Kraken
Kraken is a ransomware operation and ransomware-as-a-service (RaaS) threat that emerged in 2025 and is linked to remnants of the HelloKitty ransomware cartel; Cisco Talos described it as a Russian-speaking group and a descendant/continuation of HelloKitty.
Profile source: Mallory opens in a new tabKraken
Family profile
Kraken is a ransomware operation and ransomware-as-a-service (RaaS) threat that emerged in 2025 and is linked to remnants of the HelloKitty ransomware cartel; Cisco Talos described it as a Russian-speaking group and a descendant/continuation of HelloKitty. It conducts big-game hunting and double-extortion attacks, stealing data before encryption and using leak-site pressure. Kraken targets Windows, Linux, and VMware ESXi environments with distinct platform-specific encryptors. Talos reported that the malware benchmarks each victim machine before encryption to determine whether to use full or partial encryption without overloading the system. Observed intrusion activity includes exploitation of SMB vulnerabilities for initial access, theft of administrative credentials, re-entry via RDP, and use of Cloudflared reverse tunnels and SSHFS for lateral movement and data exfiltration. Before encryption, Kraken deletes shadow volumes, clears the Recycle Bin, and stops backup services. The Windows variant includes modules to encrypt Microsoft SQL Server data files, local drives, reachable network shares, and Hyper-V virtual disk files. The Linux/ESXi variant enumerates and forcibly terminates virtual machines to unlock disk files for encryption. After execution, a cleanup script named bye_bye.sh removes logs, shell history, the ransomware binary, and the script itself. Reported file artifacts include the .zpsc extension on encrypted files and a ransom note named readme_you_ws_hacked.txt. Cisco Talos observed at least one case with a $1 million ransom demand in Bitcoin. Kraken has also been associated with a cybercrime forum called “The Last Haven Board.” Victims listed on its leak sites were reported in the United States, United Kingdom, Canada, Panama, Kuwait, and Denmark.
Ransomware.live
Operational record
MITRE ATT&CK
Kraken in ATT&CK
2 distinct techniquesReporting
Research mentioning Kraken
CyberSecurity 2025: TheCyberThrone YearEnd Consolidated Intelligence
Subscribers favorite #1 Kraken and Zorab: New Menaces in the 2025 Ransomware Landscape Kraken ransomware has surfaced as a formidable player in ransomware-as-a-service (RaaS), linked to…
Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos
“Lower-volume Groups… including Kraken… recorded 2–4 incidents…”
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November 2025
Kraken ransomware has surfaced as a formidable player in ransomware-as-a-service (RaaS), linked to the remnants of the notorious HelloKitty ransomware cartel. What sets Kraken apart is its multi-platform targeting strategy—impacting not only Windows environments but also Linux systems and VMware ESXi hypervisors. The group employs distinct encryptors customized for each platform, which highlights their operational maturity.
It’s not personal, it’s just business
In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group...
Risky Bulletin: Europol takes down Elysium, VenomRAT, and Rhadamanthys infrastructure
Kraken ransomware: Cisco Talos looks at Kraken, a ransomware group that emerged in February out of the ashes of the old HelloKitty gang.
Kraken and Zorab: New Menaces in the 2025 Ransomware Landscape
"Kraken ransomware has surfaced as a formidable player in ransomware-as-a-service (RaaS), linked to the remnants of the notorious HelloKitty ransomware cartel... impacting not only Windows environments but also Linux systems and VMware ESXi hypervisors."
Benchmarking optimizes Kraken ransomware encryption
"HelloKitty ransomware descendant Kraken ransomware gang has been evaluating targeted Windows, Linux, and VMware ESXi machines to ensure optimized data encryption..."
Viasat and the terrible, horrible, no good, very bad day
Cisco Talos published a new blog today on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community.