Kraken ransomware adds CPU/IO benchmarking—what to hunt before the encryptor runs

Cisco Talos and others report that Kraken now profiles each host to select encryption mode and threading. Here’s a concise IR playbook fo...

Reporting on November 13, 2025 highlighted that the cross-platform Kraken ransomware profiles each victim machine first, benchmarking disk and CPU to choose between full and partial encryption and to tune thread counts so the encryptor stays below resource alarms BleepingComputer. Cisco Talos’ deep dive confirms the host-side performance test (a temporary file exercised via command-line switches), plus distinct encryptors for Windows and Linux/VMware ESXi that append “.zpsc” and drop “readme_you_ws_hacked.txt” Talos. Talos also notes ties to the older HelloKitty operation and a Kraken-hosted forum announcement (“The Last Haven Board”), a link also observed in independent analysis of Kraken’s leak site Talos Cyjax.

Intrusion Flow

  • Initial access and staging
    • Observed exploitation of internet-facing SMB services, followed by credential theft and re-entry via RDP Talos.
    • Operators install Cloudflared to establish outbound-only reverse tunnels (no inbound ports required), then use SSHFS to mount remote storage for exfiltration Talos Cloudflare docs SSHFS manpage.
  • Pre-encryption benchmark and cleanup
    • Kraken supports “-tests”, “-tempfile”, and “-tempsize” switches to create, encrypt, time, and delete a temp file, then select full (“-solid”) or partial (“-step”, “-limit”) encryption accordingly Talos.
    • Before encryption, it stops backup services, deletes shadow copies via vssadmin, and empties the Recycle Bin (SHEmptyRecycleBinA) to hinder recovery Talos Microsoft vssadmin.
  • Platform-specific behavior
    • Windows modules target: SQL databases (registry discovery of instance roots), network shares (WNet APIs), local drives, and Hyper-V (PowerShell Get-VM/Stop-VM to stop VMs before encrypting disks) Talos Microsoft WNet GetLogicalDrives Hyper-V PS docs.
    • Linux/ESXi encryptor detects platform, terminates running VMs, and then encrypts; ESXi termination aligns with esxcli vm process list/kill semantics (soft/hard/force) Talos VMware esxcli reference.
    • Post-encryption, a “bye_bye.sh” script purges logs, shell history, and the binary on Linux/ESXi to reduce artifacts Talos.

Key Artifacts to Pull

  • Windows hosts
    • Prefetch: execution traces of the encryptor and helper tools at C:\Windows\Prefetch (look for run count, last run, and referenced files/paths) Forensics Wiki.
    • SRUM: C:\Windows\System32\SRU\SRUDB.dat for per-hour app runs and network/disk I/O that can surface the benchmarking temp-file cycle and exfil process activity Elcomsoft artefacts.help.
    • USN Journal: NTFS $Extend\$UsnJrnl:$J for creation/encryption/rename/unlink of large temp files and mass edits during the benchmark and detonation phases artefacts.help.
    • Eventing:
      • Security 4624 logons (RDP LogonType 10) and network logons (3) to correlate re-entry and lateral movement MS 4624.
      • TerminalServices-RemoteConnectionManager/Operational ID 1149 for RDP connection attempts Windows OS Hub.
      • Sysmon Event ID 1 process creation for command lines containing “-tests”, “-tempfile”, “-tempsize”, vssadmin invokes, PowerShell Get-VM/Stop-VM, and Cloudflared execution Sysmon.
    • Cloudflared: check for the service/process and logs (defaults to stdout; “--logfile” can persist to disk) and look for config at ~/.cloudflared/config.yml (or service-managed locations) Cloudflare logs Cloudflare config.
    • SQL instance discovery artifacts: HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL and related instance roots that the SQL module targets SQLines.
  • Linux/ESXi hosts
    • ESXi logs for VM termination and shell activity: /var/log/hostd.log, /var/log/vmkernel.log, /var/log/vpxa.log, and /var/log/shell.log, plus VM vmware.log on datastores VMware docs.
    • Evidence of esxcli vm process list/kill usage consistent with forced VM shutdown prior to encryption VMware esxcli reference.
    • Cloudflared configuration and service state if used on Linux jump hosts (e.g., ~/.cloudflared/config.yml or /etc/cloudflared when installed as a service) Cloudflare service.
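The ESXi artifacts above are only useful if you can turn them into a timeline quickly, and the first forced VM kill is the timestamp that bounds usable restore points. The following is an added example for this playbook, not Talos tooling or VMware code: it parses shell.log-style and hostd.log-style lines, pulls out esxcli vm process kill commands, VM power-off transitions, and purge hints, and reports the earliest kill. The line formats are approximations of real ESXi logs, the purge indicators (bye_bye.sh, history -c, truncating /var/log) are assumptions drawn from the behaviour described above, and the sample lines are constructed.

```python
"""Build a kill/power-off timeline from ESXi shell.log and hostd.log lines.

Added example; log formats are approximations of ESXi output and the
sample lines are constructed, not captured from a real host.
"""
import re
from datetime import datetime, timezone

TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)"
# shell.log: "<ts> shell[<pid>]: [<user>]: <command>"
SHELL_RE = re.compile(TS + r"\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
# hostd.log: "... sub=Vmsvc.vm:<vmx path>] State Transition (X -> VM_STATE_OFF)"
HOSTD_OFF_RE = re.compile(
    TS + r".*sub=Vmsvc\.vm:(?P<vmx>\S+)\].*State Transition "
    r"\(VM_STATE_\w+ -> VM_STATE_(?:POWERING_OFF|OFF)\)")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--type[= ](?P<type>\w+)")
# Assumed indicators of the post-encryption cleanup script; tune to your fleet.
PURGE_HINTS = ("bye_bye.sh", "rm -rf /var/log", "> /var/log/shell.log", "history -c")


def parse_ts(s):
    """ESXi timestamps are UTC with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(s.rstrip("Z")).replace(tzinfo=timezone.utc)


def triage_esxi(shell_lines, hostd_lines):
    """Return the merged timeline, the first forced kill, VMs seen powering
    off, and whether a log-purge indicator appeared."""
    timeline = []
    for line in shell_lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        t, user, cmd = parse_ts(m.group(1)), m.group("user"), m.group("cmd")
        k = KILL_RE.search(cmd)
        if k:
            timeline.append({"t": t, "kind": "vm_kill", "user": user,
                             "type": k.group("type"), "detail": cmd})
        elif any(h in cmd for h in PURGE_HINTS):
            timeline.append({"t": t, "kind": "log_purge", "user": user, "detail": cmd})
        elif cmd.startswith("esxcli vm process list"):
            timeline.append({"t": t, "kind": "vm_enum", "user": user, "detail": cmd})
    for line in hostd_lines:
        m = HOSTD_OFF_RE.match(line)
        if m:
            timeline.append({"t": parse_ts(m.group(1)), "kind": "vm_poweroff",
                             "vm": m.group("vmx"), "detail": line})
    timeline.sort(key=lambda e: e["t"])
    kills = [e for e in timeline if e["kind"] == "vm_kill"]
    return {
        "timeline": timeline,
        "first_kill": kills[0]["t"] if kills else None,  # restore from snapshots older than this
        "vms_powered_off": sorted({e["vm"] for e in timeline if e["kind"] == "vm_poweroff"}),
        "purge_seen": any(e["kind"] == "log_purge" for e in timeline),
    }


SAMPLE_SHELL_LOG = [  # constructed
    "2025-11-13T10:14:40Z shell[2100123]: [root]: esxcli vm process list",
    "2025-11-13T10:14:58Z shell[2100123]: [root]: esxcli vm process kill --type=force --world-id=2100456",
    "2025-11-13T10:15:00Z shell[2100123]: [root]: esxcli vm process kill --type=force --world-id=2100789",
    "2025-11-13T10:31:12Z shell[2100123]: [root]: sh /tmp/bye_bye.sh",
]
SAMPLE_HOSTD_LOG = [  # constructed; the 09:00 line is a normal power-on and must not match
    "2025-11-13T09:00:00.000Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds1/db01/db01.vmx] State Transition (VM_STATE_OFF -> VM_STATE_ON)",
    "2025-11-13T10:14:59.101Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds1/web01/web01.vmx] State Transition (VM_STATE_ON -> VM_STATE_OFF)",
    "2025-11-13T10:15:01.532Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds1/db01/db01.vmx] State Transition (VM_STATE_ON -> VM_STATE_OFF)",
]

if __name__ == "__main__":
    result = triage_esxi(SAMPLE_SHELL_LOG, SAMPLE_HOSTD_LOG)
    for e in result["timeline"]:
        print(e["t"].isoformat(), e["kind"], e["detail"][:80])
    print("first forced kill:", result["first_kill"], "| purge seen:", result["purge_seen"])
```

Because bye_bye.sh is designed to empty shell.log and history on the host itself, feed this with copies forwarded to syslog or vCenter rather than relying on what is left on the ESXi disk.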

Detection Notes

  • Pre-encryption benchmarking
    • Alert on processes invoking “-tests”, “-tempfile”, “-tempsize” together, rapid create/write/delete of a large file in temp paths, and subsequent high-fan-out file opens by the same parent process Talos Sysmon.
  • Backup/anti-recovery actions
    • vssadmin delete shadows, service-control commands that stop backup services, and SHEmptyRecycleBinA API usage (the API call needs EDR/ETW instrumentation; the commands correlate with Sysmon ProcessCreate) Talos Microsoft vssadmin.
  • Windows targeting behaviors
    • PowerShell Get-VM/Stop-VM sequences that stop Hyper-V guests before disk encryption, registry reads of SQL Server instance roots under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL, and share/drive enumeration (WNet APIs, GetLogicalDrives) from a parent process that has no business doing it Talos Hyper-V PS docs SQLines.
  • Linux/ESXi behavior
    • esxcli vm process kill (especially --type=force) in shell history or shell.log, mass VM power-off transitions in hostd.log, and execution of a bye_bye.sh-style cleanup script that truncates logs and removes the binary Talos VMware esxcli reference.
  • Tunneling/exfiltration
    • Cloudflared execution, config presence, and egress to Cloudflare Tunnel endpoints; the daemon is outbound-only and commonly runs as a service, so monitor process creation and network connects, not only inbound firewall logs Cloudflare docs Tunnel with firewall.
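The detection notes above describe several rules in words; the following is an added example, not Talos tooling or code from this playbook, that turns them into hunt logic over Sysmon-style events (ID 1 ProcessCreate, ID 11 FileCreate, ID 26 FileDeleteDetected, reduced to plain dicts). It requires the three benchmark switches together rather than any one of them, and pairs a temp-file create with its delete by the same process to catch the create/encrypt/delete shape. The temp-path markers, the rule names and the sample events are assumptions constructed for the example.

```python
"""Hunt rules over Sysmon-style events for Kraken-style pre-encryption behaviour.

Added example for this playbook, not Talos tooling. Events are a simplified
dict form of Sysmon ID 1 (ProcessCreate), 11 (FileCreate) and 26
(FileDeleteDetected). The switch names come from the Talos reporting; the
sample events at the bottom are constructed, not captured from an incident.
"""
import re
from datetime import datetime

BENCH_SWITCHES = ("-tests", "-tempfile", "-tempsize")
# Lower-cased path fragments treated as "temp" locations (an assumption).
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\tmp\\")
CYCLE_WINDOW_S = 120  # create -> delete of one temp file within this many seconds


def _t(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def process_rules(ev):
    """Rules over one ProcessCreate event; returns a list of alert dicts."""
    cl = ev.get("CommandLine", "")
    low = cl.lower()
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    base = {"pid": ev["ProcessId"], "time": ev["UtcTime"], "cmd": cl}
    hits = []
    # Require all three switches together: a lone "-tests" is common in benign tools.
    if all(sw in low for sw in BENCH_SWITCHES):
        m = re.search(r"-tempsize\s+(\d+)", low)
        hits.append({**base, "rule": "kraken_benchmark_switches",
                     "tempsize": int(m.group(1)) if m else None})
    if image.startswith("vssadmin") and re.search(r"\bdelete\s+shadows\b", low):
        hits.append({**base, "rule": "shadow_copy_deletion"})
    if image in ("powershell.exe", "pwsh.exe") and "get-vm" in low and "stop-vm" in low:
        hits.append({**base, "rule": "hyperv_mass_vm_stop"})
    if image.startswith("cloudflared") and "tunnel" in low:
        hits.append({**base, "rule": "cloudflared_tunnel_start"})
    return hits


def temp_cycle_rule(events):
    """Pair a FileCreate with a FileDeleteDetected of the same temp path by the
    same process inside CYCLE_WINDOW_S: the benchmark's create/encrypt/delete shape."""
    pending, hits = {}, []
    for ev in sorted(events, key=_t):
        if ev["EventID"] not in (11, 26):
            continue
        path = ev["TargetFilename"]
        if not any(m in path.lower() for m in TEMP_MARKERS):
            continue
        key = (ev["ProcessId"], path.lower())
        if ev["EventID"] == 11:
            pending[key] = ev
        elif key in pending:
            created = pending.pop(key)
            delta = (_t(ev) - _t(created)).total_seconds()
            if delta <= CYCLE_WINDOW_S:
                hits.append({"rule": "temp_file_create_delete_cycle", "pid": ev["ProcessId"],
                             "time": created["UtcTime"], "path": path, "seconds": delta})
    return hits


def hunt(events):
    """Run every rule and return alerts ordered by time."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(process_rules(ev))
    alerts.extend(temp_cycle_rule(events))
    return sorted(alerts, key=lambda a: a["time"])


SAMPLE_EVENTS = [  # constructed for the example; switch values are hypothetical
    {"EventID": 1, "UtcTime": "2025-11-13 09:58:10", "ProcessId": 3900,
     "Image": "C:\\ProgramData\\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token <redacted>"},
    {"EventID": 1, "UtcTime": "2025-11-13 10:14:50", "ProcessId": 4412,
     "Image": "C:\\Users\\Public\\enc.exe",
     "CommandLine": "enc.exe -tests -tempfile C:\\Windows\\Temp\\bench.tmp -tempsize 262144"},
    {"EventID": 11, "UtcTime": "2025-11-13 10:14:51", "ProcessId": 4412,
     "TargetFilename": "C:\\Windows\\Temp\\bench.tmp"},
    {"EventID": 26, "UtcTime": "2025-11-13 10:14:54", "ProcessId": 4412,
     "TargetFilename": "C:\\Windows\\Temp\\bench.tmp"},
    {"EventID": 1, "UtcTime": "2025-11-13 10:15:02", "ProcessId": 4500,
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "UtcTime": "2025-11-13 10:15:05", "ProcessId": 4600,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c \"Get-VM | Stop-VM -Force\""},
    {"EventID": 1, "UtcTime": "2025-11-13 10:16:00", "ProcessId": 5000,  # benign: one switch only
     "Image": "C:\\Tools\\bench.exe", "CommandLine": "bench.exe -tests"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["time"], a["rule"], "pid", a["pid"])
```

In production the same logic runs in your SIEM query language; the point is the correlation shape (all switches together, then create/delete of one temp path by that pid within a short window) rather than any single string match.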

Response Guidance

  • Containment
    • Block or tightly proxy outbound traffic to Cloudflare Tunnel endpoints during triage to choke attacker tunnels; Cloudflared typically egresses to specific Cloudflare hosts on port 7844 (http2/quic). Align firewall egress filters with your environment’s intended use first so you do not break legitimate business traffic Tunnel with firewall.
    • On ESXi, prioritize isolating management interfaces and auditing recent shell access; review hostd/vmkernel/vpxa logs and halt any encryption processes before attempting VM recoveries VMware docs VMware esxcli reference.
  • Live response checklist (fast triage)
    • Pull volatile process lists, open handles, and network connections; capture command lines referencing “-tests/-temp*” and vssadmin invocations Sysmon Microsoft vssadmin.
    • Snapshot artifact sets: Prefetch, SRUM, USN Journal, and Windows Security/Sysmon/RDP logs; collect Cloudflared config/logs if present Forensics Wiki Elcomsoft artefacts.help USN Cloudflare logs.
    • Identify SQL/Hyper-V targeting by enumerating the registry and recent PowerShell history for Get-VM/Stop-VM usage before encryption SQLines Hyper-V PS docs.
  • Recovery
    • Expect shadow copies to be wiped; rely on offline/immutable backups and hypervisor-level snapshots that predate the incident. Check ESXi logs for mass forced VM kills and use the earliest one to time-bound the restore points you trust Talos VMware docs.

Takeaways

  • Add detections for Kraken’s pre-encryption benchmark switches and the temp-file create/encrypt/delete pattern; it’s your earliest high-signal pivot Talos.
  • Monitor and restrict Cloudflared where not explicitly approved; it’s outbound-only by design and frequently abused for persistence/remote access Cloudflare docs.
  • Harden virtualization: alert on Get-VM/Stop-VM on Windows and esxcli vm process kill on ESXi; investigate any forced VM shutdowns around the time of encryption Hyper-V PS docs VMware esxcli reference.
  • Prioritize artifact pulls that survive self-deletion: Prefetch, SRUM, USN, and hypervisor logs will carry the story even if binaries and shell history are scrubbed Forensics Wiki Elcomsoft artefacts.help USN.

Sources / References