CIO Briefings · High Impact · Action Required

Kyber Ransomware Targets Enterprise Windows Servers and VMware ESXi in Coordinated Dual-Platform Attacks

A new ransomware operation named Kyber has been analysed by Rapid7 following an enterprise incident response engagement. The group deploys two simultaneous variants — one targeting Windows file servers, one targeting VMware ESXi — using the same campaign infrastructure. The ESXi variant terminates virtual machines and defaces the management interface; the Windows variant implements genuine post-quantum key encapsulation and includes experimental Hyper-V targeting.

What Happened

A new ransomware operation called Kyber has emerged, deploying simultaneous attack variants against Windows servers and VMware ESXi hypervisors in the same enterprise networks. Rapid7’s incident response team first encountered and analysed both variants following an enterprise compromise in March 2026.

The operation’s defining characteristic is its dual-platform approach: a single affiliate deploys both the Windows and ESXi encryptors simultaneously using shared campaign infrastructure. This prevents victim organisations from using one infrastructure layer to recover the other — if both Windows file servers and the ESXi hypervisors hosting virtual servers are encrypted at the same time, recovery options narrow significantly.

The ESXi variant terminates running virtual machines before encrypting datastores and defaces the ESXi management web interface with a ransom note, slowing administrators’ ability to assess and respond to the attack. The Windows variant, written in Rust, implements Kyber1024 post-quantum key encapsulation — the first ransomware variant with confirmed genuine post-quantum key protection — alongside experimental Hyper-V targeting capability.

Business Impact

Dual-platform ransomware targeting both Windows servers and VMware ESXi in simultaneous attacks maximises the blast radius of a single affiliate operation:

  • VMware ESXi compromise disables all hosted VMs simultaneously: Encrypting VMware datastores takes all virtual machines running on the affected host offline at once, making the per-VM blast radius of the ESXi attack far larger than an equivalent Windows-only campaign
  • Hyper-V targeting extends risk to Microsoft virtualisation environments: Organisations that have moved from VMware to Hyper-V following Broadcom’s pricing changes face the same hypervisor-layer risk from the Windows variant’s experimental Hyper-V module
  • Post-quantum key encapsulation eliminates “wait for quantum decryption” recovery option: Organisations that historically retained encrypted backup copies in the hope of future quantum-assisted key recovery cannot apply that strategy to Windows files encrypted by Kyber’s Kyber1024 implementation
  • Simultaneous multi-layer encryption delays recovery: When Windows file servers and ESXi hosts are encrypted in the same attack window, recovery from backup requires rebuilding both layers simultaneously, extending recovery time objectives

Board-Ready Summary

A new ransomware group has developed the capability to encrypt your Windows file servers and your VMware virtual infrastructure at the same time, in the same attack. If both layers are hit simultaneously, your recovery timeline roughly doubles compared to a single-platform attack. This group has already been confirmed in real enterprise incidents. Hypervisor infrastructure security controls — particularly backup isolation and management interface access controls — are the key defences.

Immediate — within 24 hours:

  1. Verify that ESXi management interfaces (port 443) are restricted to dedicated administrative jump hosts — not accessible from general internal network segments or workstations
  2. Confirm that backup infrastructure for both Windows and ESXi environments is network-isolated from production environments — backup systems accessible from compromised hosts are primary ransomware targets

Within 48 hours:

  3. Test ESXi backup restoration procedures: verify that at least one recent snapshot or backup can be restored to a clean host independently of the primary ESXi infrastructure
  4. Assess Hyper-V environments with the same controls applied to ESXi — management interfaces should not be reachable from workstation segments

Ongoing:

  5. Review virtualisation infrastructure access controls: domain accounts with ESXi/vCenter admin rights should be distinct from standard Windows domain accounts, using privileged access workstations or just-in-time access mechanisms
  6. Update incident response playbooks to include simultaneous Windows + hypervisor compromise scenarios — recovery plan sequencing should account for the possibility that both layers require rebuilding concurrently
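As an added illustration of step 1 (not part of the Rapid7 briefing), the following Python check parses the output of `esxcli network firewall ruleset allowedip list` and reports management rulesets that are reachable from any source, or from sources outside an approved jump-host list. The sample output is constructed, and the ruleset IDs (`vSphereClient`, `webAccess`, `sshServer`) and the two-column layout are assumed to match the ESXi build in use.

```python
import ipaddress
import re
from typing import Optional

# ESXi firewall ruleset IDs that front the management plane (assumption:
# vSphereClient = 443/tcp, webAccess = 80/tcp, sshServer = 22/tcp).
MANAGEMENT_RULESETS = {"vSphereClient", "webAccess", "sshServer"}

# Constructed sample of `esxcli network firewall ruleset allowedip list`
# output (not captured from a real host). "All" means no source restriction.
SAMPLE_ALLOWEDIP_OUTPUT = """\
Ruleset            Allowed IP Addresses
-----------------  --------------------
sshServer          All
sshClient          All
vSphereClient      All
webAccess          10.20.30.0/24, 10.20.31.10
ntpClient          All
"""


def parse_allowedip(output: str) -> dict[str, Optional[list[str]]]:
    """Map each ruleset ID to its allowed sources; None means 'All' (unrestricted)."""
    rules: dict[str, Optional[list[str]]] = {}
    for line in output.splitlines()[2:]:  # skip header and separator rows
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        ruleset, allowed = parts
        rules[ruleset] = None if allowed == "All" else [a.strip() for a in allowed.split(",")]
    return rules


def audit_management_exposure(output: str, jump_hosts: list[str]) -> dict[str, list[str]]:
    """Return {ruleset: offending entries}; ['All'] marks a ruleset open to every source.

    Note: allowedip list shows disabled rulesets too; cross-check the 'Enabled'
    column of `esxcli network firewall ruleset list` before treating a hit as live.
    """
    approved = [ipaddress.ip_network(j, strict=False) for j in jump_hosts]
    findings: dict[str, list[str]] = {}
    for ruleset, allowed in parse_allowedip(output).items():
        if ruleset not in MANAGEMENT_RULESETS:
            continue
        if allowed is None:
            findings[ruleset] = ["All"]
            continue
        offending = []
        for entry in allowed:
            net = ipaddress.ip_network(entry, strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                offending.append(entry)
        if offending:
            findings[ruleset] = offending
    return findings
```

Any ruleset the check reports should be narrowed with `esxcli network firewall ruleset allowedip add --ruleset-id <id> --ip-address <jump-host-cidr>` after `--allowed-all false` has been set for that ruleset.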