Kyber ransomware targeting Windows and VMware ESXi
Malware Activity
Summary
Kyber ransomware is actively hitting Windows and VMware ESXi environments, using two variants that can encrypt files, datastores, and recovery paths. The activity raises the risk of broad server downtime because one build targets ESXi infrastructure while the other attacks Windows file servers and related services. One variant advertises Kyber1024 post-quantum protection, but the operational effect is still full encryption and recovery disruption.
Related Happenings
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources 1
About this happening:
The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
Timeline
- 22.04.2026 21:52 (2 articles)
Rapid7 discloses Kyber ransomware targeting Windows and ESXi
Initial Disclosure: Rapid7 disclosed a new Kyber ransomware operation targeting Windows systems and VMware ESXi endpoints, and said two distinct variants were deployed on the same network during March 2026 incident response. The ESXi build encrypts datastore files and can deface management interfaces, while the Rust Windows build uses Kyber1024 and X25519 for key protection, appends '.#~~~', deletes backups, and can shut down Hyper-V virtual machines; Rapid7 also said the Linux ESXi encryptor does not use Kyber for direct file encryption and instead relies on ChaCha8 and RSA-4096.
Sources:
- Kyber ransomware gang toys with post-quantum encryption on Windows — www.bleepingcomputer.com — 22.04.2026 21:52