In August 2025, a new ransomware threat emerged with capabilities that fundamentally changed how organizations should approach enterprise security.<\/p>\n
Kraken, a Russian-speaking cybercriminal group, began executing sophisticated attacks targeting large organizations across multiple continents.<\/p>\n
What makes Kraken particularly dangerous is its ability to attack Windows, Linux, and VMware ESXi systems with platform-specific tools, making it one of the first truly cross-platform ransomware threats to gain widespread notoriety in enterprise circles.<\/p>\n
The Kraken group appears to be connected to the HelloKitty<\/a> ransomware operation, with security researchers suspecting the group emerged from the remnants of that previous criminal organization.<\/p>\n This connection becomes evident through shared ransom note filenames and explicit references on the group\u2019s leak site.<\/p>\n In September 2025, Kraken announced a new underground forum called \u201cThe Last Haven Board,\u201d designed to create a secure communication hub for the cybercriminal community.<\/p>\n Notably, HelloKitty operators announced their support for this new platform, solidifying the link between these groups.<\/p>\n Cisco Talos security analysts identified<\/a> Kraken conducting double-extortion attacks in which victims are both encrypted and threatened with data publication.<\/p>\n The group employs a sophisticated multi-stage attack methodology that begins with SMB vulnerability exploitation on internet-exposed servers.<\/p>\n Once inside a system, attackers steal privileged credentials and use them to maintain persistent access through Remote Desktop Protocol connections.<\/p>\n To establish long-term presence, attackers deploy Cloudflared for creating reverse tunnels and SSH Filesystem tools for data exfiltration<\/a>.<\/p>\n Before deploying encryption, the ransomware<\/a> performs a unique benchmarking operation to measure how fast it can operate on the victim\u2019s machine without causing immediate detection through system resource exhaustion.<\/p>\n Kraken\u2019s technical sophistication becomes apparent through its extensive command-line options. The ransomware uses RSA-4096 and ChaCha20 encryption algorithms, providing strong cryptographic protection.<\/p>\n Attackers can customize attacks using parameters like timeout delays, file size limits, and encryption depth selections.<\/p>\n For Windows systems, the command format follows: Linux and ESXi versions use ELF binaries with options like daemon mode execution and SSH remote capabilities.<\/p>\n The ransomware features partial and full encryption modes, allowing attackers to optimize between encryption speed and maximum damage.<\/p>\n Notably, Kraken actively encrypts SQL databases<\/a> and network shares while automatically skipping critical system files and Program Files directories to maintain victim system functionality for ransom negotiations.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Kraken Cross-Platform Ransomware Attacking Windows, Linux, and VMware ESXi Systems in Enterprise Environments<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Kraken](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcghTidwX8mQwKcWebdTLapfpssQA7usNvvm2yu025xUYL-y6UymihLW5FVSN6u-RuwzwQVFFueotUe6gesIPqi-GSYkNXBlcLupIy9m76U860cq6kZeF8_OJk5SufKE_S5rLGe-3rXZi96ZVKmxSa2ijOvfHj9mRK22p6_ptHQGwnNDwKF-ieW6Raec0\/s16000\/Kraken%2520data%2520leak%2520blog%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"Kraken](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgz-XtV9oTJ1YTPEzifqEsx8O2c-eX5wRm_2gc9OlleqlcgheMiuR9lNOsEejZbI5IaE6_4FrKE-GsmaliacGY8t7YTa-UgMokU4N0XFY0C-mI8qRwlFYM5UrbMOJI8GgYC6x4bM6nGwbwth7ICRj1nbAf2q-SFKuW21FIC52oKuLDPWy9GglU99pYKwKE\/s16000\/Kraken%2520ransom%2520note%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"Kraken](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjTngiZ9LsSJua8J52QI1sV1DpONaMSKz0s8G5fEwLSqU0Gb6km0IGgCzRH59PByZK0RvRbpxZdsoJmcJ8p1PG83YXhem7f9djq1Ndj2LoekVtUT5oRPjDshIbKTOKEOY2Jx2nmWXjPfQd8EnNhJ8m7F9NzkuHPkD3N9soi5RslceXO6tuiQQhkQ3P500s\/s16000\/Kraken%2520infection%2520chain%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Encryption and Command-Line Flexibility<\/strong><\/h2>\n
Encryptor.exe \u2013key <32-byte key> -path <targeted path> -t<\/code>.<\/p>\n