Ransomware's CLI interface | Image: Rapid7
Researchers at Rapid7 have uncovered Kyber, a specialized ransomware family that recently hit enterprise environments with a coordinated, dual-platform attack. Unlike common strains that focus on individual workstations, Kyber is designed to target the very heart of modern business: VMware ESXi virtualization and Windows file servers.
As Rapid7 warns in their latest analysis, organizations should treat this threat as more than just another malware strain: “Organizations should treat Kyber not merely as another ransomware strain, but as a specialized tool capable of causing a complete operational blackout.”
The Linux/ESXi variant of Kyber is a 64-bit ELF executable written in C++ and explicitly developed to “target ESXi environments”. It leverages native VMware tools, such as esxcli, to manage its destructive tasks.
The malware’s workflow is cold and calculated:
- Termination: If the vmkill flag is set, it enumerates all running virtual machines and shuts them down gracefully to ensure virtual disks (VMDKs) aren’t corrupted before they are encrypted.
- Defacement: In a bold psychological move, the ransomware “replaces the VMware web UI index pages” so that any administrator attempting to log in via the web management portal is met instantly with a ransom note.
- Persistent Encryption: It uses a “detach” flag to fork the process, allowing it to “run in the background” even after an SSH session is closed.
While the ESXi variant uses older C++ code, the Windows payload is a modern, 64-bit executable written in Rust. This variant brings “experimental” capabilities to target Hyper-V environments, mirroring its Linux counterpart’s focus on virtualization.
When running with elevated privileges, the Windows variant unlocks a “full toolkit” designed to thwart recovery:
- Anti-Recovery: It executes 11 specific commands via CreateProcessW to wipe Volume Shadow Copies (VSS), delete system state backups, and disable the Windows Recovery Environment.
- Process Hijacking: If a file is locked, the malware uses the Windows Restart Manager to identify and terminate the process holding it open.
- Visual Marking: It even registers a custom icon for encrypted files in the registry—deceptively named “Fucked file”—and refreshes the shell cache so the victim sees the damage immediately.
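As an added, defender-side illustration (not code from Rapid7's report, which this article does not reproduce): a small Python scanner that flags well-known recovery-tampering command lines in process-creation records and raises a burst alert when several families fire close together, which is the pattern a pre-encryption "full toolkit" produces. The pipe-delimited log format and the rule set are assumptions; the page does not list Kyber's 11 commands, so the patterns cover commonly seen VSS, backup-catalog and WinRE tampering rather than Kyber's exact list.

```python
import re
from dataclasses import dataclass
# Well-known recovery-tampering command patterns (assumption: generic coverage;
# the article does not reproduce Kyber's exact 11 commands).
ANTI_RECOVERY_RULES = [
    ("vss_delete",     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadow",    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("winre_disable",  re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

@dataclass
class Hit:
    line_no: int   # 1-based record index in the scanned log
    rule: str      # which rule family matched
    command: str   # the offending command line
def scan_process_log(lines):
    """Scan 'timestamp|user|parent|commandline' records; return Hits in order."""
    hits = []
    for n, raw in enumerate(lines, 1):
        parts = raw.split("|", 3)
        if len(parts) != 4:      # malformed record: skip rather than crash
            continue
        cmd = parts[3].strip()
        for name, rx in ANTI_RECOVERY_RULES:
            if rx.search(cmd):
                hits.append(Hit(n, name, cmd))
                break            # one hit per record is enough
    return hits

def burst_alert(hits, threshold=3):
    """True when >= threshold distinct rule families fire: a pre-encryption burst."""
    return len({h.rule for h in hits}) >= threshold

# Constructed sample process-creation records (not real telemetry).
SAMPLE_LOG = [
    "2024-01-01T10:00:01|CORP\\svc|explorer.exe|C:\\Windows\\System32\\notepad.exe",
    "2024-01-01T10:00:02|CORP\\svc|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-01-01T10:00:02|CORP\\svc|cmd.exe|wmic shadowcopy delete",
    "2024-01-01T10:00:03|CORP\\svc|cmd.exe|wbadmin delete catalog -quiet",
    "2024-01-01T10:00:03|CORP\\svc|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2024-01-01T10:00:04|CORP\\svc|cmd.exe|vssadmin list shadows",
]

if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG)
    for h in found:
        print(f"record {h.line_no}: {h.rule}: {h.command}")
    print("ALERT: anti-recovery burst" if burst_alert(found) else "no burst")
```

Single hits from administrators are normal; the burst of distinct families within seconds is the signal worth paging on.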
The name “Kyber” suggests a focus on post-quantum security, and the ransom notes for both variants claim to use the Kyber1024 algorithm. However, Rapid7’s analysis found a significant discrepancy between what the attackers promise and what they deliver. “As usual, ransom notes prove to be more aspirational than accurate.”
While the Windows variant does implement the advertised hybrid scheme, the ESXi variant is far less sophisticated. Technical analysis revealed that “the cipher is actually ChaCha8” with RSA-4096 key wrapping. It appears the operators simply “copy-pasted the ransom note from a Windows variant” for their Linux builds.
| Feature | ELF (Linux/ESXi) | PE (Windows) |
| --- | --- | --- |
| Programming Language | C++, GCC 4.4.7 | Rust, MSVC 19.36 |
| Actual Cryptography | ChaCha8 + RSA-4096 | AES-256-CTR + Kyber1024 |
| Anti-Recovery | None | 11 destructive commands |
| File Extension | | |
Kyber’s cross-platform approach, coupled with effective anti-recovery measures, drastically elevates the risk of a total operational disruption.