Kyber Ransomware Analysis: VMware ESXi and Windows File Servers

Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers. https://lnkd.in/ghAZKpuX

A new ransomware operation called Kyber is attacking Windows servers and VMware ESXi virtualisation systems — the software that runs multiple servers inside one physical machine. One variant claims to use post-quantum encryption (a new standard designed to resist future supercomputer attacks), though researchers found the claim is partly false. The only confirmed victim so far is a multi-billion-dollar American defence contractor. Both variants are designed to destroy every recovery path: deleting backups, wiping shadow copies (Windows automatic restore points), and disabling repair tools before demanding payment. 💀 #CyberNewsLive https://lnkd.in/gx2ydVRj

Kyber Ransomware Experiments with Post‑Quantum Encryption Overview A new Kyber ransomware campaign is targeting both Windows systems and VMware ESXi endpoints, with one variant experimenting with Kyber1024 post‑quantum encryption. Rapid7’s analysis in March 2026 revealed two distinct variants deployed simultaneously on the same victim network, suggesting the operator aimed to maximize impact by encrypting all servers at once. Key Highlights Targets: ESXi Variant…...

Kyber ransomware gang toys with post-quantum encryption on Windows. Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers. https://lnkd.in/duASandA

Kyber ransomware now targets both Windows and ESXi, raising the risk of full operational shutdowns. Analysis found shared attacker infrastructure, while the ESXi sample overstates its post-quantum encryption claims. https://lnkd.in/eV3mBjUW

A new #Kyber #ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption. #Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware #ESXi and the other focusing on Windows file servers. "The ESXi variant is specifically built for #VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains #Rapid7. "The Windows variant, written in Rust, includes a self-described "experimental" feature for targeting Hyper-V." #news #BleepingComputer #InfoSec #InformationSecurity #PostQuantumCryptography https://lnkd.in/gs7f4m7Q

Kyber ransomware targets both VMware ESXi datastores and Windows file systems with shared Tor infrastructure, advanced encryption, and destructive anti-recovery features. Dual-platform threat evolves fast. #KyberRansomware #VMwareESXi #DataEncryption ➡️ https://ift.tt/RAK9FMh

A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption. Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers. "The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains Rapid7. https://lnkd.in/etv7-ePp #staycurious #stayinformed #noble1 #tomshaw TOM SHAW

Long lived, static credentials, that aren't in a TPM/HSM... shouldn't exist. There shouldn't be a reason for Hashicorp Vault to keep existing. APIs shouldn't be doing this anymore. Axios postmortem: https://lnkd.in/gKBMhBau / https://lnkd.in/gh8wtaRM (TL;DR; someone cloned an entire company, started a call, and a pop-up looked like their client software was out of date, installing a RAT on the machine) (Have you set up a YubiKey SSH key?) #CyberSecurity #BlueTeam #SupplyChain #SLSA

Kyber ransomware is now attacking two systems at once — the virtualisation infrastructure that runs entire company networks, and the Windows file servers holding business data. The attack is engineered for total operational shutdown: virtual machines are killed, datastores encrypted, and every backup and recovery option wiped before ransom demands appear. One in three ransomware attacks now involves a SonicWall device as the entry point. The payroll systems, medical records, and financial data your employer holds are increasingly running on exactly the infrastructure Kyber is designed to destroy completely. 💀 #CyberNewsLive https://lnkd.in/etF28bAA