.
Encryptor[.]exe -key <32-byte key> -path <\\targeted path for encryption> -timeout -d
The Windows version of Kraken ransomware is a 32-bit executable written in C++ and possibly obfuscated using a Golang-based packager. The ransomware has features such as re-infection checking, anti-analysis, and anti-recovery, and encrypts targeted files by appending the .zpsc extension.
In the initial execution stage, Kraken processes command-line parameters and performs re-infection checks on the victim’s computer to avoid double encryption. The attacker used re-infection checks to effectively manage decryption keys.
Kraken ransomware disables WoW64 file system redirection on the victim’s computer by calling Wow64EnableWow64FsRedirection with the argument FALSE, which allows the 32-bit binary to access 64-bit system files on a Windows computer.
WoW64 is a compatibility layer in the 64-bit Windows operating system that allows 32-bit programs to run smoothly. A key feature of WoW64 is file system redirection, which ensures that when a 32-bit program tries to access the “C:\Windows\System32” folder, WoW64 redirects it to “C:\Windows\SysWoW64”, allowing the 32-bit program to load the correct 32-bit version of system DLLs.

After WoW64 redirection is disabled, the Kraken ransomware adjusts its process token privileges to enable debug privileges. The ransomware relies on these privileges to access and encrypt files held by other processes. The ransomware also encrypts local drives, network shares, and SQL database files, and disables backup services on 64-bit Windows operating systems. All of these operations performed by the 32-bit ransomware binary require access to the “C:\Windows\System32” folder, and disabling WoW64 redirection is what allows the 32-bit binary to reach the real “C:\Windows\System32” folder on 64-bit Windows.
Kraken ransomware uses anti-analysis techniques to avoid detection, complicate analysis, and prevent execution in isolated environments.
The ransomware uses extensive control flow obfuscation with multiple conditional loops throughout the code, hiding the actual control flow paths and increasing the complexity of static analysis and pattern matching for signature generation.
It also suppresses Windows error dialogs by configuring the process error mode with a call to SetErrorMode using the value 0x8003, which is the bitwise OR of three Windows error mode flags:
SEM_FAILCRITICALERRORS (0x0001) – do not display the critical-error-handler message box
SEM_NOGPFAULTERRORBOX (0x0002) – do not display the general-protection-fault error box
SEM_NOOPENFILEERRORBOX (0x8000) – do not display a message box when a file cannot be found

It uses sleep-based execution delay to avoid sandbox analysis, stops backup services, and executes a built-in command to delete all restore points on the victim machine.
vssadmin delete shadows /all /quiet
It also empties the Recycle Bin using the Windows SHEmptyRecycleBinA function.
Kraken ransomware has the ability to perform performance testing on the victim’s computer before starting the actual encryption. The ransomware can use this feature with command line options such as “-tests”, “-tempfile” and “-tempsize” to evaluate the victim’s computer’s performance and optimize the ransomware’s encryption process.
Kraken does this by first creating a temporary test file at the path and filename specified by the “-tempfile” parameter. It then fills this file with random data, writing it in 1 MB chunks until the total size specified by the “-tempsize” parameter is reached. To time the main operation, the module records the start time using the clock_gettime function, encrypts the test file, and then records the end time. Finally, it calculates the elapsed time and the encryption speed of the victim machine, expressed in MB/s, using the formula:
Speed = ((total bytes / elapsed time) * 1000) / 1048576
where the factor of 1000 converts an elapsed time measured in milliseconds to seconds and 1048576 converts bytes to megabytes.

Based on the results of this throughput measurement, the function determines whether full or partial encryption mode should be used and the maximum size of the file fragments to encrypt. After the performance test, it deletes the test file using the unlink() function.
The Kraken Windows encryptor has four encryption modules, including SQL database, network share, local disk, and Hyper-V encryption. Based on the command line flags provided by the attacker, the encryptor determines which encryption module to execute.
The SQL database encryption module encrypts Microsoft SQL Server databases. To locate database files, the module reads the Microsoft SQL Server registry keys on the victim’s computer, specifically querying “HKLM\SOFTWARE\Microsoft\Microsoft SQL Server” and its “Instance Names\SQL” subkey to find the “MSSQLSERVER” and “SQLEXPRESS” instances. Once an instance is found, it retrieves the “SQLDataRoot” registry value to determine the path to the database files. The module then checks that these paths exist using the PathFileExistsW Windows API before starting to encrypt the database files.
The Network Resource Encryption module enumerates and encrypts available network resources using the Windows WNet API to detect both mapped and unmapped network locations, specifying RESOURCETYPE_DISK and RESOURCETYPE_ANY. During the enumeration, it iterates over the discovered network resources, but explicitly skips the shared ADMIN$ and IPC$ resources. For each available network resource found, the module creates dedicated encryption worker threads to handle the encryption process.

The Local Disk Encryption Module encrypts all locally attached drives by first using the GetLogicalDrives function to enumerate all available drive letters from A to Z. For each letter, it checks the drive type using the GetDriveTypeW function, selecting drives identified as DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_REMOTE, excluding CD-ROM drives and network drives. After constructing a drive path (for example, “X:\”), it creates a dedicated encryption workflow for each drive path it checks.
The Hyper-V Virtual Machine Encryption Module attacks virtual machine files by executing a series of built-in PowerShell commands. First, it disables PowerShell restrictions on the victim machine to ensure that its commands are executed. Then, it discovers virtual machine files by enumerating all virtual machines and extracting the corresponding file paths on their hard drives. To unlock these files for encryption, the module forcibly stops all running virtual machines. After these necessary steps, it creates encryption workflows to encrypt the found virtual machine files. PowerShell commands executed by the module:
powershell -c "Set-ExecutionPolicy bypass"
powershell -c "get-vm | format-list"
powershell -c "get-vm | Get-VMHardDiskDrive | ForEach-Object {$_.Path}"
powershell -c "get-vm | stop-vm -force -turnoff"
The ransomware excludes executable (.exe) and dynamic link library (.dll) files, along with the “Program Files”, “Program Files (x86)” and “ProgramData” folders, from the encryption process on the victim’s computer, so that victims can still use the system to communicate with the attacker.
The Linux or ESXi version of the Kraken ransomware is a 64-bit executable written in C++ and compiled using the crosstool-NG tool version 1.26.0.
During the initial execution phase, the Kraken ransomware executable for Linux processes command line parameters specified by the attacker.
The ransomware runs a platform detection module to determine the type of the victim’s machine by executing the commands listed below and adapting its behavior based on the detected platform.
When attacking ESXi environments, the ransomware enumerates all running virtual machines and forcibly attempts to destroy them by executing the following commands embedded in the ransomware binary:
esxcli vm process list
esxcli vm process kill --type=force --world-id=
The ELF version of Kraken ransomware performs multi-threaded encryption, supporting both “solid” and “setp” encryption. It also uses an encryption performance benchmark that an attacker can use during an attack to calculate encryption speed and decide whether to use full or partial encryption. The performance benchmark algorithm is similar to the Windows version of Kraken ransomware described in the previous section.
It recursively traverses directories and encrypts a file based on the encryption mode type specified by the attacker in a command line parameter, and appends the .zpsc file extension to encrypted files.
The ELF version of the Kraken ransomware uses control flow obfuscation with a complex loop structure to hinder analysis, and runs in daemon mode, forking into a background process via the fork_as_daemon() function and continuing the encryption in the background. It also ignores the SIGCHLD (child process termination) and SIGHUP (terminal hangup) signals.
The ransomware uses a multi-step self-deletion and cleanup process to erase traces of its execution, leaving minimal artifacts after the encryption operation is complete. Kraken creates a bash script “_bye_bye_.sh” in the same directory as the ransomware binary and populates it with commands to delete log files, shell history, the ransomware binary, and the script itself.
rm -f "/var/logs/*"
rm -f "/.ash_history"
rm -f "<ransomware binary path>"
rm -f "<path of the script _bye_bye_.sh itself>"
It executes the script with popen("sh \"<deletion_script_path>\"", "r"), which runs it in a separate shell process. Because the parent ransomware process may exit before the script finishes, the script can remove the binary even though the process that created it has already terminated.
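The command lines quoted in this article (shadow copy deletion, the Hyper-V PowerShell sequence, the ESXi esxcli kill, the encryptor arguments and the _bye_bye_.sh cleanup script) can be turned into simple process-creation detection rules. The following Python is an added example for defenders, not code from the article or from the Kraken binary; the log format (host=… user=… cmd=…) and all sample log lines are constructed for the example.

```python
import re

# Command-line patterns taken from the behaviours described in this article.
# Each tuple: (rule name, regex applied to the process command line).
KRAKEN_RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("powershell-policy-bypass", re.compile(r"Set-ExecutionPolicy\s+bypass", re.I)),
    ("hyperv-vm-discovery", re.compile(r"get-vm\s*\|\s*(format-list|Get-VMHardDiskDrive)", re.I)),
    ("hyperv-vm-forced-stop", re.compile(r"get-vm\s*\|\s*stop-vm\s+-force", re.I)),
    ("esxi-vm-kill", re.compile(r"esxcli\s+vm\s+process\s+kill\s+--type=force", re.I)),
    ("linux-cleanup-script", re.compile(r"sh\s+\"?.*_bye_bye_\.sh", re.I)),
    ("kraken-encryptor-args", re.compile(r"-key\s+\S+.*-path\s+\S+.*-timeout", re.I)),
]

def parse_line(line):
    """Parse one constructed 'host=... user=... cmd=...' process-creation record."""
    m = re.match(r"host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line.strip())
    if not m:
        return None
    return {"host": m.group(1), "user": m.group(2), "cmd": m.group(3)}

def detect(lines):
    """Return (host, rule name) pairs for every log line matching a Kraken TTP rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in KRAKEN_RULES:
            if rx.search(rec["cmd"]):
                hits.append((rec["host"], name))
    return hits

def rules_per_host(hits):
    """Group matched rule names by host so a responder sees which machines show several Kraken behaviours."""
    per_host = {}
    for host, rule in hits:
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items()}

# Constructed sample log lines (hosts, users and paths are fictitious).
SAMPLE_LOG = [
    'host=hv01 user=CORP\\admin cmd=powershell -c "Set-ExecutionPolicy bypass"',
    'host=hv01 user=CORP\\admin cmd=powershell -c "get-vm | stop-vm -force -turnoff"',
    'host=ws07 user=CORP\\admin cmd=vssadmin delete shadows /all /quiet',
    'host=ws07 user=CORP\\jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt',
    'host=ws07 user=CORP\\admin cmd=Encryptor.exe -key 0123456789abcdef0123456789abcdef -path \\\\fs01\\share -timeout -d',
    'host=esx01 user=root cmd=esxcli vm process kill --type=force --world-id=12345',
    'host=srv02 user=root cmd=sh "/tmp/_bye_bye_.sh"',
]

if __name__ == "__main__":
    for host, rules in rules_per_host(detect(SAMPLE_LOG)).items():
        print(host, rules)
```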
Kraken has become one of the most prominent examples of how rapidly the modern world of ransomware is evolving. This group operates without strict specialization, combines data theft and encryption, actively uses covert access channels, and targets not only Windows, but also Linux and ESXi. This approach allows attackers to cause large-scale damage to a wide variety of infrastructures.