Kyber Ransomware Targets Windows and VMware ESXi Systems
Severity: High (Score: 71.0)
Sources: www.rapid7.com, SOC Prime, BleepingComputer
Summary
The Kyber ransomware group has launched a coordinated attack targeting both Windows file servers and VMware ESXi systems. In March 2026, cybersecurity firm Rapid7 analyzed two variants of the ransomware deployed in the same environment, one for ESXi and the other for Windows. The ESXi variant is capable of encrypting datastore files, terminating virtual machines, and defacing management interfaces, while the Windows variant employs a hybrid encryption scheme involving post-quantum cryptography. Both variants share a common campaign ID and use Tor-based infrastructure for ransom demands.

Rapid7 reported over 900 ransomware incidents in March 2026, highlighting the growing threat landscape. A notable victim identified is a multi-billion-dollar American defense contractor. The ransomware's encryption claims are misleading: the ESXi variant primarily uses ChaCha8 and RSA-4096, while the Windows variant implements the advertised Kyber1024 scheme. Organizations are advised to enhance their defenses against these attacks.

Key Points:
- Kyber ransomware targets both Windows and VMware ESXi systems with dual-platform variants.
- The ESXi variant encrypts datastore files and defaces management interfaces, while the Windows variant uses post-quantum encryption.
- A multi-billion-dollar defense contractor has been identified as a victim of the Kyber ransomware attacks.
Key Entities
- Ransomware (attack_type)
- boomplay.com (domain)
- index.crates.io (domain)
- T1047 - Windows Management Instrumentation (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1486 - Data Encrypted for Impact (mitre_attack)
- T1490 - Inhibit System Recovery (mitre_attack)
- Hyper-V (platform)
- Linux (platform)
- VMware ESXi (platform)
- Windows (platform)
- Kyber (ransomware_group)
- 45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d (sha256)
- 4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29 (sha256)
- 6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc (sha256)
- Bcdedit (tool)
- Esxcli (tool)
- PowerShell (tool)
- Reg (tool)
- Vssadmin (tool)