The mental image most people carry of a ransomware attack involves chaos. Screens going dark, files disappearing, a ransom note appearing where your desktop used to be. That image is becoming outdated. A newly exposed ransomware campaign called Kraken is operating with a level of patience and calculation that should fundamentally change how you think about this threat.
Cisco Talos researchers just published findings that reveal a behavior the cybersecurity community hasn’t quite seen before. Before Kraken encrypts a single file that matters, it runs a secret performance benchmark on your system to figure out exactly how hard it can hit you without getting caught.
The Burglar Who Times Himself First
The best way to understand what Kraken does is to picture a burglar who doesn’t just walk into your office and start grabbing things. Instead, he walks in quietly, finds a filing cabinet, empties it as fast as he can, checks his watch, puts everything back, and leaves. No one noticed. Nothing is missing. But now he knows exactly how fast he can work in your specific building before someone is likely to hear him.
That’s the Kraken benchmark process translated into plain language.
When Kraken infects a machine, the first thing it does is create a random junk file, encrypt it as quickly as possible, record how long that took, and then delete the evidence. The whole process leaves no file evidence of what just happened. But the attacker now has a precise measurement of your system’s encryption speed and capacity.
What happens next depends entirely on what that benchmark reveals.
If your system is fast and powerful, Kraken escalates to a full encryption attack, locking down as much data as possible before anyone can respond. If your system is slower, the malware shifts to partial encryption, corrupting files just enough to make them unusable while keeping CPU usage low enough that nothing triggers an alert. The destruction gets personalized based on the data the malware collected from your own infrastructure.
Why Staying Hidden Is the Whole Strategy
Older ransomware strains had a visibility problem from the attacker’s perspective. The moment they started encrypting files aggressively, CPU usage spiked, cooling fans ran at maximum speed, system performance degraded noticeably, and endpoint security tools started firing alerts. The attack announced itself, which gave defenders a window to respond, isolate affected systems, and potentially limit the damage.
Kraken’s benchmark approach closes that window deliberately.
By calibrating the encryption intensity to what your system can handle without triggering performance alerts, the malware extends its operational window significantly. Partial encryption places far less strain on processing power and storage than full encryption. That means the attack can unfold over a longer period, potentially spreading to additional systems across your network before anyone realizes something is wrong.
The files that get partially encrypted present their own recovery challenge. They’re not obviously destroyed in the way that fully encrypted files are. They’re corrupted just enough to be unusable, which can create confusion about the actual scope of the incident. Determining which files are affected, which are intact, and which fall somewhere in between complicates the recovery process considerably.
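One way to sort files into intact, partially encrypted, and fully encrypted during recovery is to sample entropy chunk by chunk. This is an added example, not code from Cisco Talos or from the original article; it assumes encrypted regions appear as high-entropy chunks, and the threshold, chunk size, and sample buffers are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096          # bytes per sampled block (assumed value)
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext sits close to 8.0 (assumed cut-off)

def chunk_entropy(block):
    """Shannon entropy of a byte block in bits per byte."""
    counts = Counter(block)
    total = len(block)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def classify(data):
    """Label a file's bytes as 'intact', 'partial' or 'full' by how many
    chunks look like ciphertext. Returns (label, high_chunks, chunks)."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    chunks = [c for c in chunks if len(c) >= 256]   # skip a tiny tail chunk
    high = sum(1 for c in chunks if chunk_entropy(c) >= HIGH_ENTROPY)
    if not chunks or high == 0:
        label = "intact"
    elif high == len(chunks):
        label = "full"
    else:
        label = "partial"
    return label, high, len(chunks)

def pseudo_random(n):
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

# Constructed inputs: plain text, the same text with every other chunk
# overwritten, and a fully overwritten buffer.
PLAIN = (b"Quarterly figures for the finance team. " * 1000)[:8 * CHUNK]
PARTIAL = b"".join(
    pseudo_random(CHUNK) if i % 2 == 0 else PLAIN[i * CHUNK:(i + 1) * CHUNK]
    for i in range(8))
FULL = pseudo_random(8 * CHUNK)

# Caveat: compressed and media formats (zip, jpg, mp4) are high-entropy by
# design, so compare results against file type or a known-good backup copy.
if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("partial", PARTIAL), ("full", FULL)):
        print(name, classify(buf))
```
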
The sophistication here isn’t accidental. Attackers have learned that the most successful ransomware campaigns are the ones that give defenders the least time and information to work with. Kraken’s benchmark system is purpose-built to maximize that advantage.
This Is Not Just an Enterprise Problem
It’s worth addressing directly the assumption that attacks this sophisticated are aimed only at large corporations with complex infrastructure and high-value data. That assumption has always been partially wrong, and with Kraken, it’s more wrong than ever.
The benchmark approach actually makes smaller businesses more attractive targets in certain respects. Smaller organizations typically have less mature endpoint detection, fewer security staff monitoring alerts, and simpler network environments that are easier to move through once an initial foothold is established. The benchmark helps attackers calibrate their approach for whatever system they’ve landed on, which means the technique is as effective against a twenty-person company as it is against a twenty-thousand-person enterprise.
If your current security posture relies primarily on noticing unusual system behavior, Kraken is specifically engineered to defeat that approach. The behavioral signals that would normally give away an attacker’s presence have been deliberately suppressed through the benchmarking process.
Building Defenses That Account for This
Staying ahead of a threat this calculated requires moving beyond reactive detection toward proactive architecture that limits what attackers can do even after they’ve gained initial access.
Deploy behavioral detection that watches for benchmark activity specifically. Modern next-generation endpoint tools are built to flag the kind of sudden encryption burst that Kraken’s benchmark creates, even on a junk file that gets deleted immediately afterward. The benchmark leaves a behavioral footprint even when it leaves no file evidence. Make sure your endpoint protection is configured to look for it.
Restrict local administrator privileges aggressively. Kraken needs elevated privileges to run its benchmark cleanly and execute its encryption payload effectively. Employees who don’t need administrator access for their daily work shouldn’t have it. Limiting privilege reduces the blast radius of any initial compromise and forces attackers to take additional steps that create additional detection opportunities.
Treat patching as a time-sensitive operational priority, not a maintenance task. Ransomware campaigns consistently exploit known vulnerabilities that patches have already addressed. The window between a patch becoming available and an attacker exploiting the unpatched vulnerability is shrinking. Organizations that treat patching as something to get around to are actually making a decision about acceptable risk, often without realizing it.
Segment your network so one compromised device cannot become a network-wide incident. If Kraken lands on a single workstation in a properly segmented environment, its ability to spread laterally to servers, backup systems, and other endpoints is constrained. Segmentation doesn’t prevent the initial infection, but it contains the consequences in ways that make recovery dramatically more manageable.
Maintain offline, immutable backups that ransomware cannot reach. This is the single most important recovery capability any organization can have. Backups that are connected to the network are potentially reachable by ransomware. Backups that are offline and immutable cannot be encrypted or deleted by malware operating on network-connected systems. The ability to restore from clean backups transforms a ransomware incident from an existential crisis into a serious but survivable operational problem.
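The benchmark footprint described in the first recommendation above (a file created, written in a burst, and deleted moments later by the same process) can be expressed as a simple rule over file-event telemetry. This is an added example, not code from the original article or from any endpoint product; the event layout, thresholds, and sample records are constructed assumptions that would need tuning against real telemetry, since installers and build tools also create short-lived files.

```python
# Constructed sample telemetry: (seconds, pid, operation, path, bytes).
# The field layout is an assumption, not any specific EDR's schema.
SAMPLE_EVENTS = [
    (100.0, 4120, "CREATE", r"C:\Users\a\AppData\Local\Temp\k3f9.tmp", 0),
    (100.1, 4120, "WRITE",  r"C:\Users\a\AppData\Local\Temp\k3f9.tmp", 64_000_000),
    (100.9, 4120, "WRITE",  r"C:\Users\a\AppData\Local\Temp\k3f9.tmp", 64_000_000),
    (101.2, 4120, "DELETE", r"C:\Users\a\AppData\Local\Temp\k3f9.tmp", 0),
    (200.0, 5500, "CREATE", r"C:\Users\a\Documents\report.docx", 0),
    (200.2, 5500, "WRITE",  r"C:\Users\a\Documents\report.docx", 48_000),
    (300.0, 6001, "CREATE", r"C:\Temp\setup.log", 0),
    (300.5, 6001, "WRITE",  r"C:\Temp\setup.log", 2_000),
    (301.0, 6001, "DELETE", r"C:\Temp\setup.log", 0),
]

def find_benchmark_bursts(events, max_lifetime=5.0, min_bytes=32_000_000):
    """Return (pid, path, lifetime, bytes_written) for every file that one
    process created, wrote heavily to, and deleted within max_lifetime
    seconds. Thresholds are illustrative defaults."""
    open_files = {}   # (pid, path) -> [create_time, bytes_written]
    hits = []
    for ts, pid, op, path, nbytes in sorted(events):
        key = (pid, path)
        if op == "CREATE":
            open_files[key] = [ts, 0]
        elif op == "WRITE" and key in open_files:
            open_files[key][1] += nbytes
        elif op == "DELETE" and key in open_files:
            created, written = open_files.pop(key)
            lifetime = ts - created
            # Short-lived AND write-heavy: the small, short-lived log file
            # from pid 6001 passes the lifetime test but not the volume test.
            if lifetime <= max_lifetime and written >= min_bytes:
                hits.append((pid, path, round(lifetime, 2), written))
    return hits

if __name__ == "__main__":
    for hit in find_benchmark_bursts(SAMPLE_EVENTS):
        print("possible encryption benchmark:", hit)
```
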
The Shift in How Ransomware Operates
Kraken represents something worth paying attention to beyond the specific technical details of this particular campaign. It reflects a broader maturation in how ransomware groups approach their operations.
The noisy, chaotic ransomware attacks of earlier years were effective but inefficient. They triggered responses quickly, which sometimes allowed defenders to limit damage. They burned through the attacker’s access before maximum value could be extracted. They were blunt instruments.
What’s emerging now is more deliberate. Attackers are investing in reconnaissance, calibration, and stealth. They’re making data-driven decisions about how to maximize damage while minimizing detection probability. The benchmark approach Kraken uses is a logical extension of that evolution, bringing the same analytical thinking to encryption strategy that sophisticated attackers have long applied to initial access and lateral movement.
This trajectory points toward ransomware that gets progressively harder to detect through conventional behavioral monitoring. The defenses that work against today’s threats need to be in place before tomorrow’s variants arrive, because the window to implement them after an infection is essentially zero.
Your Network Is Being Measured
The Kraken campaign makes something uncomfortably explicit that has always been true in a general sense. When a sophisticated attacker gains access to your environment, they are gathering information and making decisions. Your systems are being evaluated. The results of that evaluation shape what happens next.
The only position that’s genuinely safe is one where attackers never get the chance to run that evaluation. Layered defenses, restricted privileges, behavioral monitoring, network segmentation, and immutable backups work together to either prevent initial access or limit what an attacker can accomplish after achieving it.
Ransomware is no longer announcing itself with fireworks. It’s arriving quietly, taking careful measurements, and making calculated decisions about how hard to hit you. The response to that reality isn’t panic. It’s preparation, and the time to prepare is before the benchmark runs.