VYPR · breach · Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

Kyber Ransomware Targets Both Windows and VMware ESXi in Coordinated Cross-Platform Attacks

Rapid7 has analyzed Kyber ransomware, a new cross-platform family that simultaneously encrypts VMware ESXi datastores and Windows systems using distinct cryptographic implementations.

Rapid7 has published a detailed technical analysis of Kyber ransomware, a new cross-platform threat family that simultaneously targets both VMware ESXi hypervisors and Windows systems. During a March 2026 incident response engagement, Rapid7 recovered two distinct Kyber payloads deployed in the same environment, providing a rare side-by-side view of the malware's dual-platform capabilities. The discovery comes as Rapid7 recorded over 900 ransomware incidents publicly reported in March 2026 alone, underscoring the escalating threat landscape.

The ESXi variant, written in C++ and statically linked against OpenSSL 1.0.1e-fips, is specifically designed to encrypt VMware datastores located at /vmfs/volumes. It uses the ChaCha8 stream cipher with RSA-4096 key wrapping for encryption, despite its ransom note claiming a post-quantum hybrid scheme involving Kyber1024. The malware can optionally enumerate and terminate running virtual machines using the native esxcli command, with a whitelist feature to skip specified VMs. It also implements a detach flag that forks the process and calls setsid() so that encryption continues in the background after the SSH session ends.

The Windows variant, written in Rust and compiled with MSVC 19.36, implements the advertised hybrid encryption scheme using AES-256-CTR combined with Kyber1024 and X25519 for key exchange. It includes an experimental feature for targeting Hyper-V virtual machines via PowerShell's Get-VM cmdlet. The Windows variant also executes 11 anti-recovery commands, including vssadmin delete shadows and bcdedit to disable boot recovery options, significantly complicating restoration efforts.

Despite their different implementations, both variants share a common campaign ID (5176REDACTED) and Tor-based infrastructure, including a negotiation portal and a leak site. This confirms that the attacks are coordinated operations rather than independent incidents. The shared infrastructure allows the threat actors to manage ransom negotiations and data leaks from a single command-and-control framework.

Rapid7's analysis highlights several notable technical details. The ESXi variant's use of fork/execlp instead of system() for executing commands suggests the developer is familiar with low-level system programming: this approach bypasses the shell entirely and avoids issues with special characters in VM names. Passing type=soft to the VM termination command requests a graceful shutdown rather than a forced kill, potentially allowing the malware to avoid triggering immediate alarms.
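As an added illustration (not part of Rapid7's analysis or the Vypr summary), the following Python script shows how a defender might flag the behaviours described above in process-execution telemetry: the type=soft VM kill on ESXi, and the shadow-copy deletion and bcdedit boot-recovery changes on Windows. It also correlates hits across platforms, reflecting the observation that both payloads were deployed in the same environment. All events, host names and the world ID are constructed; the bcdedit option names (recoveryenabled, bootstatuspolicy) are common ones assumed here, since the page names bcdedit but not its arguments. Because the ESXi payload is described as bypassing the shell via fork/execlp, a detection keyed to shell history alone could miss it, so this example assumes per-process command lines are collected on both platforms.

```python
"""Flag the anti-recovery and VM-shutdown commands described on the page in
process-execution telemetry. Added example; the events below are constructed,
not taken from the Rapid7 analysis."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    platform: str  # "esxi" or "windows"
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    platform: str
    rule: str
    cmdline: str


# One rule per behaviour named on the page. Each rule applies only to the
# platform the page attributes it to, so an ESXi pattern is never tested
# against Windows telemetry and vice versa.
RULES = [
    # ESXi variant: esxcli VM kill with type=soft (graceful shutdown request).
    ("esxi", "vm_soft_kill",
     re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*?(?:--type[= ]|-t\s+)soft\b", re.I)),
    # Windows variant: shadow-copy deletion.
    ("windows", "shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # Windows variant: bcdedit disabling boot recovery. The page names bcdedit
    # only; the option names here are an assumption of this example.
    ("windows", "boot_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for platform, rule, pattern in RULES:
            if ev.platform == platform and pattern.search(ev.cmdline):
                findings.append(Finding(ev.host, ev.platform, rule, ev.cmdline))
    return findings


def is_cross_platform(findings: List[Finding]) -> bool:
    """True when one batch contains hits on both ESXi and Windows hosts, the
    dual-platform pattern the page describes."""
    return {f.platform for f in findings} >= {"esxi", "windows"}


# Constructed sample telemetry: host names and the world ID are made up.
SAMPLE_EVENTS = [
    ProcessEvent("esx01.lab.example", "esxi", "esxcli storage filesystem list"),
    ProcessEvent("esx01.lab.example", "esxi", "esxcli vm process kill --type=soft --world-id=2100432"),
    ProcessEvent("fs01.lab.example", "windows", "powershell.exe Get-VM"),
    ProcessEvent("fs01.lab.example", "windows", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("fs01.lab.example", "windows", "bcdedit.exe /set {default} recoveryenabled No"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.rule}] {h.host}: {h.cmdline}")
    if is_cross_platform(hits):
        print("ALERT: VM shutdown and anti-recovery activity seen on both ESXi and Windows hosts")
```

The benign lines (a datastore listing and a plain Get-VM) are included to show the rules do not fire on routine administration; in production the cross-platform check would be bounded by a time window and tied to host inventory rather than a single in-memory batch.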

The emergence of Kyber ransomware represents a significant threat to organizations relying on virtualized infrastructure. Its ability to simultaneously encrypt both ESXi datastores and Windows file servers can cause complete operational blackouts, as critical virtual machines and their underlying storage are both compromised. The cross-platform approach also complicates incident response, as recovery requires addressing both Linux/ESXi and Windows environments simultaneously.

Organizations should prioritize securing their VMware ESXi management interfaces, implementing strict access controls, and maintaining offline backups of both virtual machine images and critical Windows data. The use of different cryptographic implementations across variants also means that decryption tools developed for one platform may not work on the other, further complicating recovery efforts.

Synthesized by Vypr AI