Welcome to another episode of Humans of Talos! This week, Amy sits down with William (Bill) Largent from the Strategic Planning and Communications team. Bill’s role as Senior Security Researcher spans from threat research to communicating Talos’s critical work to internal teams, partners, and customers.

Join us as Bill shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.

Amy Ciminnisi: Bill, it’s great to have you on. You’re part of my team in Strategic Planning and Communications. Can you tell us a little bit about what you do here at Talos?

Bill Largent: Generally speaking, most of my time is still spent on threat research and hunting. About 25 to 30% of the time, they have me talk to people. They let me out of the cage for a little while and put me in front of people. I get to talk to internal Cisco teams and to a lot of partners, which is really interesting. I discuss the state of things, help them understand what’s going on in the threat landscape, and explain what Talos is and how we do things. I also get to talk to customers, which is really fun. My background is in vendor-agnostic remote managed services, so I ran SOCs for years. Talking to people who are doing that now is really refreshing.

AC: You’ve been at Cisco for a while. What made you want to join Talos, and how did that career transition go for you?

BL: It’s really interesting. I’ve been here a long time. If you look me up in the directory, you’ll see my photo is about 24 years old. It was taken on a Saturday or Sunday night at 2 or 3 a.m. because I was working overnight shifts, so it looks exactly like you’d imagine. Getting to Talos was about seeking out smarter people. I believe if you’re the smartest person in the room, you’re in the wrong room, so I started tracking where the smarter people were and went there.

As a member of Talos, there’s never a smarter room than the Talos room. It’s insane, and I mean that for any topic you can think of — chaos theory, mathematics, planetary science, beer making… You name it, someone in Talos is an expert. It’s honestly great. That’s how I came to Talos: trying to find the smartest people in the room.

AC: Is working with people and especially people on Talos your favorite thing about your role, or are there other aspects you love?

BL: For me, the people are a massive differentiator from working anywhere else. I feel super supported and engaged all the time. Beyond the people, what’s interesting about cybersecurity is that it evolves so fast and changes so much that you’re never in a state of stasis. There’s always something new to learn, and even though it’s all cyclical and some things come back around, there’s a lot of difference day to day. It keeps my brain occupied. I also have the support of people who encourage me to go learn things that interest me.

Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

Cisco Talos Blog – ​Read More

Malicious browser extensions remain a significant blind spot for many organizations’ cybersecurity teams. They’ve become a permanent fixture in the cybercriminal arsenal, used for session and account theft, espionage, masking other criminal activity, ad fraud, and cryptocurrency theft. High-profile incidents involving malicious extensions are frequent — ranging from the compromise of the Cyberhaven security extension to the mass publication of infostealer extensions.

Extensions are appealing to attackers because they’re granted permissions and wide-ranging access to information within SaaS applications and websites. Because they’re not standalone applications, they often slip past standard security policies and control tools.

A company’s security team must tackle this problem systematically. Managing browser extensions requires a combination of policy management tools and specialized extension-analysis services or utilities. This topic was the focus of Athanasios Giatsos’ talk at the Security Analyst Summit 2025.

Threat capabilities of web extensions and innovations in Manifest V3

A browser’s web extension has broad access to web page information: it can read and modify any data available to the user through the web application, including financial or medical records. Extensions also often gain access to important data typically unseen by users: cookies, local storage, and proxy settings. This greatly simplifies session hijacking. Sometimes, the capabilities of extensions extend far beyond web pages: they can access the user’s location, browser downloads, desktop screen capture, clipboard content, and browser notifications.

In the previously dominant extension architecture, Manifest V2 extensions — which worked across Chrome, Edge, Opera, Vivaldi, Firefox, and Safari — are virtually indistinguishable from full-fledged applications in terms of capabilities. They can continuously run background scripts, keep invisible web pages open, load and execute scripts from external websites, and communicate with arbitrary sites to retrieve or send data. To curb potential abuse — as well as to limit ad blockers — Google transitioned Chromium and Chrome to Manifest V3. This update limited or blocked many extension features. Extensions must now declare all the sites they communicate with, are prohibited from executing dynamically loaded third-party code, and must use short-lived micro-services instead of persistent background scripts. While some types of attacks are now harder to execute due to the new architecture, attackers can easily rewrite their malicious code to retain most necessary functions while sacrificing stealth. Therefore, relying solely on browsers and extensions operating under Manifest V3 within an organization simplifies monitoring, but is not a panacea.

Furthermore, V3 doesn’t address the core problem with extensions: they’re generally downloaded from official application stores using legitimate Google, Microsoft or Mozilla domains. Their activity appears to be initiated by the browser itself, making it extremely difficult to distinguish actions performed by an extension from those manually executed by the user.

How malicious extensions emerge

Drawing from various public incidents, Athanasios Giatsos highlights several scenarios where malicious extensions can rear their ugly heads:

• The original developer sells a legitimate and popular extension. The buyer then “enhances” it with malicious code for ad display, espionage, or other nefarious purposes. Examples include The Great Suspender and Page Ruler.
• Attackers compromise the developer’s account and publish a trojanized update for an existing extension, as was the case with Cyberhaven.
• The extension is designed to be malicious from the beginning. It either masquerades as a helpful utility, such as a fake Save to Google Drive tool, or mimics the names and designs of popular extensions, like the dozens of AdBlock clones available.
• A more sophisticated version of this scheme involves initially publishing the extension in a clean state, where it performs a genuinely useful function. Malicious additions are then introduced weeks or even months later, once the extension has gained enough popularity. ChatGPT for Google is one example.

In all these scenarios, the extension is widely available in the Chrome Web Store and sometimes even advertised. However, there’s also a targeted attack scenario where phishing pages or messages prompt victims to install a malicious extension that’s not available to the general public.

Centralized distribution through the Chrome Web Store, combined with automated updates for both the browser and extensions, often results in users unknowingly ending up with a malicious extension without any effort on their part. If an extension already installed on a computer receives a malicious update, it will be installed automatically.

Organizational defenses against malicious extensions

In his talk, Athanasios offered a number of general recommendations:

• Adopt a company policy regarding the use of browser extensions.
• Prohibit any extensions not explicitly included in a list approved by the cybersecurity and IT departments.
• Continuously audit all installed extensions and their versions.
• When extensions are updated, track changes in permissions they’re granted, and monitor any changes in the ownership of the extensions or their developer team.
• Incorporate information about the risks of, and rules for, using browser extensions into security awareness training programs for all employees.

We add a few practical insights and specific considerations to these recommendations.

Restricted list of extensions and browsers. In addition to applying security policies to the company’s officially approved browser, it’s crucial to prohibit the installation of portable versions and trendy AI browsers like Comet or other unauthorized solutions that allow the same dangerous extensions to be installed. When implementing this step, ensure that local administrator privileges are restricted to the IT staff and other personnel whose job duties strictly require them.

As part of the policy for the company’s main browser, you should disable developer mode and prohibit the installation of extensions from local files. For Chrome, you can manage this via the Admin console. These settings are also available through Windows Group Policies, macOS configuration profiles, or via a JSON policy file on Linux.

Managed updates. Implement version pinning to prevent updates for allowed extensions from being installed company-wide immediately. The IT and cybersecurity teams need to regularly test new versions of approved extensions and pin the updated versions only after they’ve been vetted.

Multi-layered defense. It’s mandatory to install an EDR agent on all corporate devices to prevent users from launching unauthorized browsers, mitigate the risks of visiting malicious phishing sites, and block malware downloads. It’s also necessary to track DNS requests and browser network traffic at the firewall level for real-time detection of communications with suspicious hosts and other anomalies.

Continuous monitoring. Use EDR and SIEM solutions to collect browser state details from employee workstations. This includes the list of extensions in each installed browser, along with the manifest files for version and permission analysis. This allows for the rapid detection of new extensions being installed or the version being updated and granted permission changes.

How to vet browser extensions

To implement the controls discussed above, the company needs an internal database of approved and prohibited extensions. Unfortunately, application stores and the browsers themselves offer no mechanisms to assess risk on an organizational scale, or to automatically populate such a list. Therefore, the cybersecurity team has to create both this process and the list. Employees will also need a formal procedure for submitting requests to add extensions to the approved list.

The assessment of business need and available alternatives is best conducted with a representative from the relevant business unit. However, the risk assessment remains entirely the responsibility of the security team. It’s not necessary to manually download extensions and cross-reference them across different extension stores. This task can be handled by a range of tools, such as open-source utilities, free online services, and commercial platforms.

Services like Spin.AI and Koidex (formerly ExtensionTotal) can be used to gauge the overall risk profile. Both maintain a database of popular extensions, so assessment is typically instant. They use LLMs to generate a brief summary of the extension’s properties, but also provide detailed analysis, including required permissions, the developer’s profile, and the history of versions, ratings, and downloads.

To examine core data on extensions, you can also use Chrome-Stats. While primarily designed for extension developers, this service displays ratings, reviews, and other store data. Crucially, it allows users to directly download the current and several previous versions of an extension, which simplifies incident investigation.

You can employ tools like CRX Viewer for a deeper analysis of suspicious or mission-critical extensions. This tool allows analysts to examine the extension’s internal components, conveniently filtering and displaying the contents with an emphasis on the HTML and JavaScript code.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

A year ago, fresh off a layoff, I never would have guessed I’d be spending Halloween weekend bouncing between conversations about space policy, satellite hacking, and wedding plans. That’s exactly what happened when my space analyst friend came to stay with us for a few days. Between coffee runs, getting sneak peeks of his upcoming book, and painting on skull makeup for a party, we found ourselves deep in discussions about putting data centers in space and, inevitably, the world of satellite cybersecurity. 

Somewhere within all of that, I realized I was on deck for the newsletter intro soon, and I did what any cyber newbie would do: I asked the nearest expert if there had ever been a well-known cyberattack on satellites. My friend didn’t even blink before answering, “KA-SAT.”

Some light research and a few Webex messages later, I was speaking with our own Joe Marshall — who, lucky for me, might be the only person at Cisco who’s been to satellite hacking training.

Joe walked me through how on Feb. 24, 2022, just hours before Russia’s invasion of Ukraine, a cyber attack targeted Viasat’s KA-SAT satellite network. The attackers exploited a vulnerability in a VPN appliance, gaining access to the network’s management systems. They then deployed a wiper malware called AcidRain, which was designed to erase data on modems and routers across Europe.

Satellite communications were disrupted for thousands of users in Ukraine, but surprisingly, beyond Ukraine’s borders, approximately 5,800 Enercon wind turbines in Germany lost connectivity for remote monitoring and control. 

One surprise from the conversation was the overlap between the AcidRain wiper and VPNFilter, which you may remember from Joe’s September newsletter. AcidRain may be VPNFilter’s successor. Take a look:

Identical, hinting at a shared compiler and other technical links, as SentinelOne’s blog details.

What followed this summary was a LOT of questions on my part. What was the VPN vulnerability? How did the wiper work, exactly? What are the pros and cons of replacing vs. fixing the modems, and what about the logistics of the winning decision? Ultimately, while the AcidRain attack was destructive, it was, in the context of what else was happening to Ukraine’s infrastructure, a blip.

As a newcomer to both cybersecurity and Talos, I keep discovering that there are always gaps in the story. I didn’t get all my questions answered because companies guard details, official statements leave out key information, and sometimes, even years later, we’re still piecing things together. Being okay with that is a tall order for people who scour logs looking for a needle in a stack of needles. But when attacks are raining down, customers aren’t asking you to send a flawless analysis. They want to know what you’redoing to keep them safe. 

So, as I write this, still with more questions than answers about AcidRain and the KA-SAT attacks, I’m learning to find peace in knowing that curiosity is the foundation for future expertise. Keep acquiring knowledge, asking questions (both basic and complex), and being okay with some uncertainty.

The one big thing 

Cisco Talos published a new blog today on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community. 

Why do I care? 

Kraken’s advanced, cross-platform techniques — including encryption benchmarking and evasion methods — raise the threat level for organizations of all sizes, and may inspire similar advancements in future ransomware. Plus, their new secure underground forum may accelerate collaboration between threat actors, making robust, layered defenses and intelligence sharing among defenders even more critical. 

So now what? 

Prioritize patching known vulnerabilities (especially SMB), strengthen credential management, and implement comprehensive endpoint, network, and access security solutions. Continuous monitoring, incident response planning, and user awareness training are crucial to detect and contain threats early. 

Top security headlines of the week 

SAP fixes serious security issues – here’s how to stay safe 
A patch is now publicly available, and while SAP’s users were previously notified, the researchers are once again urging everyone to apply it as soon as possible since the risk is only going to get bigger going forward. (TechRadar) 

Phishing tool uses smart redirects to bypass detection 
A new phishing tool targeting Microsoft 365 users called Quantum Route Redirect simplifies what was once a technically complex campaign flow, as well as offers a uniquely evasive redirect feature that can bypass even robust email protections. (Dark Reading) 

Cisco finds open-weight AI models easy to exploit in long chats 
The report, titled Death by a Thousand Prompts: Open Model Vulnerability Analysis, analyzed eight leading open-weight language models and found that multi-turn attacks, where an attacker engages the model across multiple conversational steps, were up to ten times more effective than one-shot attempts. (HackRead) 

Nearly 30 alleged victims of Oracle EBS hack named on Cl0p ransomware site 
The Cl0p website lists major organizations such as Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. (SecurityWeek) 

Kimsuky APT takes over South Korean Androids, abuses KakaoTalk 
One of North Korea’s formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a feature in Google aimed at helping users find their devices. (Dark Reading) 

Can’t get enough Talos? 

The TTP: How Talos built an AI model into one of the internet’s most abused layers
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).

The 2026 Snort Calendar is now available 
Snorty will pose as a new mythical creature each month. To get your copy, fill out our short survey. Calendars will begin shipping in December 2025. U.S. shipping only, available while supplies last. 

Talos Takes: How attackers use your own tools against you 
From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, this quarter’s cases all point to a theme: attackers are getting very good at living off what’s already in your environment.

Do robots dream of secure networking? 
This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.

Upcoming events where you can find Talos 

• DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
• AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Example Filename: f_003b6c.html  
Detection Name: W32.C0AD494457-95.SBX.TG 

Cisco Talos Blog – ​Read More

• In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.
• Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB) vulnerabilities for initial access, then used tools like Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration before encryption. 
• Kraken is a cross-platform ransomware with distinct encryptors for Windows, Linux, and VMware ESXi, targeting a wide range of enterprise environments. 
• Kraken ransomware benchmarks a victim machine before starting the encryption process, a feature rarely seen in ransomware. 
• Talos also observed the announcement of a new underground forum, “The Last Haven Board,” on Kraken’s data leak blog, aimed at creating an anonymous and secure communication channel for the cybercrime underground. 

Who is Kraken? 

The Kraken ransomware group, which emerged in February 2025, employs a double extortion technique and appears to be opportunistic, as it has not concentrated on any specific business verticals. According to Kraken’s leak site, victims span various geographies, including the United States, the United Kingdom, Canada, Denmark, Panama, and Kuwait. 

Like other operators in the double extortion space, Kraken also operates a data leak site to disclose the stolen data of victims who do not meet their ransom demands. 

Kraken encrypts the victim’s environment, uses the .zpsc file extension for the encrypted files, and drops a ransom note titled “readme_you_ws_hacked.txt.” In the ransom note, the actor threatens the victims by stating that they have stolen and encrypted their confidential data. They instruct the victim to contact them using an onion URL to prevent posting to their leak site. 

 Talos observed in one of the instances that the actor demanded a ransom of around 1 million USD to be paid in Bitcoin to the actor’s wallet address. Kraken assures victims that after the successful payment, they will decrypt the environment and guarantee the non-disclosure of stolen data. 

Ties to HelloKitty 

Kraken, a Russian-speaking gang, is suspected to have emerged from the ashes of the HelloKitty ransomware cartel or to have been established by some of its former members, according to external reports. The title of the Kraken data leak site explicitly mentions the HelloKitty ransomware group name. Additionally, Talos has observed that Kraken and HelloKitty use the same ransom note filename, indicating a possible link between the two groups. 

In September 2025, the Kraken group announced a new underground forum called “The Last Haven Board” in their data leak blog. According to its description, Last Haven’s primary objective is to create an anonymous and secure environment for communication within the cybercrime underground. Talos observed that the Last Haven forum administrator announced support and collaboration from the HelloKitty team and WeaCorp, an exploit buyer organization, suggesting the possible involvement of HelloKitty operators with the Kraken group. 

Infection chain

In August 2025, Cisco Talos Incident Response (Talos IR) observed in one instance that the Kraken ransomware actor gained initial access to the victim’s machine by exploiting an existing vulnerability in the SMB service on servers exposed to the internet. Once they established their foothold on the victim’s machine, they extracted valid administrators’ and other privileged accounts’ credentials. Subsequently, they re-entered the victim environment through a Remote Desktop connection using the exfiltrated privileged account credentials. 

After re-entering the victim machine, the attacker established a persistent connection by installing the Cloudflared tool and configuring a reverse tunnel on the victim’s machine. Additionally, the attacker installed the SSHFS tool on the victim machine, utilizing it to navigate the victim’s environment and exfiltrate sensitive data. The attacker then deployed the Kraken ransomware binary and moved laterally to other machines connected to the infected machine through Remote Desktop Protocol (RDP) connections, using the stolen privileged user accounts to deploy the ransomware binaries. Through this persistent remote connection, the attacker executed commands to run the ransomware on multiple systems within the victim’s environment. 

Kraken ransomware analysis  

Kraken ransomware is a sophisticated ransomware family with variants that target Windows, Linux, and ESXi systems. This ransomware offers extensive command-line options, providing operational flexibility for the actors who utilize Kraken ransomware in their attacks. It has the capability for either full or partial encryption of targeted files, along with features that allow for the encryption of specific files, including SQL databases and network shares. 

To encrypt targeted files, Kraken ransomware employs RSA encryption algorithms with a key length of 4096 bits and ChaCha20 symmetric encryption. Additionally, the ransomware features encryption benchmarking capabilities to assess how quickly it can operate on the victim’s machine without causing system overload, ensuring maximum damage in minimal time while evading detection through resource exhaustion. 

Talos observed that the attacker executed the commands on Windows and ESXi environments to run the encryptor program. The Kraken encryptor is engineered with various command line arguments that the attacker could leverage depending on the victim’s environment. 

Commands for Windows machine: 

Encryptor[.]exe –key  -path  -timeout  -d\targeted>32-byte>

Commands for Linux/ESXi: 

chmod +x ./encryptor[.]elf && ./encryptor[.]elf –path  -d -timeout 

Kraken Windows encryptor  

The Windows version of Kraken ransomware is a 32-bit executable written in C++ and possibly obfuscated using a Golang-based packer. The ransomware exhibits features such as anti-reinfection checks, anti-analysis, and anti-recovery, and it encrypts the targeted files, appending the .zpsc file extension to the encrypted files. 

Initial execution phase 

In the initial phase of execution, Kraken processes the command line parameters and performs the anti-reinfection checks on the victim machine to avoid double-encryption. The actor has employed anti-reinfection checks to effectively manage the decryption keys.

Kraken ransomware disables the WoW64 filesystem redirection on the victim machine by using the function Wow64EnableWow64FsRedirection with the argument “ (False)” to enable the 32-bit binary to access the 64-bit files on Windows machine. 

WoW64 is a compatibility layer on a 64-bit Windows operating system that allows 32-bit applications to run seamlessly. The key feature of WoW64 is file system redirection, which ensures that when a 32-bit application attempts to access the “C:WindowsSystem32” folder, WoW64 redirects it to “C:WindowsSysWoW64”, allowing the 32-bit application to load the correct 32-bit version of system DLLs. 

Kraken ransomware, after disabling the WoW64 redirection, modifies its process token privilege, enabling the debugging rights. This privilege is essential for ransomware to access and encrypt files belonging to other processes. Further, the ransomware encrypts the local drives, network shares, and SQL database files and disables the backup services on the 64-bit Windows operating system. All these operations of the 32-bit ransomware binary would require access to the folder “C:WindowsSystem32”. Disabling the redirection in Wow64 will enable the 32-bit ransomware binary to access the “C:WindowsSystem32” folder on the 64-bit Windows operating system. 

Anti-analysis and anti-recovery techniques 

Kraken ransomware utilizes anti-analysis techniques to evade detection, complicate analysis, and prevent execution in sandbox environments. 

The ransomware employs extensive control flow obfuscation with multiple conditional loops throughout the code, concealing the actual control flow paths and increasing complexity for static analysis and pattern matching for signature generation. 

It also manipulates system exception handlers to prevent Windows error dialogs from appearing by executing SetErrorMode function with the value 0x8003 which is a bitwise OR combination of three Windows error mode flags: 

• SEM_FAILCRITICALERRORS (0x0001) – no critical error handler message box 
• SEM_NOGPFAULTERRORBOX (0x0002) – no general protection fault error box 
• SEM_NOOPENFILEERRORBOX (0x8000) – no open file error box 

It employs a sleep-based execution delay to evade sandbox analysis, stops the backup services, and executes the embedded command to remove all restore points on the victim machine. 

vssadmin delete shadows /all /quite 

It also deletes the recycle bin using the Windows function SHEmptyRecycleBinA.

Encryption performance testing and benchmarking   

Kraken ransomware has the ability to conduct performance testing on the victim’s machine before initiating the actual encryption. An actor can use this feature through command line options such as “-tests,” “-tempfile,” and “-tempsize” to assess the victim machine’s performance and optimize the ransomware encryption process.  

Kraken does this by first creating a temporary test file, using the path and filename specified via the “-tempfile” parameter. It then populates this file with random data, writing in 1MB chunks until the total size defined by the “-tempsize” parameter is reached. To time the core operation, the module records the start time with the clock_gettime function, performs the actual encryption on the test file, and then records the end time. Finally, it calculates the elapsed time and computes the encryption speed for the victim machine, expressed in MB/s, using the formula:  

Speed = ((total bytes / elapsed time) * 1000) / 1048576. 

Based on the throughput results, the function validates if the attacker should choose full encryption mode or partial encryption mode with the maximum file size chunks to encrypt. After the performance testing process, it removes the test file using the function unlink() .  

Parallel encryption operation  

The Kraken Windows encryptor has four encryption modules including SQL database, Network share, Local drive, and Hyper-V encryption. Based on the command-line flags provided by the attacker, the encryptor determines which encryption module to execute.  

The SQL database encryption module encrypts Microsoft SQL server databases. To target database files, the module accesses the Microsoft SQL Server registry keys on the victim machine, specifically querying “HKLMSOFTWAREMicrosoftMicrosoft SQL Server” and its “Instance NamesSQL” subkey to search for the “MSSQLSERVER” and “SQLEXPRESS” instances. Upon locating an instance, it retrieves the “SQLDataRoot” registry value to determine the path to the database files. The module then validates that these paths exist using the PathFileExistsWWindows API before proceeding to encrypt the database files.  

The network share encryption module enumerates and encrypts accessible network shares by using Windows WNet APIs to detect both mapped and unmapped network locations, specifying RESOURCETYPE_DISK and RESOURCETYPE_ANY. During enumeration, it iterates through the discovered network resources but explicitly skips the ADMIN$ and IPC$ shares. For each accessible network shares it finds, the module creates dedicated encryption worker threads to handle the encryption process. 

The local drive encryption module encrypts all locally attached drives by first using the GetLogicalDrives function to enumerate all available drive letters from A to Z. For each letter, it checks the drive type with the GetDriveTypeW function, targeting drives identified as DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_REMOTE while excluding CD-ROM and network-only drives. After constructing the drive path (e.g., “X:”), it creates a dedicated encryption worker thread for each validated drive path. 

The Hyper-V virtual machine encryption module targets virtual machine files by executing a series of embedded PowerShell commands. First, it disables PowerShell restrictions on the victim machine to ensure its commands run. It then discovers the virtual machine files by listing all VMs and extracting their corresponding hard disk file paths. To unlock these files for encryption, the module forcefully stops all running virtual machines. After these prerequisite steps, it creates encryption worker threads to encrypt the located virtual machine files. The PowerShell commands executed by the module: 

powershell -c "Set-ExecutionPolicy bypass" 
powershell -c "get-vm | format-list" 
powershell -c "get-vm | Get-VMHardDiskDrive | ForEach-Object {$_.Path}" 
powershell -c "get-vm | stop-vm -force -turnoff" 

The ransomware excludes the executables (.exe) and dynamic-link library (.dll) files along with the folders “Program Files”, “Program Files (X86)”,  and “ProgramData” from the encryption processes on the victim machine, allowing the victims to still access the system to communicate with the threat actor. 

Kraken Linux/ESXi encryptor 

The Linux or ESXi version of the Kraken ransomware is 64-bit executable written in C++ and compiled using the tool crosstool-NG version 1.26.0.  

In the initial phase of the execution, the Linux executable file version of Kraken ransomware processes the command-line parameters specified by the attacker. 

Platform discovery 

The ransomware runs the platform detection module to discover the type of victim machine by executing the commands mentioned below and adapting the behavior based on the detected platform. 

While targeting the ESXi environments, the ransomware lists any running virtual machines and forcefully attempts to kill them by executing the following commands embedded in the ransomware binary: 

esxcli vm process list 
esxcli vm process kill --type=force --world-id=    

Encryption types  

The ELF version of Kraken ransomware performs the multi-threaded encryption, supporting both “solid – Full encryption” and “setp – partial encryption”. It also employs the encryption performance benchmarking module that an attacker can leverage during the attack to calculate the encryption speed and decide if they want to perform full or partial encryption. The performance benchmarking algorithm is like the Windows version of Kraken ransomware described in the previous section.  

It performs the recursive directory traversal and encrypts the file based on the type of encryption mode specified in the command line parameter by the attacker and appends the .zpsc file extension to the encrypted files.  

Anti-analysis and detection evasion  

The ELF version of Kraken ransomware employs control flow obfuscation with the complex loop structure to hinder the analysis and operates in daemon mode by forking into background process through fork_as_daemon() function and continues to run, performing the encryption in background. It also ignores the signal handlers SIGCHLD (child process termination) and SIGHUP (Terminal hangup).  

The ransomware employs a multi-stage self-deletion and cleanup process to erase traces of its execution, leaving a minimal forensic artefact, after completing the encryption operation. Kraken creates a bash script “_bye_bye_.sh” in the same directory as the ransomware binary. It then builds the script with the commands to delete the log files, shell history, ransomware binary, and the script itself. 

rm -f “/var/logs/*” 
rm -f “/.ash_history” 
rm -f “ransomware binary path” 
rm -f “delete the script _bye_bye_.sh" 

It executes the script using popen function popen(“sh ”<deletion_script_path>””,"r") which runs in a separate shell process, and the parent process can exit before the script finishes its execution which helps to delete itself before the completion of the execution.  

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please  

contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for the threats are: 65480 and 65479. 

ClamAV detections are also available for this threat: 

• Win.Ransomware.Kraken-10056931-0 
• Unix.Ransomware.Kraken-10057031-0 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More