SOC Prime Bias: High

22 Apr 2026 18:52

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Kyber is a cross-platform ransomware threat designed to encrypt data across both VMware ESXi systems and Windows file servers. The operators rely on native utilities such as esxcli, PowerShell, and vssadmin to shut down virtual machines, remove shadow copies, and distribute ransom notes across impacted environments. In March 2026, researchers recovered two related samples: an ELF binary targeting ESXi and a Rust-based PE file built for Windows. Both variants were linked through shared Tor-based infrastructure and a common campaign identifier.

Investigation

Rapid7 obtained both the ESXi and Windows payloads and conducted static analysis to better understand their behavior. The research showed that the malware uses custom encryption routines built around ChaCha8 with RSA-4096 key wrapping, while the Windows version also incorporates a hybrid Kyber1024 and AES-CTR encryption scheme. Investigators documented the targeted file extensions, ransom note placement, service termination behavior, and a distinctive mutex tied to a Boomplay URL.

Mitigation

Recommended defenses include hardening ESXi access by disabling SSH where possible and enforcing multi-factor authentication, while also restricting access to native utilities such as vssadmin, wmic, and reg. Organizations should secure backups through immutability and monitor closely for changes to VMware management files as well as the appearance of the .#~~~ file extension. Additional detections should focus on the identified mutex and the specific ransom note filenames associated with the campaign.

Response

If Kyber activity is detected, isolate the affected system immediately, preserve the malware samples, and begin recovery using immutable backups. Security teams should block access to the Tor hidden services tied to the campaign ID, remove the mutex, and delete any ransom note files dropped by the malware. A full forensic review should then examine service termination events, registry changes, and related system activity before rebuilding affected virtual machines or hosts from clean images.

Attack Flow

    graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef operator fill:#ff9900

    %% Nodes – Actions
    action_initial_access["<b>Action</b> – <b>T1021.004 Remote Services: SSH</b><br/>Adversary gains initial access by SSH into ESXi hosts."]
    class action_initial_access action
    action_defacement["<b>Action</b> – <b>T1564.012 Hide Artifacts: File Path Exclusions</b><br/>Replace /etc/motd and VMware web UI pages with a ransom note."]
    class action_defacement action
    action_vm_enum["<b>Action</b> – <b>T1059.004 Unix Shell</b><br/>Use esxcli to enumerate virtual machines and softly terminate them."]
    class action_vm_enum action
    action_encryption["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/>Encrypt datastore files using ChaCha8 on Linux or AES-CTR with Kyber1024 on Windows."]
    class action_encryption action
    action_anti_recovery["<b>Action</b> – Multiple Techniques<br/>Stop backup services (T1489 Service Stop), delete VSS snapshots (T1485 Data Destruction), disable recovery environment (T1490 Inhibit System Recovery), impair defenses (T1562)."]
    class action_anti_recovery action
    action_cleanup["<b>Action</b> – <b>T1070.001 Indicator Removal: Clear Windows Event Logs</b><br/>Delete Windows event logs and remove execution artifacts."]
    class action_cleanup action

    %% Nodes – Tools
    tool_ssh["<b>Tool</b> – <b>Name</b>: SSH<br/><b>Description</b>: Secure shell protocol for remote command execution."]
    class tool_ssh tool
    tool_esxcli["<b>Tool</b> – <b>Name</b>: esxcli<br/><b>Description</b>: ESXi command-line utility for host and VM management."]
    class tool_esxcli tool
    tool_encryptor["<b>Tool</b> – <b>Name</b>: Custom Encryptor<br/><b>Description</b>: Implements ChaCha8 and AES-CTR with Kyber1024 to encrypt files."]
    class tool_encryptor tool

    %% Flow Connections
    action_initial_access -->|uses| tool_ssh
    action_initial_access -->|leads_to| action_defacement
    action_defacement -->|uses| tool_ssh
    action_defacement -->|leads_to| action_vm_enum
    action_vm_enum -->|uses| tool_esxcli
    action_vm_enum -->|leads_to| action_encryption
    action_encryption -->|uses| tool_encryptor
    action_encryption -->|leads_to| action_anti_recovery
    action_anti_recovery -->|leads_to| action_cleanup

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The simulated attacker has obtained local administrator rights on the compromised host and wishes to prevent system recovery after encrypting files. Following Kyber ransomware behavior, the attacker first enumerates all existing Volume Shadow Copies via WMI and deletes each one using a PowerShell one‑liner. As a fallback (or to ensure completeness), the attacker also runs vssadmin.exe Delete Shadows /all /quiet. Both commands generate a CommandLine field that matches the Sigma rule exactly, causing an alert.

  • Regression Test Script:

    # ----------------------------------------------
    # Kyber-style anti-recovery simulation
    # Requires an elevated (local administrator) Windows PowerShell session;
    # both commands below destroy the host's existing Volume Shadow Copies.
    # ----------------------------------------------

    # 1. PowerShell VSS deletion (exact match).
    #    The child powershell.exe command line is what the Sigma rule inspects, so the
    #    script block is passed as one literal (single-quoted) argument. Routing the
    #    string through Invoke-Expression would expand $_ to nothing and break the block.
    Write-Host "Executing PowerShell VSS deletion..."
    & powershell -ep bypass -nop -c 'Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object { $_.Delete() }'

    # 2. vssadmin deletion (exact match).
    #    Invoke the binary with its arguments as separate tokens; applying & to a single
    #    string holding the whole command line fails with "term is not recognized".
    Write-Host "Executing vssadmin deletion..."
    & vssadmin.exe Delete Shadows /all /quiet

    Write-Host "Simulation complete."
  • Cleanup Commands:

    # No persistent artifacts created by this script.
    # Reset PowerShell execution policy to its original state if modified:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Restricted -Force
    Write-Host "Cleanup finished."
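The detection side of the simulation above, as a stand-alone added example (not SOC Prime's rule or any vendor code): it tags process command lines that delete shadow copies in the two ways the regression script does, and file paths carrying the .#~~~ extension named under Mitigation, then runs both checks over a few constructed events. The event shape, host names and paths are assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Command-line patterns for the two anti-recovery commands in the simulation script:
# vssadmin shadow deletion and WMI Win32_ShadowCopy deletion launched via PowerShell.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.IGNORECASE)
WMI_SHADOW_DELETE = re.compile(r"win32_shadowcopy.*\.delete\(\)", re.IGNORECASE)
# Encrypted-file extension named in the Mitigation section.
KYBER_EXTENSION = ".#~~~"

def classify_process_event(cmdline: str) -> Optional[str]:
    """Tag a process command line that deletes Volume Shadow Copies, else None."""
    if VSSADMIN_DELETE.search(cmdline):
        return "vss_delete_vssadmin"
    if WMI_SHADOW_DELETE.search(cmdline):
        return "vss_delete_wmi"
    return None

def classify_file_event(path: str) -> Optional[str]:
    """Tag a file path carrying the Kyber extension, else None."""
    return "kyber_extension" if path.endswith(KYBER_EXTENSION) else None

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, tag) pairs for events that fire either check.

    Event shape is an assumed, simplified stand-in for a Sysmon/4688-style
    record: 'type' ('process' or 'file'), 'host', and 'cmdline' or 'path'.
    """
    hits = []
    for ev in events:
        if ev["type"] == "process":
            tag = classify_process_event(ev["cmdline"])
        else:
            tag = classify_file_event(ev["path"])
        if tag is not None:
            hits.append((ev["host"], tag))
    return hits

# Constructed sample telemetry (not real data); the first two command lines are
# the ones the regression test script above produces.
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "cmdline": 'powershell -ep bypass -nop -c '
     '"Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"type": "process", "host": "fs01", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"type": "process", "host": "fs02", "cmdline": "vssadmin.exe List Shadows"},  # benign
    {"type": "file", "host": "fs01", "path": r"C:\Shares\finance\Q1.xlsx.#~~~"},
    {"type": "file", "host": "fs02", "path": r"C:\Shares\finance\Q1.xlsx"},
]
```

Only the destructive vssadmin invocation and the WMI deletion fire; the read-only List Shadows query and the unencrypted file do not, which is the distinction the rule needs to keep noise down on file servers where admins legitimately inspect shadow copies.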