The Kraken ransomware campaign executed a sophisticated attack by first benchmarking system performance to optimize encryption speed and damage. Before encryption, it deleted shadow copies, cleared the Recycle Bin, and disabled backup services across Windows, Linux, and ESXi systems to prevent recovery. The malware targeted critical enterprise assets, including SQL databases, network shares, local drives, and Hyper-V/ESXi virtual machines, halting active VMs to unlock disks for encryption. Post-encryption, it wiped logs, shell history, and the binary itself, leaving files with a **.zpsc** extension and a ransom note (**readme_you_ws_hacked.txt**) demanding **$1 million in Bitcoin**. Attackers gained initial access via exposed **vulnerable SMB services**, harvested admin credentials, and re-entered using **Remote Desktop**. Persistence was maintained through **Cloudflare tunnels**, while **SSHFS** enabled lateral movement and data exfiltration. The attack disrupted operations by encrypting core systems, crippling virtualized environments, and potentially exposing sensitive data. The group, linked to the defunct **HelloKitty ransomware**, also launched an underground forum (**The Last Haven Board**) to coordinate cybercriminal activities. The incident highlights severe operational and financial risks, with potential long-term reputational damage and regulatory scrutiny due to compromised credentials, disabled backups, and encrypted critical infrastructure.
SITE Intelligence Group cybersecurity rating report: https://www.rankiteo.com/company/site-intelligence-group
```json
{
  "id": "SIT4562145111925",
  "linkid": "site-intelligence-group",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```
```python
{
    'affected_entities': [
        {'type': ['enterprise organizations',
                  'businesses with exposed SMB services']}
    ],
    'attack_vector': [
        'exploiting vulnerable SMB services',
        'harvesting administrator credentials',
        'Remote Desktop (RDP) re-entry',
        'Cloudflare tunnels for persistence',
        'SSHFS for lateral movement',
    ],
    'data_breach': {
        'data_encryption': True,
        'data_exfiltration': True,
        'type_of_data_compromised': [
            'enterprise data',
            'SQL databases',
            'virtual machine disks',
            'network shares',
            'local files',
        ],
    },
    'description': (
        'The Kraken ransomware campaign introduces a benchmark step that '
        'measures system performance to determine the scale of encryption. '
        'It deletes shadow copies, Recycle Bin, and backups before encrypting '
        'files across Windows, Linux, and ESXi systems. The malware uses '
        'stolen credentials and exploits vulnerable SMB services for initial '
        'access, maintaining persistence via Cloudflare tunnels and SSHFS. '
        'Ransom demands have reached $1 million in Bitcoin, with operational '
        'ties to the former HelloKitty ransomware group.'
    ),
    'impact': {
        'brand_reputation_impact': True,
        'data_compromised': True,
        'downtime': True,
        'operational_impact': [
            'file encryption (.zpsc extension)',
            'deletion of shadow copies/backups',
            'termination of virtual machines',
            'log clearing',
            'evidence elimination',
        ],
        'systems_affected': [
            'Windows systems',
            'Linux systems',
            'ESXi systems',
            'SQL databases',
            'network shares',
            'local drives',
            'Hyper-V virtual machines',
        ],
    },
    'initial_access_broker': {
        'backdoors_established': ['Cloudflare tunnels',
                                  'SSHFS for lateral movement'],
        'entry_point': ['vulnerable SMB services',
                        'stolen administrator credentials'],
        'high_value_targets': ['SQL databases',
                               'virtual machines (Hyper-V, ESXi)',
                               'network shares'],
    },
    'investigation_status': 'Ongoing (public IoCs documented by Cisco Talos)',
    'lessons_learned': [
        'Limit exposure of internet-facing services (e.g., SMB).',
        'Enforce strong authentication and access controls.',
        'Maintain updated backups and test restoration processes.',
        'Monitor for unusual activity (e.g., benchmarking tests, '
        'credential harvesting).',
        'Segment networks to limit lateral movement.',
        'Patch vulnerabilities promptly to prevent exploitation.',
    ],
    'motivation': ['financial gain', 'disruption', 'data theft'],
    'post_incident_analysis': {
        'corrective_actions': [
            'Isolate and patch exposed services.',
            'Implement credential hygiene and MFA.',
            'Deploy behavioral-based detection for ransomware activities.',
            'Enhance logging and monitoring for unusual processes '
            '(e.g., test file encryption).',
            'Secure backups with immutability and air-gapping.',
        ],
        'root_causes': [
            'Exposed SMB services with weak credentials.',
            'Lack of network segmentation allowing lateral movement.',
            'Insufficient monitoring for benchmarking or pre-encryption '
            'activities.',
            'Inadequate backup protection (shadow copies/Recycle Bin deleted).',
        ],
    },
    'ransomware': {
        'data_encryption': True,
        'data_exfiltration': True,
        'ransom_demanded': '$1 million (in Bitcoin)',
        'ransomware_strain': 'Kraken',
    },
    'recommendations': [
        'Deploy strong ransomware protection (e.g., behavioral detection, '
        'endpoint security).',
        'Ensure backups are immutable and offline.',
        'Implement network segmentation to isolate critical systems.',
        'Use multi-factor authentication (MFA) for remote access.',
        'Regularly audit and rotate credentials.',
        'Monitor for indicators of compromise (IoCs) associated with Kraken.',
        'Restrict internet-facing services like RDP and SMB.',
        'Update antivirus/anti-malware solutions and conduct regular scans.',
    ],
    'references': [
        {'source': 'Cisco Talos Research'},
        {'source': 'TechRadar Pro', 'url': 'https://www.techradar.com'},
    ],
    'response': {
        'remediation_measures': [
            'log clearing',
            'binary deletion',
            'evidence elimination (by attackers)',
            'ransom note deployment',
        ],
        'third_party_assistance': ['Cisco Talos (research/analysis)'],
    },
    'threat_actor': 'Kraken ransomware group (linked to former HelloKitty group)',
    'title': 'Kraken Ransomware Campaign with Benchmark-Driven Encryption',
    'type': [
        'ransomware',
        'data encryption',
        'credential harvesting',
        'data exfiltration',
    ],
    'vulnerability_exploited': ['exposed SMB services',
                                'weak or stolen credentials'],
}
```