Kraken Ransomware Expands Attacks to Windows, Linux, and VMware ESXi Systems

Cisco Talos researchers have uncovered a new wave of big-game-hunting and double-extortion attacks by the Russian-speaking Kraken ransomware group, which first surfaced in early 2025.

The group is believed to have evolved from the HelloKitty ransomware cartel, reusing similar infrastructure, ransom note formats, and targeting methods.

Cross-Platform Threat with Sophisticated Encryption

Kraken has emerged as a cross-platform ransomware family with distinct encryptors for Windows, Linux, and VMware ESXi systems, enabling it to target a wide range of enterprise environments.

In attacks during August 2025, Talos observed Kraken exploiting Server Message Block (SMB) vulnerabilities for initial access to Internet-exposed servers.

Once inside, the threat actors harvested administrator credentials, re-entered environments via Remote Desktop Protocol (RDP), and used tools like Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration.

Kraken employs RSA-4096 and ChaCha20 encryption algorithms, offering command-line flexibility for partial or full encryption of drives, SQL databases, network shares, and even Hyper-V virtual machines.

One notable feature is its encryption benchmarking capability, in which the ransomware runs performance tests on the victim machine before encrypting files. This allows operators to optimize speed while avoiding system instability that might draw defensive detection.

Kraken infection chain.

The ransomware appends the .zpsc extension to encrypted files and drops a ransom note named readme_you_ws_hacked.txt, demanding payment, sometimes up to one million USD in Bitcoin, to a designated wallet address.

Its Windows encryptor is a 32-bit executable, possibly packed with a Golang-based obfuscation layer, and includes functions to disable WoW64 filesystem redirection to reach protected directories on 64-bit systems.

It also employs anti-sandbox techniques such as execution delays, error mode suppression, and the deletion of restore points and backups.

The Linux and ESXi variants are 64-bit ELF binaries built with crosstool-NG and support platform detection via commands such as esxcli and uname. When executed on ESXi servers, Kraken lists and forcefully terminates running virtual machines before encrypting associated files.

After encryption, it removes logs, history, and even its own binary via an automated bash script to erase forensic traces.

Talos found evidence that Kraken maintains ties with HelloKitty operators, as the two groups share ransom note structures and even a mention of HelloKitty in Kraken’s data leak portal.

In September 2025, Kraken launched an underground forum called “The Last Haven Board,” intended for anonymous communication among cybercriminals and supported by HelloKitty members and exploit trader group WeaCorp.

Cisco’s detection coverage lists Snort SIDs 65479 and 65480, with ClamAV signatures Win.Ransomware.Kraken-10056931-0 and Unix.Ransomware.Kraken-10057031-0, helping defenders identify and block this fast-evolving threat.
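The article names three host-level artefacts a responder can check for without vendor signatures: the .zpsc extension, the readme_you_ws_hacked.txt ransom note, and, on ESXi, the list-then-force-kill of virtual machines through esxcli before encryption. The following triage helper is an added example written for this page, not Talos tooling or anything recovered from the malware; the file listing and shell-history lines are constructed, and the esxcli regexes are our own assumption about what that behaviour looks like in a shell log rather than a published signature.

```python
"""Triage helper for the Kraken indicators described in the article.

Scans (1) a list of file paths for the .zpsc extension and the ransom
note name, and (2) ESXi shell-history lines for the pattern of listing
VMs and then force-killing them via esxcli.  Added example; every input
below is constructed and the regexes are assumptions, not Talos rules.
"""
import re
from collections import Counter

RANSOM_EXT = ".zpsc"                      # extension named in the article
RANSOM_NOTE = "readme_you_ws_hacked.txt"  # note filename named in the article

# Assumed shape of the esxcli commands an ESXi encryptor would leave in
# shell history. `esxcli vm process list` / `... kill --type=force` are
# real esxcli verbs; matching them this way is this example's choice.
ESXI_LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b", re.I)
ESXI_KILL_RE = re.compile(
    r"\besxcli\s+vm\s+process\s+kill\b.*(?:--type[= ]|-t\s*)force", re.I)


def _norm(path):
    """Normalise Windows and POSIX separators so one splitter serves both."""
    return path.replace("\\", "/")


def scan_paths(paths):
    """Return (encrypted_count, note_paths, per_directory_counts)."""
    encrypted, notes = [], []
    for raw in paths:
        p = _norm(raw)
        name = p.rsplit("/", 1)[-1].lower()
        if name.endswith(RANSOM_EXT):
            encrypted.append(p)
        elif name == RANSOM_NOTE:
            notes.append(p)
    per_dir = Counter(p.rsplit("/", 1)[0] for p in encrypted)
    return len(encrypted), notes, per_dir


def scan_shell_history(lines):
    """Return [(line_no, reason)] for force-kills; note whether a VM
    listing preceded them, since list-then-kill is the described chain."""
    hits, seen_list = [], False
    for n, line in enumerate(lines, 1):
        if ESXI_LIST_RE.search(line):
            seen_list = True
        elif ESXI_KILL_RE.search(line):
            hits.append((n, "force-kill after vm list" if seen_list
                            else "force-kill"))
    return hits


def triage(paths, history):
    """Combine both scans into one dict a responder can act on."""
    enc_count, notes, per_dir = scan_paths(paths)
    kills = scan_shell_history(history)
    return {
        "encrypted_files": enc_count,
        "ransom_notes": notes,
        "affected_dirs": dict(per_dir),
        "vm_kills": kills,
        "verdict": ("ransomware indicators present"
                    if (enc_count or notes or kills) else "clean"),
    }


# Constructed sample data (not real telemetry from any incident).
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.zpsc",
    "/vmfs/volumes/datastore1/web01/web01.vmx.zpsc",
    "/vmfs/volumes/datastore1/readme_you_ws_hacked.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "C:\\Shares\\finance\\q3.xlsx.zpsc",
    "C:\\Shares\\finance\\readme_you_ws_hacked.txt",
]
SAMPLE_HISTORY = [
    "uname -a",
    "esxcli vm process list",
    "esxcli vm process kill --type=force --world-id=2101234",
    "esxcli vm process kill --type=force --world-id=2101299",
    "ls /vmfs/volumes",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_PATHS, SAMPLE_HISTORY).items():
        print(f"{k}: {v}")
```

Run on a host's file listing and, for ESXi, its shell history, the helper gives a per-directory count of encrypted files (useful for scoping which datastores or shares were touched) and a line-level record of VM kills. It deliberately reports the kill sequence separately from the file indicators, because a force-kill that precedes any .zpsc files is the point at which snapshots and backups are still worth isolating.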

The post Kraken Ransomware Expands Attacks to Windows, Linux, and VMware ESXi Systems appeared first on Cyber Security News.
