Unleashing the Kraken ransomware group
Essential information
- Published
- 13/11/2025 18:04
- Modified
- 13/11/2025 20:16
- Tags
- 2025-11-13 cross-platform data leak double-extortion encryption kraken ransomware russian-speaking underground forum
- Related entities
- 11 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware, 6 others
Description
The Kraken ransomware group, emerging from the remnants of the HelloKitty cartel, has been observed conducting big-game hunting and double extortion attacks. Utilizing SMB vulnerabilities for initial access, they employ tools like Cloudflared for persistence and SSHFS for data exfiltration. Kraken's cross-platform ransomware targets Windows, Linux, and VMware ESXi environments, featuring a unique benchmarking capability. The group operates a data leak site and has announced a new underground forum called 'The Last Haven Board'. Kraken's sophisticated ransomware includes extensive command-line options, encryption performance testing, and anti-analysis techniques. It targets various file types, including SQL databases and network shares, while employing multi-threaded encryption and self-deletion processes to evade detection.