Breach Monitoring News Feed
Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.
Kraken leak blog (hellokitty)
Kraken is a ransomware family first observed in August 2018 as a Ransomware-as-a-Service (RaaS) operation promoted on underground forums. The malware encrypts files with AES (keys protected with RSA) and appends the .kraken extension to encrypted files. Early versions distributed by affiliates were bundled with Azorult spyware, enabling credential and cryptocurrency wallet theft before encryption. Kraken’s operators enforced strict rules for affiliates, including geographic restrictions on attacks, and provided customizable ransom notes and payment portals. Victims were instructed to pay in Bitcoin via Tor-hosted sites. Distribution methods included malicious email attachments, compromised RDP services, and downloads from malicious or compromised websites. Although its activity declined significantly after late 2018, Kraken remains notable for its hybrid model of ransomware deployment combined with credential theft.
Kuiper is a relatively new ransomware strain first analyzed in April 2023, notable for being written in Rust and designed to target multiple platforms, including Windows, Linux, and ESXi environments. The ransomware encrypts files with ChaCha20 symmetric encryption, securing keys with Curve25519, and appends the .kuiper extension to affected files. Kuiper operates under a double-extortion model, exfiltrating data before encryption and threatening to leak it on a Tor-hosted site if the ransom is not paid. Initial infection vectors are not widely documented, but analysis suggests potential use of compromised credentials, phishing, or exploitation of exposed services. The ransomware contains evasion techniques such as process termination, shadow copy deletion, and targeting of backup files to hinder recovery. Public reporting on Kuiper remains limited, indicating it may be in an early operational stage or used by a small number of actors.
Lapsus$ is a cyber extortion group first observed in late 2021, known for high-profile breaches and data theft campaigns against major global companies rather than traditional ransomware encryption. The group primarily focuses on data exfiltration and public leak threats without encrypting victim systems. Lapsus$ uses a combination of social engineering, SIM swapping, MFA fatigue attacks, and purchasing access from insiders or access brokers to infiltrate corporate networks. Their victim list includes Microsoft, Okta, NVIDIA, Samsung, Uber, and telecom operators, with operations targeting multiple regions worldwide. Once inside, Lapsus$ actors exfiltrate source code, proprietary data, and customer information, often leaking samples to pressure victims into negotiation. The group is known for a brash and public-facing style, communicating directly with followers on Telegram channels and occasionally mocking victims. Several members, including minors, have been arrested in the UK, but the group’s activities have persisted in some form.
Affiliates: @Mr.C @Empathy @jayze @Widow @Memory