Kraken Ransomware Now Benchmarking Victims
In the rapidly evolving world of cybercrime, the Kraken ransomware group stands out for its sophisticated tactics. It benchmarks victim systems before encrypting data. This rare approach allows Kraken to adapt encryption dynamically, maximizing damage while lowering detection risk. Emerging in 2025, Kraken appears to have roots in the former HelloKitty ransomware gang and is already drawing attention in cyber threat intelligence circles.

According to Cisco Talos researchers, Kraken is not a brand-new organization but a rebranding of HelloKitty. Several indicators support this link: the name of Kraken's data leak portal echoes HelloKitty, and the actors use the same ransom-note filename. Talos notes that Kraken first emerged in February 2025, likely founded by former HelloKitty members.
Talos researchers describe Kraken's attack chain as methodical and sophisticated. The intrusion typically begins with the exploitation of exposed Server Message Block (SMB) vulnerabilities on internet-facing servers, providing attackers with an initial foothold. Once inside, they work to maintain persistence and start exfiltrating data by harvesting administrative credentials.
Attackers re-enter the network through Remote Desktop Protocol and use tools such as Cloudflared to establish a covert reverse tunnel. Using SSHFS, they mount remote file systems for stealthy data transfer. Kraken prepares its encryption routine only after exfiltration. Even then, it proceeds cautiously by first testing system performance before launching full-scale encryption.
One of Kraken's most notable innovations is what Talos refers to as 'performance benchmarking'. This feature is rare in other ransomware families. Rather than rushing into encryption, Kraken creates a temporary test file filled with random data, encrypts it, measures the time it takes, and then deletes the file. Based on the results, Kraken decides whether to use full encryption or a partial, chunk-based approach.
This strategy offers several significant advantages:
- It avoids system overload, which could trigger alarms or noticeably degrade performance.
- It helps optimize encryption speed, causing maximum disruption in the shortest time possible.
- It allows attackers to calibrate their approach to each victim's hardware, making the attack more efficient and less likely to be detected prematurely.
Kraken's encryptor is not limited to Windows; it targets Windows, Linux, and VMware ESXi environments. Its Windows version includes four distinct encryption modules:
- SQL Databases: It identifies Microsoft SQL Server instances and encrypts database files.
- Network Shares: It locates and encrypts shares accessible across the network, excluding system-critical shares like ADMIN$ and IPC$.
- Local Drives: All fixed, removable, and remote drives are enumerated and targeted.
- Virtual Machines: For Hyper-V environments, Kraken uses embedded PowerShell to stop VMs and encrypt their virtual disk files.
On Linux and ESXi systems, Kraken also benchmarks performance to determine whether to use full or partial multithreaded encryption. For ESXi hosts, it can terminate running virtual machines to access their disks. After encryption, Kraken runs a self-cleaning routine. It drops a script that deletes logs, clears shell history, removes the ransomware binary, and wipes itself.
Kraken's Strategic and Organizational Growth
In addition to advanced technical capabilities, Kraken is growing as an organization. The group has launched an underground forum called 'The Last Haven Board,' which it describes as a secure communications platform for cybercriminals.
Cisco Talos researchers suggest this is a signal of Kraken's ambitions beyond simple ransomware operations. They are building a structured ecosystem to support their community and activities.
To understand Kraken, one must revisit the HelloKitty saga, a prominent ransomware operation that has been active since November 2020. HelloKitty made headlines for its high-profile attack on CD Projekt Red, stealing source code for games such as The Witcher 3 and Cyberpunk 2077.
HelloKitty's operations became turbulent after a major incident. In October 2023, the full source code of its original version was leaked on a Russian-speaking hacking forum. A threat actor going by the aliases kapuchin0 and Gookee posted the leak. It included a Visual Studio solution, a decryptor, and the NTRUEncrypt library, which HelloKitty used for its cryptographic routines.
By April 2024, HelloKitty rebranded as HelloGookie, apparently influenced by the person behind the earlier leak. To mark this shift, the actor released four private decryption keys for older HelloKitty versions. They also published data stolen from CD Projekt Red and Cisco. This rebranding raised questions about the actor's independence and whether the operation had truly changed or simply adopted a fresh name.
Kraken's benchmarking feature is more than just a technical novelty; it represents a mature form of ransomware strategy. By measuring how efficiently a system can handle encryption, the attackers can tailor their approach.
This has two major implications:
- Operational Efficiency: Kraken ensures it does not overtax a system. If a machine is slower, it may use partial encryption to avoid noticeable slowdowns that could alert defenders.
- Stealth: Benchmark-based encryption reduces the likelihood of detection by performance monitoring tools, as resource utilization is carefully calibrated.
These features, combined with cross-platform support and multi-module encryptors, make Kraken a highly flexible and dangerous adversary.
Kraken is a clear example of how ransomware groups are evolving. Instead of relying on brute-force encryption, they are becoming more surgical and adaptive. By using system benchmarks, they maximize impact. These methods make ransomware attacks harder to detect and more effective at disabling victims.
The group's connection to HelloKitty is also significant. It suggests that well-known ransomware brands do not just fade away. They can re-emerge in new forms, with better tools and renewed ambitions. Kraken's creation of a cybercriminal forum highlights its intent to build an organized and sustainable operation.
For security teams and incident responders, Kraken's rise is a call to action. Monitoring for unusual file creation and tracking performance anomalies may help catch ransomware before it fully deploys. Defending SMB services, securing backup systems, and enforcing good credential hygiene remain essential.
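The benchmarking behaviour described above (a temporary file filled with random data, encrypted, timed and then deleted) leaves a short-lived file-activity pattern that the monitoring advice in this paragraph can key on. The following detector is an added example, not code from the article or from Talos; the telemetry format and the sample events are constructed for illustration, and the thresholds are assumptions a team would tune to its own environment.

```python
from datetime import datetime, timedelta

# Constructed file-activity telemetry (not real EDR output).
# Fields: timestamp, pid, operation, path, bytes
SAMPLE_EVENTS = r"""
2025-02-10T09:00:01,4120,create,C:\Users\Public\tmp\probe.tmp,0
2025-02-10T09:00:01,4120,write,C:\Users\Public\tmp\probe.tmp,67108864
2025-02-10T09:00:02,4120,read,C:\Users\Public\tmp\probe.tmp,67108864
2025-02-10T09:00:03,4120,write,C:\Users\Public\tmp\probe.tmp,67108864
2025-02-10T09:00:03,4120,delete,C:\Users\Public\tmp\probe.tmp,0
2025-02-10T09:00:05,2210,create,C:\Users\alice\report.docx,0
2025-02-10T09:00:06,2210,write,C:\Users\alice\report.docx,24576
2025-02-10T09:15:00,2210,delete,C:\Users\alice\report.docx,0
"""

MAX_LIFETIME = timedelta(seconds=10)  # assumed: probe files live only seconds
MIN_BYTES = 1 << 20                   # assumed: probe is at least 1 MiB


def parse_events(text):
    """Parse the constructed CSV telemetry into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, op, path, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), int(pid), op, path, int(nbytes)))
    return events


def find_benchmark_probes(events):
    """Return (pid, path, lifetime_seconds) for files that one process created,
    wrote, read back, rewrote and deleted within MAX_LIFETIME: the shape of a
    create-encrypt-time-delete benchmark rather than normal document editing."""
    tracks = {}  # (pid, path) -> [created_at, ops seen, bytes written]
    hits = []
    for ts, pid, op, path, nbytes in events:
        key = (pid, path)
        if op == "create":
            tracks[key] = [ts, [], 0]
            continue
        if key not in tracks:
            continue
        tracks[key][1].append(op)
        if op == "write":
            tracks[key][2] += nbytes
        if op == "delete":
            created, ops, written = tracks.pop(key)
            lifetime = ts - created
            if (lifetime <= MAX_LIFETIME and written >= MIN_BYTES
                    and ops.count("write") >= 2 and "read" in ops):
                hits.append((pid, path, lifetime.total_seconds()))
    return hits
```

A hit is a trigger for closer inspection of the process (its parent, network tunnels, share access), not a verdict on its own, since benchmarking tools and installers can produce similar bursts.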
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.