Skip to content
Ransomware group

Kraken

Kraken is a ransomware operation and ransomware-as-a-service (RaaS) threat that emerged in 2025 and is linked to remnants of the HelloKitty ransomware cartel; Cisco Talos described it as a Russian-speaking group and a descendant/continuation of HelloKitty.

Profile source: Mallory opens in a new tab

Kraken

Family profile

Kraken is a ransomware operation and ransomware-as-a-service (RaaS) threat that emerged in 2025 and is linked to remnants of the HelloKitty ransomware cartel; Cisco Talos described it as a Russian-speaking group and a descendant/continuation of HelloKitty. It conducts big-game hunting and double-extortion attacks, stealing data before encryption and using leak-site pressure. Kraken targets Windows, Linux, and VMware ESXi environments with distinct platform-specific encryptors. Talos reported that the malware benchmarks each victim machine before encryption to determine whether to use full or partial encryption without overloading the system. Observed intrusion activity includes exploitation of SMB vulnerabilities for initial access, theft of administrative credentials, re-entry via RDP, and use of Cloudflared reverse tunnels and SSHFS for lateral movement and data exfiltration. Before encryption, Kraken deletes shadow volumes, clears the Recycle Bin, and stops backup services. The Windows variant includes modules to encrypt Microsoft SQL Server data files, local drives, reachable network shares, and Hyper-V virtual disk files. The Linux/ESXi variant enumerates and forcibly terminates virtual machines to unlock disk files for encryption. After execution, a cleanup script named bye_bye.sh removes logs, shell history, the ransomware binary, and the script itself. Reported file artifacts include the .zpsc extension on encrypted files and a ransom note named readme_you_ws_hacked.txt. Cisco Talos observed at least one case with a $1 million ransom demand in Bitcoin. Kraken has also been associated with a cybercrime forum called “The Last Haven Board.” Victims listed on its leak sites were reported in the United States, United Kingdom, Canada, Panama, Kuwait, and Denmark.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

Kraken in ATT&CK

2 distinct techniques

Reporting

Research mentioning Kraken

Dec 31
Cyberthrone

CyberSecurity 2025: TheCyberThrone YearEnd Consolidated Intelligence

Subscribers favorite #1 Kraken and Zorab: New Menaces in the 2025 Ransomware Landscape Kraken ransomware has surfaced as a formidable player in ransomware-as-a-service (RaaS), linked to…

Dec 9
Dragos

Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

“Lower-volume Groups… including Kraken… recorded 2–4 incidents…”

Dec 1
Cyberthrone

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November 2025

Kraken ransomware has surfaced as a formidable player in ransomware-as-a-service (RaaS), linked to the remnants of the notorious HelloKitty ransomware cartel. What sets Kraken apart is its multi-platform targeting strategy—impacting not only Windows environments but also Linux systems and VMware ESXi hypervisors. The group employs distinct encryptors customized for each platform, which highlights their operational maturity.

Nov 20
Talos Intelligence

It’s not personal, it’s just business

In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group...

Nov 14
Risky Biz Rss

Risky Bulletin: Europol takes down Elysium, VenomRAT, and Rhadamanthys infrastructure

Kraken ransomware: Cisco Talos looks at Kraken, a ransomware group that emerged in February out of the ashes of the old HelloKitty gang.

Nov 14
Cyberthrone

Kraken and Zorab: New Menaces in the 2025 Ransomware Landscape

"Kraken ransomware has surfaced as a formidable player in ransomware-as-a-service (RaaS), linked to the remnants of the notorious HelloKitty ransomware cartel... impacting not only Windows environments but also Linux systems and VMware ESXi hypervisors."

Nov 14
Scworld

Benchmarking optimizes Kraken ransomware encryption

"HelloKitty ransomware descendant Kraken ransomware gang has been evaluating targeted Windows, Linux, and VMware ESXi machines to ensure optimized data encryption..."

Nov 13
Talos Intelligence

Viasat and the terrible, horrible, no good, very bad day

Cisco Talos published a new blog today on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.