Ethical Hacking News
Kraken ransomware has added an unusual capability: before encrypting a host it measures how quickly that host can encrypt data and uses the result to choose between full and partial encryption. Cisco Talos, which documented the behavior, reads it as a way to inflict the most damage in the shortest window while avoiding the resource spikes that would draw attention.
In brief: Kraken benchmarks each machine before encrypting it. It writes a temporary file of random data, times how long encrypting that file takes, deletes it, and from the measured speed decides whether to encrypt files completely or only partially. According to Cisco Talos, the intrusions begin with exploitation of SMB vulnerabilities on internet-facing assets, followed by theft of administrator credentials, re-entry over RDP, and deployment of Cloudflared and SSHFS for reverse tunnels, lateral movement and data exfiltration. The Windows build ships four encryption modules, covering SQL database instances, network shares, local drives and Hyper-V virtual machines; the Linux/ESXi build terminates running virtual machines before encrypting their disk files. The goal is the usual one: encrypt valuable data and extort a ransom, which victims with critical systems locked up are often desperate enough to pay.
Ransomware headlines have long been dominated by names such as WannaCry and NotPetya, which caused damage to computer systems worldwide. A newer family, Kraken, has drawn attention in recent months, and its latest development is the subject of this article: a benchmarking routine that tunes how each victim machine is encrypted.
According to researchers at Cisco Talos, Kraken's benchmarking routine is a rarely seen capability: it uses a temporary file to decide between full and partial data encryption. The test tells the operators, in real time, how quickly the machine can encrypt data without being overloaded. In effect, they are looking for the point at which encryption does the most damage in the least time, without the intensive resource usage that might trigger an alert.
How do the intrusions reach that point? According to Cisco Talos, Kraken attacks typically begin with the exploitation of SMB vulnerabilities on internet-facing assets, which gives the threat actors an initial foothold. The attackers then extract administrator account credentials, use them to re-enter the environment over Remote Desktop Protocol (RDP), and deploy the Cloudflared and SSHFS tools.
Cloudflared establishes a reverse tunnel from the victim host back to the attacker's infrastructure, and SSHFS mounts a remote filesystem over SSH; together they let the operators exfiltrate data through mounted remote filesystems. Using the persistent Cloudflared tunnels and RDP, Kraken operators move laterally through the compromised network and stage the ransomware binaries.
Here is where things get interesting. When the encryption command is issued, Kraken first benchmarks each machine: it creates a temporary file filled with random data, encrypts it in a timed operation, computes the resulting throughput, and deletes the file. Based on that result, the encryptor decides whether files will be encrypted completely or only partially.
This speed calculation is what sets Kraken apart from its peers. It tells the operators which machines can absorb a full encryption pass and which should get the lighter, partial treatment, so that the job finishes before the load it generates is noticed. Either way, the aim is to maximize damage before the system's owners realize what is happening.
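The probe and decision logic described above, modelled as an added example (this is not Kraken's code and is not taken from Cisco Talos or BleepingComputer): the program writes random bytes to a temporary file, times one read-encrypt-write pass over it with AES-256-CTR, removes the file, and turns the measured throughput into a full-or-partial policy. The 8 MiB sample size, the 200 MB/s threshold, and the partial layout (encrypt the first 256 bytes of every 1 KiB) are assumptions for illustration; the article does not specify any of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"time"
)

// Mode is the encryption policy chosen after the benchmark.
type Mode string

const (
	ModePartial Mode = "partial" // encrypt only the head of each stride
	ModeFull    Mode = "full"    // encrypt every byte
)

// newCTR returns an AES-256-CTR stream for the given key and IV.
func newCTR(key, iv []byte) (cipher.Stream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, iv), nil
}

// benchmarkMBps models the probe described in the article: write sampleSize
// random bytes to a temporary file under dir, time one read-encrypt-write
// pass over it, remove the file, and report the throughput in MB/s.
func benchmarkMBps(dir string, sampleSize int) (float64, error) {
	buf := make([]byte, sampleSize)
	if _, err := rand.Read(buf); err != nil {
		return 0, err
	}
	f, err := os.CreateTemp(dir, "bench-*.tmp")
	if err != nil {
		return 0, err
	}
	path := f.Name()
	f.Close()
	defer os.Remove(path) // the probe leaves nothing behind
	if err := os.WriteFile(path, buf, 0o600); err != nil {
		return 0, err
	}
	key, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	stream, err := newCTR(key, iv)
	if err != nil {
		return 0, err
	}

	start := time.Now()
	data, err := os.ReadFile(path)
	if err != nil {
		return 0, err
	}
	stream.XORKeyStream(data, data)
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return 0, err
	}
	elapsed := time.Since(start).Seconds()
	if elapsed <= 0 {
		elapsed = 1e-9 // guard against a zero-resolution clock
	}
	return float64(sampleSize) / (1024 * 1024) / elapsed, nil
}

// chooseMode maps the measured throughput to a policy. The threshold is an
// assumption for illustration; the article gives no figure.
func chooseMode(mbps, thresholdMBps float64) Mode {
	if mbps >= thresholdMBps {
		return ModeFull
	}
	return ModePartial
}

// encryptBuffer applies the chosen policy to data in place. Partial mode
// encrypts the first head bytes of every stride bytes and leaves the rest
// untouched. Kraken's exact partial scheme is not described, so this layout
// is an assumption. Applying the same key, IV and layout again decrypts.
func encryptBuffer(data, key, iv []byte, mode Mode, head, stride int) error {
	stream, err := newCTR(key, iv)
	if err != nil {
		return err
	}
	if mode == ModeFull {
		stream.XORKeyStream(data, data)
		return nil
	}
	for off := 0; off < len(data); off += stride {
		end := off + head
		if end > len(data) {
			end = len(data)
		}
		stream.XORKeyStream(data[off:end], data[off:end])
	}
	return nil
}

func main() {
	mbps, err := benchmarkMBps(os.TempDir(), 8<<20) // 8 MiB sample: an assumption
	if err != nil {
		fmt.Println("benchmark failed:", err)
		return
	}
	mode := chooseMode(mbps, 200) // 200 MB/s threshold: an assumption
	fmt.Printf("throughput %.1f MB/s -> %s encryption\n", mbps, mode)
}
```

Run it with `go run` to see which mode a given host would get. The point for defenders is the observable footprint: a short-lived file of random data created and deleted moments before encryption begins, and, in partial mode, files in which most bytes survive untouched, which matters both for recovery and for entropy-based detection, since partially encrypted files look far less random than fully encrypted ones.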
Cisco's researchers note that the assessment is likely fast, so the final stage of the attack can deal maximum damage without the intensive resource usage that would trigger alerts. Not every target is handled the same way: the Windows version of Kraken has four encryption modules, tailored respectively to SQL database instances, network shares, local drives and Hyper-V virtual machines.
For Linux and ESXi systems, Kraken enumerates running virtual machines and forcibly terminates them to release the locks on their disk files, then performs multi-threaded full or partial encryption using the same benchmarking logic as the Windows version. The attackers' goal is the obvious one: encrypt valuable data and extort a sizeable ransom from the victim.
In one case observed by Cisco Talos, the ransom demand reached $1 million in Bitcoin. Demands of that size work because, for an organization whose critical systems and data are locked, paying can look like the only quick route back to normal operations.
Kraken's benchmarking feature is a departure from the usual ransomware playbook and a reminder that these groups keep refining their tooling, not only their targeting. The practical lessons follow from the intrusion chain described above: patch and, where possible, remove SMB exposure on internet-facing assets, protect administrator credentials and RDP access, and watch for Cloudflared and SSHFS activity on systems where those tools have no legitimate role. Defenders who track such changes in attacker tradecraft and update their controls accordingly reduce their chance of being the next victim.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Kraken-Ransomwares-Quest-for-Perfection-A-Deep-Dive-into-its-Benchmarking-Feature-ehn.shtml
https://www.bleepingcomputer.com/news/security/kraken-ransomware-benchmarks-systems-for-optimal-encryption-choice/
https://blog.talosintelligence.com/kraken-ransomware-group/
Published: Thu Nov 13 20:58:15 2025 by llama3.2 3B Q4_K_M