Kraken Ransomware Adopts Sophisticated Benchmarking to Optimize Encryption Speeds

In the ever-evolving landscape of cyber threats, the Kraken ransomware has distinguished itself with a particularly insidious innovation: the ability to benchmark infected systems to determine the optimal encryption strategy. According to researchers at Cisco Talos, this rare capability allows the ransomware to balance speed and system load, potentially maximizing the damage while evading detection through intensive resource usage.

The Evolution of a Threat Actor

First emerging at the beginning of 2025, Kraken represents a continuation of the HelloKitty ransomware operation, which gained prominence in 2021 before its source code was leaked. The rebranding appears to be a strategic move by the threat actors to continue their operations under a new identity.

Evidence of this connection can be found in various mentions on Kraken's data leak sites and similarities in ransom notes. The group has also established a new cybercrime forum named "The Last Haven Board" to facilitate supposedly secure communications and exchanges among cybercriminals.

The Kraken ransomware has engaged in what security researchers term "big-game hunting" attacks—targeting larger organizations with the dual threat of data encryption and data theft for double extortion. Their victim list includes organizations across multiple countries, including the United States, the UK, Canada, Panama, Kuwait, and Denmark.

A Multi-Stage Attack Chain

Kraken's attack methodology follows a sophisticated pattern that begins with exploiting SMB vulnerabilities on internet-facing assets to establish an initial foothold in the target network.

Once inside, the attackers extract administrative account credentials and use them to re-enter the environment via Remote Desktop Protocol (RDP). They then deploy two specialized tools: Cloudflared and SSHFS.

Cloudflared creates a reverse tunnel from the victim host back to the attacker's infrastructure, providing persistent access. SSHFS, meanwhile, allows for the exfiltration of data through mounted remote filesystems.

Using these persistent Cloudflared tunnels and RDP access, Kraken operators navigate compromised networks, moving laterally to all reachable machines. During this reconnaissance phase, they steal valuable data and prepare the environment for the eventual deployment of ransomware binaries.

The Benchmarking Innovation

What sets Kraken apart from other ransomware variants is its performance benchmarking capability. When the encryption command is issued, the ransomware conducts a systematic evaluation of each machine's capabilities.

The process involves:
1. Creating a temporary file filled with random data
2. Encrypting this file in a timed operation
3. Calculating the results
4. Deleting the temporary file

Based on the results of this benchmark, Kraken decides whether to perform full or partial encryption on the system. This calculated approach suggests the operators are optimizing for both speed and stealth—seeking to encrypt as much data as possible without triggering alerts that might arise from excessive system resource usage.

Before initiating encryption, Kraken takes several preparatory steps:
- Deletes shadow volumes and the Recycle Bin
- Stops backup services running on the system
- Ensures no recovery options remain for the victim

Targeted Encryption Modules

The Windows version of Kraken features four specialized encryption modules designed to target specific system components:

1. SQL Database Module: Identifies Microsoft SQL Server instances through registry keys, locates their database file directories, verifies the paths, and encrypts the SQL data files.

2. Network Share Module: Enumerates accessible network shares via WNet APIs, ignores ADMIN$ and IPC$ shares (typically used for administration), and encrypts files on all other reachable shares.

3. Local Drive Module: Scans available drive letters, targets removable, fixed, and remote drives, and encrypts their contents using separate worker threads for parallel processing.

4. Hyper-V Module: Uses embedded PowerShell commands to list virtual machines, obtain their virtual disk paths, forcibly stop running VMs, and encrypt the associated VM disk files.

The Linux/ESXi version follows a similar approach, enumerating and forcibly terminating running virtual machines to unlock their disk files before performing multi-threaded full or partial encryption using the same benchmarking logic as the Windows version.

The Aftermath and Cleanup

After completing the encryption process, Kraken executes an auto-generated 'bye_bye.sh' script designed to cover the attackers' tracks. This script removes all logs, shell history, the Kraken binary itself, and finally the script.

Encrypted files are appended with the '.zpsc' file extension, and a ransom note named 'readme_you_ws_hacked.txt' is dropped in impacted directories. In observed cases, ransom demands have reached as high as $1 million, payable in Bitcoin.

Implications for Security Professionals

The sophistication of Kraken's benchmarking capability represents a concerning evolution in ransomware tactics. By optimizing encryption speed based on system capabilities, attackers can maximize their impact while minimizing the likelihood of detection through system slowdowns or crashes.

This development underscores the importance of:
- Regular system patching to prevent initial access via SMB vulnerabilities
- Implementing robust endpoint protection capable of detecting suspicious behavior patterns
- Maintaining offline backups that are isolated from network connections
- Monitoring for unusual network activity, especially reverse tunneling attempts
- Having an incident response plan specifically for ransomware attacks

As ransomware operators continue to refine their techniques, security professionals must remain vigilant and adapt their defense strategies accordingly. The Kraken ransomware's benchmarking capability is a stark reminder that the threat landscape is constantly evolving, requiring equally sophisticated defensive measures.

Cisco Talos has made the complete indicators of compromise (IoCs) associated with Kraken ransomware attacks available in a GitHub repository, enabling organizations to detect and respond to potential infections.