Cisco Talos observed the Russian-speaking Kraken ransomware group (linked to HelloKitty) conducting big-game hunting and double-extortion attacks using SMB exploitation for initial access, Cloudflared for persistence, and SSHFS for data exfiltration before deploying cross-platform encryptors that append .zpsc and drop a "readme_you_ws_hacked.txt" ransom note. Kraken benchmarks victim machines to choose full or partial encryption, targets Windows, Linux, and ESXi (including SQL and VM files), and announced an underground forum "The Last Haven Board" tied to HelloKitty and WeaCorp. #Kraken #HelloKitty
Key points
- Kraken, a Russian-speaking ransomware group emerging from HelloKitty remnants, uses double extortion and operates a public data leak site; victims span multiple countries including the US, UK, Canada, Denmark, Panama, and Kuwait.
- Initial access observed by Talos involved exploiting internet-exposed SMB vulnerabilities, followed by credential theft and re-entry via RDP using privileged accounts.
- Attackers established persistence using Cloudflared reverse tunnels and used SSHFS to navigate and exfiltrate sensitive data before encryption.
- Kraken is cross-platform with distinct encryptors for Windows (32-bit), Linux/ESXi (64-bit), and VMware ESXi, appending the .zpsc extension and dropping "readme_you_ws_hacked.txt".
- The ransomware implements encryption benchmarking (performance tests) to decide full vs. partial encryption and supports targeted modules for SQL databases, network shares, local drives, Hyper-V/VMs.
- Extensive anti-analysis and anti-recovery measures are used: control-flow obfuscation, sandbox evasion (sleep delays), disabling WoW64 redirection, privilege elevation, stopping backup services, deleting restore points, and multi-stage self-deletion.
- Kraken provides many command-line options for attackers (e.g., -timeout, -solid, -limit, -noteonly, -tempfile, -tempsize) and includes operational flexibility for remote execution and selective encryption.
MITRE Techniques
- [T1210] Exploitation of Remote Services: Kraken exploited SMB vulnerabilities on internet-exposed servers for initial access ("the Kraken actor gained initial access to the victim's machine by exploiting an existing vulnerability in the SMB service on servers exposed to the internet").
- [T1078] Valid Accounts: The actor extracted valid administrator and privileged account credentials and re-entered via Remote Desktop using those credentials ("they extracted valid administrators' and other privileged accounts' credentials… re-entered the victim environment through a Remote Desktop connection using the exfiltrated privileged account credentials").
- [T1098] Account Manipulation (persistence via external service): Established persistent access by installing Cloudflared and configuring a reverse tunnel on the victim machine ("installed the Cloudflared tool and configuring a reverse tunnel on the victim's machine").
- [T1048] Exfiltration Over Alternative Protocol: Used SSHFS to navigate the environment and exfiltrate sensitive data ("installed the SSHFS tool on the victim machine, utilizing it to navigate the victim's environment and exfiltrate sensitive data").
- [T1486] Data Encrypted for Impact: Deployed Kraken encryptors across Windows, Linux, and ESXi to encrypt files and append .zpsc, with ransom notes ("Kraken encrypts the victim's environment, uses the .zpsc file extension for the encrypted files, and drops a ransom note titled 'readme_you_ws_hacked.txt'").
- [T1112] Modify Registry (to find SQL data paths): The SQL encryption module queries SQL Server registry keys to locate database file paths ("the module accesses the Microsoft SQL Server registry keys… retrieving the 'SQLDataRoot' registry value to determine the path to the database files").
- [T1490] Inhibit System Recovery: The ransomware stops backup services and deletes restore points ("stops the backup services, and executes the embedded command to remove all restore points… vssadmin delete shadows /all /quite").
- [T1140] Deobfuscate/Decode Files or Information (anti-analysis/obfuscation): Kraken employs control-flow obfuscation and other anti-analysis techniques to hinder detection and analysis ("employs extensive control flow obfuscation with multiple conditional loops throughout the code").
- [T1070] Indicator Removal on Host: Performs multi-stage self-deletion and cleanup to remove logs, history, and binaries ("creates a bash script '_bye_bye_.sh' … delete the log files, shell history, ransomware binary, and the script itself").
- [T1499] Endpoint Denial of Service (stopping VMs): For ESXi and Hyper-V, the ransomware force-stops VMs to unlock files for encryption ("forcefully stops all running virtual machines" / "esxcli vm process kill --type=force --world-id=").
Indicators of Compromise
- [File extension] Encrypted file marker: .zpsc (used by Kraken to mark encrypted files)
- [Ransom note filename] Ransom note: readme_you_ws_hacked.txt (dropped by Kraken to instruct victims)
- [Tool names] Tools used in intrusion: Cloudflared (persistence), SSHFS (exfiltration)
- [Commands / Artifacts] Anti-recovery and cleanup commands: "vssadmin delete shadows /all /quite", creation of "_bye_bye_.sh" script
- [Snort SIDs / detections] Detection signatures: Snort SIDs 65480, 65479; ClamAV detections Win.Ransomware.Kraken-10056931-0, Unix.Ransomware.Kraken-10057031-0
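As an added example (not code from the Talos report or from the Kraken samples), the detector below scans endpoint log lines for the artifacts and behaviours listed above and tags each hit with the MITRE technique used on this page. The `key="value"` log format and every sample line are constructed for illustration and are not real telemetry; the `vssadmin` pattern is written to match both the correctly spelled command and the "/quite" variant quoted from the report.

```python
import re

# Indicators and behaviours taken from the Kraken summary above.
# Each rule: (name, MITRE technique, log field to inspect, case-insensitive regex).
RULES = [
    ("shadow_copy_deletion", "T1490", "cmdline", r"vssadmin.*delete\s+shadows"),
    ("cloudflared_tunnel",   "T1098", "cmdline", r"cloudflared.*\btunnel\b"),
    ("sshfs_mount",          "T1048", "cmdline", r"\bsshfs\b"),
    ("esxi_vm_kill",         "T1499", "cmdline", r"esxcli\s+vm\s+process\s+kill"),
    ("kraken_encrypted_file", "T1486", "path",   r"\.zpsc$"),
    ("kraken_ransom_note",   "T1486", "path",    r"readme_you_ws_hacked\.txt$"),
    ("cleanup_script",       "T1070", "path",    r"_bye_bye_\.sh$"),
]

# Constructed log format: free-text prefix followed by key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Parse one constructed log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))

def scan(lines):
    """Return (rule name, technique, matched value) for every rule that fires."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for name, technique, field, pattern in RULES:
            value = fields.get(field, "")
            if value and re.search(pattern, value, re.IGNORECASE):
                hits.append((name, technique, value))
    return hits

# Constructed sample events (not real telemetry); the last line is benign noise.
SAMPLE_LOG = [
    r'event="ProcessCreate" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /all /quite"',
    r'event="ProcessCreate" image="C:\ProgramData\cloudflared.exe" cmdline="cloudflared.exe tunnel run"',
    r'event="ProcessCreate" image="/usr/bin/sshfs" cmdline="sshfs backup@203.0.113.5:/share /mnt/share"',
    r'event="FileCreate" path="D:\Finance\Q3-ledger.xlsx.zpsc"',
    r'event="FileCreate" path="D:\Finance\readme_you_ws_hacked.txt"',
    r'event="ProcessCreate" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe readme.txt"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```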
Read more: https://blog.talosintelligence.com/kraken-ransomware-group/