Full Report
During a March 2026 incident response engagement, Rapid7 recovered two Kyber ransomware payloads deployed in the same environment, one targeting VMware ESXi infrastructure and the other Windows file servers. This provided a rare opportunity to analyze both variants side by side. In the same month, Rapid7 recorded over 900 publicly reported ransomware incidents. The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces. The Windows variant, written in Rust, includes a self-described “experimental” feature for targeting Hyper-V. Despite these differences, both samples share a campaign identifier and Tor-based ransom infrastructure, confirming coordinated cross-platform deployment. Notably, the ransomware’s cryptographic claims are not consistent across variants. The ESXi sample advertises “post-quantum” encryption using Kyber1024, but in practice relies on ChaCha8 with RSA-4096 key wrapping, while the Windows variant does implement the advertised hybrid scheme. As usual, ransom notes prove to be more aspirational than accurate.
Analysis Summary
# Incident Report: Kyber Ransomware Coordinated Cross-Platform Attack
## Executive Summary
In March 2026, a coordinated ransomware attack using two distinct variants of the "Kyber" ransomware targeted an organization's VMware ESXi infrastructure and Windows file servers simultaneously. The attack resulted in the encryption of mission-critical virtualization datastores and core file systems, carried out with ESXi-native tools and Rust-based Windows malware. Rapid7’s intervention confirmed a unified campaign linked by shared Tor infrastructure and a common campaign identifier.
## Incident Details
- **Discovery Date:** March 2026
- **Incident Date:** March 2026
- **Affected Organization:** Not disclosed
- **Sector:** Not disclosed
- **Geography:** Global (targeting enterprise virtualization)
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Likely compromised credentials or exploitation of remote services (SSH/RDP).
- **Details:** Attackers gained access to the environment and deployed two specialized payloads: a 64-bit ELF executable for ESXi and a Rust-based PE executable for Windows.
### Lateral Movement
- **Details:** The threat actors moved from initial entry points to core infrastructure, specifically targeting the `/vmfs/volumes` directory on ESXi hosts and Windows domain file servers.
### Data Exfiltration/Impact
- **Operational Impact:** Large-scale disruption via the encryption of VMFS datastores and Windows file shares.
- **Data Destruction:** Deletion of Windows Shadow Copies and disabling of recovery environments to prevent restoration.
- **Defacement:** The ESXi variant included capabilities to deface management interfaces.
### Detection & Response
- **Discovery:** Detected during active encryption activities in March 2026.
- **Response Actions:** Rapid7 incident responders recovered the payloads for side-by-side analysis, identifying the disconnect between the "post-quantum" marketing claims and actual cryptographic implementation.
## Attack Methodology
- **Initial Access:** Abuse of Remote Services (SSH/RDP).
- **Persistence:** Background execution on ESXi via forking processes and `setsid()` to survive session termination.
- **Defense Evasion:** Clearing Windows Event Logs via `wevtutil`; disabling Windows Recovery Environment and boot failure prompts.
- **Discovery:** Use of `esxcli vm process list` (ESXi) and `Get-VM` via PowerShell (Windows/Hyper-V) to identify targets.
- **Lateral Movement:** SSH for ESXi host interaction.
- **Impact:** Data encryption (ChaCha8/RSA-4096 on ESXi; AES-256-CTR/Kyber1024 on Windows); termination of VMs and database services.
## Impact Assessment
- **Financial:** High (potential ransom demands and recovery costs).
- **Data Breach:** Compromise of enterprise-wide virtual machines and file servers.
- **Operational:** Total operational blackout due to simultaneous loss of virtualization and file services.
- **Reputational:** High risk if data is leaked via the identified Tor leak site.
## Indicators of Compromise
- **File Indicators (SHA-256):**
  - `6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc` (ESXi)
  - `45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d` (Windows)
- **Behavioral Indicators:**
  - File Extension: `.xhsyw` (ESXi) and `.#~~~` (Windows)
  - Mutex: `boomplay[.]com/songs/182988982`
  - Network: Connections to `mlnmlnnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd[.]onion`
- **Ransom Notes:** `readme.txt` and `READ_ME_NOW.txt`
## Response Actions
- **Containment:** Isolation of affected ESXi hosts and Windows servers to prevent further encryption spread.
- **Eradication:** Removal of the Kyber binaries and termination of the backgrounded malicious processes.
- **Recovery:** Restoration of datastores from offline/immutable backups (where not destroyed by `vssadmin` or `esxcli` commands).
## Lessons Learned
- **Sophistication vs. Effectiveness:** Attackers do not need zero-days; abusing native administrative tools (`esxcli`, `vssadmin`) remains highly effective.
- **Aspirational Claims:** Threat actors often lie about cryptographic strength (e.g., claiming Kyber1024 post-quantum encryption on ESXi when actually using ChaCha8) to pressure victims.
- **Cross-Platform Readiness:** Modern ransomware campaigns are increasingly platform-agnostic, requiring unified security monitoring across Linux and Windows.
## Recommendations
- **Harden ESXi Interfaces:** Restrict SSH access to ESXi hosts; use Lockdown Mode and multi-factor authentication.
- **Immutable Backups:** Ensure backups are stored in a segmented environment that cannot be reached via standard administrative credentials.
- **Monitor Native Tools:** Alert on suspicious use of `vssadmin.exe`, `wevtutil.exe`, and `esxcli` commands associated with mass VM termination or log clearing.
- **Endpoint Detection:** Deploy EDR/XDR solutions capable of detecting Rust-based binaries and unusual file-system entropy changes.
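The native-tool abuse listed under Attack Methodology (`vssadmin` shadow deletion, `wevtutil` log clearing, `esxcli` VM enumeration and termination) and the monitoring called for under Recommendations can be checked with a small detector. The block below is an added example, not Rapid7's code or tooling: it runs regex rules over constructed process-creation and ESXi shell-history lines (the `host|command` layout, host names and world ID are assumptions), grades hits by severity so that read-only enumeration such as `vssadmin list shadows` does not alert, and pairs a Shannon-entropy check with the report's two ransom extensions to flag ciphertext-like files.

```python
"""Detection helpers for the native-tool abuse and encryption behaviour the
report describes. Added example, not Rapid7's code; telemetry layout, host
names and the world ID below are constructed for illustration."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not from the report). Windows lines mimic a
# process-creation event exported as "host|command line"; ESXi lines mimic a
# shell-history entry as "host|user: command". The field layout is an assumption.
SAMPLE_EVENTS = [
    "FS01|vssadmin.exe delete shadows /all /quiet",
    "FS01|wevtutil.exe cl Security",
    "FS01|wevtutil.exe cl System",
    "FS02|vssadmin.exe list shadows",           # benign: read-only enumeration
    "FS02|wevtutil.exe qe Application /c:5",    # benign: querying, not clearing
    "ESXI01|root: esxcli vm process list",      # discovery; low confidence alone
    "ESXI01|root: esxcli vm process kill --type=force --world-id=2102345",
    "ESXI02|root: esxcli system version get",   # benign administration
]

# Each rule: (name, severity, compiled pattern). Patterns match the command
# line, not the image path, so "vssadmin list" and "wevtutil qe" do not fire.
RULES = [
    ("vssadmin shadow copy deletion", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wevtutil event log clearing", "high",
     re.compile(r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b", re.I)),
    ("esxcli forced VM termination", "high",
     re.compile(r"\besxcli\b\s+vm\s+process\s+kill\b", re.I)),
    ("esxcli VM process enumeration", "low",
     re.compile(r"\besxcli\b\s+vm\s+process\s+list\b", re.I)),
]


def scan_events(events):
    """Return one (host, rule_name, severity, command) tuple per rule match."""
    hits = []
    for line in events:
        host, _, command = line.partition("|")
        for name, severity, pattern in RULES:
            if pattern.search(command):
                hits.append((host, name, severity, command))
    return hits


def hosts_by_severity(hits, minimum="high"):
    """Group matched rule names per host, keeping hits at or above `minimum`."""
    rank = {"low": 0, "high": 1}
    grouped = defaultdict(set)
    for host, name, severity, _ in hits:
        if rank[severity] >= rank[minimum]:
            grouped[host].add(name)
    return {host: sorted(names) for host, names in grouped.items()}


def shannon_entropy(data):
    """Bits per byte: plaintext is usually well under 6, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Extensions the report attributes to the ESXi and Windows variants.
RANSOM_EXTENSIONS = (".xhsyw", ".#~~~")


def looks_encrypted(filename, data, threshold=7.5):
    """Flag a file by the report's extensions or by ciphertext-like entropy."""
    by_name = filename.lower().endswith(RANSOM_EXTENSIONS)
    return by_name or shannon_entropy(data) >= threshold


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for host, name, severity, command in hits:
        print(f"[{severity:4}] {host}: {name} <- {command}")
    print("hosts needing triage:", hosts_by_severity(hits))
    # Constructed file contents: repetitive text vs. a byte sequence in which
    # every value occurs equally often (a deterministic stand-in for ciphertext).
    plaintext = b"quarterly budget figures, see attached spreadsheet\n" * 40
    cipherlike = bytes(range(256)) * 16
    print("report.docx       ->", looks_encrypted("report.docx", plaintext))
    print("report.docx.xhsyw ->", looks_encrypted("report.docx.xhsyw", plaintext))
    print("unknown.bin       ->", looks_encrypted("unknown.bin", cipherlike))
```

Two design choices matter here. The rules key on the command line rather than the binary, because `vssadmin.exe` and `wevtutil.exe` run constantly for legitimate reasons and only the destructive verbs (`delete shadows`, `cl`) are worth a high-severity alert; `esxcli vm process list` is kept as a low-severity signal so it still shows up in triage once the same host produces a `kill`. The entropy check is combined with the extension match because an encryptor may write ciphertext before renaming, and a high-entropy write burst on a file server is detectable even when the extension has not yet appeared; legitimately compressed or already-encrypted formats will also score near 8, so the threshold is a triage hint, not a verdict.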