Kyber Ransomware: Dual-Platform Encryption targeting Windows and ESXi — Detection and Response

The emergence of the Kyber ransomware strain marks a dangerous evolution in adversarial capabilities. Based on our analysis of recent real-world incidents, including a critical engagement in March 2026, Kyber is not merely another encryption variant; it is a specialized, dual-platform tool designed to inflict maximum operational pain. By simultaneously targeting mission-critical VMware ESXi virtualization infrastructure and core Windows file systems, the actors behind Kyer aim to engineer a complete operational blackout.

For defenders, the urgency is absolute. The integration of effective anti-recovery measures means that traditional "restore from backup" strategies may fail if backups are connected or not immutable. If you manage a heterogeneous environment spanning Windows endpoints and VMware hypervisors, you are in the crosshairs. This post dissects the Kyber attack chain and provides the necessary detection and remediation guidance to protect your infrastructure.

Technical Analysis

Kyber represents a convergence of threat vectors, previously handled by separate codebases, into a unified operational framework.

• Affected Platforms:

  • Microsoft Windows: Client and Server operating systems (NTFS file systems).
  • VMware ESXi: Hypervisors managing VMFS datastores.

• Attack Vector & Mechanism:

  • Initial Access: While the initial vector varies (often phishing or compromised credentials), the lateral movement phase is aggressive.
  • Dual-Platform Deployment: Unlike traditional ransomware that focuses on endpoints, Kyber includes a specialized payload for ESXi. This suggests the actors have obtained access to the vCenter Server or have direct SSH access to ESXi hosts.
  • Encryption & Anti-Recovery: On Windows, Kyber encrypts files using strong cryptographic primitives (referenced by its name association with Kyber, though the specific implementation in this ransomware is a proprietary symmetric cipher often observed in modern strains). On ESXi, it targets the flat files and descriptor files of running VMs. Crucially, it employs anti-recovery techniques, such as deleting Volume Shadow Copies via vssadmin and wiping ESXi scratch partitions, to prevent quick restoration.

• Exploitation Status:

  • Confirmed Active Exploitation: Multiple incident response engagements, including the March 2026 case, confirm active exploitation in enterprise environments.
  • Availability: The threat is operational in the wild, though no specific CVE is required for the ransomware execution itself—access is typically gained via valid credentials or exposed management interfaces (e.g., port 443 on vCenter or port 22 on ESXi).

Detection & Response

Given Kyber's ability to traverse Windows and Linux (ESXi) environments, detection rules must cover both operating system logs. The following Sigma rules, KQL queries, and VQL artifacts are designed to catch the distinctive behaviors of the Kyber double-play: massive file encryption on Windows and suspicious shell activity on ESXi.

Sigma Rules

---
title: Potential Kyber Ransomware - Windows VSS Deletion
id: 8a4b2c1d-5e6f-4a3b-8c9d-1e2f3a4b5c6d
status: experimental
description: Detects the deletion of Volume Shadow Copies often associated with Kyber and similar ransomware strains to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'vssadmin delete shadows'
      - 'wmic shadowcopy delete'
      - 'wbadmin delete catalog'
  condition: selection
falsepositives:
  - Legitimate system administration (rare)
level: high
---
title: Potential Kyber Ransomware - ESXi Suspicious Process Execution
id: 9b5c3d2e-6f7a-5b4c-9d0e-2f3a4b5c6d7e
status: experimental
description: Detects execution of suspicious encryption-related processes on VMware ESXi, often indicative of ESXi-targeting ransomware like Kyber.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: process_creation
  product: linux
detection:
  selection_img:
    Image|endswith:
      - '/vmkfstools'
      - '/esxcli'
  selection_cli:
    CommandLine|contains:
      - '-i '
      - '-d eagerZeroedThick'
      - '-U' # Potential unregistration or destruction flags
  condition: all of selection_*
falsepositives:
  - Legitimate VMware administration tasks
level: medium
---
title: Potential Kyber Ransomware - Bulk File Encryption Pattern
id: 0c6d4e3f-7a8b-6c5d-0e1f-3a4b5c6d7e8f
status: experimental
description: Detects rapid encryption of multiple files on Windows endpoints, a signature of Kyber payload execution.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1486
logsource:
  product: windows
  definition: file_access
detection:
  selection:
    TargetFilename|contains: ".kyber" # Assuming extension usage or similar
  timeframe: 1m
  condition: selection | count() > 50
falsepositives:
  - High-volume file processing (rare)
level: critical

KQL (Microsoft Sentinel)

This query correlates Windows process creation with Syslog data from your VMware infrastructure to identify the dual attack pattern.

// Hunt for Windows Anti-Recovery commands
let WindowsEvents =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "vssadmin" or ProcessCommandLine has "delete shadows"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName;

// Hunt for ESXi Suspicious Activity (via Syslog/CEF)
let ESXiEvents =
Syslog
| where Timestamp > ago(24h)
| where Facility == "auth" or ProcessName contains "vmware" or ProcessName contains "hostd"
| where SyslogMessage has "vmkfstools" or SyslogMessage has "esxcli"
| project Timestamp, Computer, SyslogMessage, ProcessName;

// Correlate activity to identify potential double-trouble scenario
union WindowsEvents, ESXiEvents
| summarize count() by bin(Timestamp, 5m), Computer
| where count_ > 5
| sort by Timestamp desc

Velociraptor VQL

The following artifact hunts for the presence of suspicious processes on both Windows endpoints and Linux (ESXi) hosts, specifically looking for the tools used to manipulate virtual disks or clear shadow copies.

-- Hunt for Kyber Indicators on Windows and Linux
SELECT 
  split(string=OS, sep=" ")[0] AS OS_Type,
  Pid, 
  Ppid, 
  Name, 
  CommandLine, 
  Exe, 
  Username
FROM pslist()
WHERE 
  // Windows specific checks
  (OS_Type =~ "Windows" AND (CommandLine =~ "vssadmin.*delete" OR Name =~ "wbadmin.exe"))
  OR
  // Linux/ESXi specific checks
  (OS_Type =~ "Linux" AND (Name =~ "vmkfstools" OR Name =~ "esxcli"))

Remediation Script (PowerShell)

Warning: This script is for Windows hardening. For ESXi, follow the vendor remediation steps below.

# Kyber Ransomware Hardening Script
# Requires Administrator Privileges
Write-Host "[+] Initiating Kyber Hardening Procedures..." -ForegroundColor Cyan

# 1: Stop and Disable VSS Service if not in use (Prevents Shadow Copy manipulation via some vectors)
# Note: Use with caution as this impacts legitimate backups.
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService.Status -eq 'Running') {
    Write-Host "[!] VSS Service is Running. Ensure you have offline immutable backups before stopping." -ForegroundColor Yellow
    # Stop-Service -Name VSS -Force
    # Set-Service -Name VSS -StartupType Disabled
}

# 2: Disable Remote Desktop (RDP) if not required (Common lateral movement vector)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 1
Write-Host "[+] RDP Disabled." -ForegroundColor Green

# 3: Enable Windows Firewall (Block inbound SMB/CIFS if not needed)
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Write-Host "[+] Firewall Enabled." -ForegroundColor Green

# 4: Audit local administrators (Kyber often requires admin rights)
Write-Host "[+] Current Local Administrators:"
Get-LocalGroupMember -Group "Administrators"

Write-Host "[+] Hardening Complete. Verify backup integrity immediately." -ForegroundColor Green

Remediation

To recover from and prevent future Kyber attacks, implement the following steps immediately:

1. Isolate Infected Systems: Immediately disconnect compromised Windows machines and ESXi hosts from the network. Power down non-critical ESXi hosts to prevent the spread of the encryption payload to other datastores.

2. Verify ESXi Hardening:

   • SSH Access: Ensure SSH is disabled on all ESXi hosts unless strictly necessary for administration. Use the esxcli network firewall ruleset set -e false -r sshServer command.
   • Lockdown Mode: Enable lockdown mode on ESXi hosts to prevent direct remote access.
   • Patching: Ensure your ESXi hosts are updated to the latest version. While Kyber may not exploit a specific zero-day, older builds are more susceptible to pre-authentication exploits used for initial access.

3. Windows Recovery:

   • Restore: Restore Windows systems from offline, immutable backups. Do not use attached snapshots or storage that was accessible during the breach, as Kyber's anti-recovery measures may have corrupted them.
   • Credential Reset: Assume all credentials (domain admin, local admin, service accounts) used on the compromised machines are compromised. Perform a full credential reset.

4. Vendor Advisory Reference:

   • Review the official VMware security hardening guides: VMware Security Hardening Guide

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub