EXECUTIVE SUMMARY
A highly specialised threat actor has developed a dual-platform ransomware campaign, targeting mission-critical virtualisation infrastructure and core Windows file systems in a coordinated effort to cause significant operational disruption. This cross-platform approach, coupled with effective anti-recovery measures, elevates the risk of a total operational blackout. The attackers' primary goal appears to be data theft, with the added pressure of a ransom demand to further exacerbate the disruption. Recent real-world incidents have demonstrated the large-scale operational impact that this ransomware, tracked as Kyber, can cause across enterprise environments. As a result, organisations should treat Kyber not merely as another ransomware strain, but as a highly effective tool capable of causing a complete operational blackout.
The malware gains access through SSH to ESXi hosts and leverages native tooling such as esxcli to target VMware-specific paths and artifacts. Once inside, it walks the directory tree recursively to identify targets, dropping a ransom note into every folder before the encryption routine begins. The encryption logic is straightforward: ChaCha8 is used to encrypt files, with AES-256-CTR used for bulk data encryption. A custom entropy pipeline ensures key quality, and the Windows variant executes 11 distinct commands to impair defences, including VSS deletion and log clearing. To prevent recovery, the malware wipes shadow copies and modifies the registry.
The Kyber ransomware campaign is significant for organisations because of its potential to cause total operational disruption. The attackers' use of native tooling such as esxcli and vssadmin, combined with the custom entropy pipeline, makes detection challenging. Organisations should harden their virtualisation infrastructure, implement least-privilege access for the ESXi shell and SSH, and enforce multi-factor authentication on all management interfaces and accounts. They should also monitor esxcli execution for VM termination or configuration changes, and counter the anti-recovery actions by restricting execution and protecting backups. Detection should focus on lateral movement and defacement, with analysts incorporating the published IOCs and file extensions into their detection rules.
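As an added illustration of the monitoring the summary recommends (constructed detection logic written for this page, not code from the report or its sources), the script below runs simple rules over constructed Windows 4688-style process-creation lines and ESXi shell.log entries and correlates shadow-copy deletion with log clearing on the same host. All hostnames, users, world IDs, the advanced-option path and the log format are assumptions made up for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the report): Windows 4688-style process
# creation records and ESXi shell.log entries, one record per line.
SAMPLE_LOGS = """\
host=FS01 event=4688 user=CORP\\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"
host=FS01 event=4688 user=CORP\\jdoe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"
host=FS01 event=4688 user=CORP\\svc_backup cmd="wevtutil.exe cl Security"
host=esx01 shell.log [root]: esxcli vm process list
host=esx01 shell.log [root]: esxcli vm process kill --type=force --world-id=2101234
host=esx01 shell.log [root]: esxcli system settings advanced set -o /Example/Option -i 0
"""

# Detection rules for the behaviours named in the summary: VSS deletion, log
# clearing, and esxcli use for VM termination or configuration changes.
RULES = [
    ("vss_shadow_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("esxi_vm_termination", re.compile(r"esxcli\s+vm\s+process\s+kill\b", re.I)),
    ("esxi_config_change", re.compile(r"esxcli\s+system\s+settings\s+\S+\s+set\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    line: str


def scan_logs(text: str) -> list[Alert]:
    """Return one Alert per (line, rule) match, tagged with the originating host."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        host_match = re.match(r"host=(\S+)", line)
        host = host_match.group(1) if host_match else "unknown"
        for name, pattern in RULES:
            if pattern.search(line):
                alerts.append(Alert(host, name, line))
    return alerts


def hosts_with_anti_recovery(alerts: list[Alert]) -> list[str]:
    """Hosts where shadow copies were deleted AND logs were cleared: that pairing
    matches the Windows variant's impairment sequence rather than routine admin work."""
    rules_by_host: dict[str, set[str]] = {}
    for alert in alerts:
        rules_by_host.setdefault(alert.host, set()).add(alert.rule)
    needed = {"vss_shadow_deletion", "event_log_clearing"}
    return sorted(h for h, seen in rules_by_host.items() if needed <= seen)
```

Single-rule hits still deserve triage (a lone esxcli VM kill on an ESXi host is rarely benign outside a change window), but the correlated pairing is the higher-confidence signal.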
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Reconnaissance | T1592 | Non-Technical Spearphishing | — |
| Resource Development | T1583 | Acquire Infrastructure | — |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Initial Access | T1133 | External Remote Services | — |
| Execution | T1204 | User Execution | — |
| Execution | T1059 | Command and Scripting Interpreter | — |
| Execution | T1106 | Native API | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1070 | Indicator Removal | — |
| Defense Evasion | T1112 | Modify Registry | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Credential Access | T1552 | Unsecured Credentials | — |
| Credential Access | T1558 | Steal or Forge Kerberos Tickets | — |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1102 | Web Service | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/kyber-ransomware-vmware-esxi-windows-analysis/
https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/