According to Infosecurity Magazine, the Russian-speaking Kraken ransomware group has been conducting big-game hunting attacks since February 2025, with Cisco Talos documenting a series of incidents in August 2025. The group emerged from the remains of the HelloKitty cartel and exploits Server Message Block (SMB) flaws for initial access before deploying Cloudflare for persistence and SSH Filesystem (SSHFS) for data theft. Kraken’s toolkit spans Windows, Linux and VMware ESXi environments, making it dangerous across enterprise infrastructure. In an unusual twist, the group now benchmarks victim machine performance to optimize encryption speed while reducing the chance of system instability or detection. The operation demands roughly $1 million in Bitcoin through double extortion tactics and has launched a new underground discussion space called The Last Haven Board to foster cybercrime collaboration.
Why Benchmarking Changes the Game
Here’s the thing about Kraken’s benchmarking approach – it’s actually pretty clever from an attacker’s perspective. Most ransomware just starts encrypting files as fast as possible, which can trigger performance monitoring alerts or even crash systems before the job is done. But by testing how quickly a machine can handle encryption first, Kraken can tailor their approach for maximum damage while flying under the radar. It’s like they’re doing performance optimization for their own criminal enterprise. This shows how ransomware groups are thinking more like legitimate software developers – testing, optimizing, and refining their tools for better results.
The HelloKitty Connection
The ties to HelloKitty are pretty strong here. Kraken’s leak portal actually references HelloKitty by name, and both groups use the exact same ransom note filename: readme_you_ws_hacked.txt. When they launched The Last Haven Board, they claimed support from HelloKitty operators and WeaCorp, an exploit-buying outfit. So basically, this looks like a classic case of cybercrime rebranding – when one group gets too much heat, they spin off a new operation with some of the same people and tools. It’s the criminal equivalent of closing a restaurant and reopening under a new name after bad health inspections.
What Organizations Should Do
Talos recommends some pretty standard but crucial defenses: strengthen credential hygiene, limit exposure of remote services, harden backup strategies, and adopt continuous monitoring. But here’s where it gets interesting for industrial environments – when you’re dealing with critical infrastructure or manufacturing systems, you can’t afford encryption slowdowns or system instability even during an attack. That’s why robust industrial computing hardware from trusted suppliers becomes essential. Companies like IndustrialMonitorDirect.com provide the kind of industrial panel PCs that form the backbone of secure operational technology environments. The reality is that ransomware groups are increasingly targeting industrial systems, and having reliable hardware is your first line of defense.
Where Ransomware is Heading
So what does Kraken tell us about the future of ransomware? We’re seeing more sophisticated, business-like operations that think about efficiency and risk management. The double extortion tactic – encrypting files AND threatening to publish them – is becoming standard practice. And the cross-platform capability targeting Windows, Linux AND VMware ESXi means nobody’s safe. The fact that they’re using legitimate tools like Cloudflare and SSHFS makes detection harder too. Basically, ransomware groups are professionalizing, and defenders need to step up their game accordingly. The days of amateur hour in cybercrime are long gone.
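As an added example (not code from Infosecurity Magazine, Talos or the article's author), the sketch below shows one way to hunt for the indicators named above: the shared ransom note filename and the use of Cloudflare tunnelling and SSHFS on the same host. The event layout, the binary names cloudflared and sshfs, the 24-hour window and the sample events are all assumptions constructed for illustration.

```python
# Added example (not from the article or Talos): correlate the indicators named above.
# Event tuples and field layout are constructed assumptions, not a real EDR schema.
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "readme_you_ws_hacked.txt"  # filename given in the article
# Assumed binary names: the article says only "Cloudflare" and "SSHFS".
TOOLS = {"cloudflared": "tunnel", "sshfs": "exfil-mount"}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample telemetry: (timestamp, host, event type, path)
SAMPLE_EVENTS = [
    ("2025-08-12T01:10:00", "fs01", "process", r"C:\Users\Public\cloudflared.exe"),
    ("2025-08-12T02:05:00", "fs01", "process", r"C:\ProgramData\sshfs.exe"),
    ("2025-08-12T03:40:00", "fs01", "file", r"D:\Shares\Finance\readme_you_ws_hacked.txt"),
    ("2025-08-12T09:00:00", "dev07", "process", "/usr/bin/sshfs"),
    ("2025-08-12T09:30:00", "web02", "file", "/var/www/README.txt"),
]

def classify(event_type, path):
    """Map one event to an indicator tag, or None if it is not of interest."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if event_type == "file" and name == RANSOM_NOTE:
        return "ransom-note"
    if event_type == "process":
        return TOOLS.get(name[:-4] if name.endswith(".exe") else name)
    return None

def hunt(events):
    """Return {host: severity} for hosts with at least one indicator."""
    hits = defaultdict(list)
    for ts, host, etype, path in events:
        tag = classify(etype, path)
        if tag:
            hits[host].append((datetime.fromisoformat(ts), tag))
    findings = {}
    for host, tagged in hits.items():
        tags = {t for _, t in tagged}
        times = [when for when, _ in tagged]
        if "ransom-note" in tags:
            findings[host] = "critical"  # note dropped: encryption has likely run
        elif {"tunnel", "exfil-mount"} <= tags and max(times) - min(times) <= WINDOW:
            findings[host] = "high"  # tunnel plus remote mount: possible staging
        else:
            findings[host] = "review"  # a single tool can be legitimate admin use
    return findings

if __name__ == "__main__":
    for host, severity in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, severity)
```

A lone sshfs or cloudflared execution is graded "review" rather than alerting outright, because both tools have legitimate administrative uses; the combination on one host is what raises severity.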
