Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ransomware (25 articles)

Kyber ransomware experiments with post-quantum encryption across Windows and VMware ESXi

A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum marketing claim but actually uses ChaCha8 with RSA-4096 - pure marketing theatre rather than real crypto defense. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.

Check
Hunt your Windows estate for files with a '.#~~~' extension, your ESXi hosts for files with a '.xhsyw' extension, and any Hyper-V and ESXi management surface for unexpected crontab entries or defaced login banners.
Affected
Any environment exposing Windows domain controllers or file servers alongside VMware ESXi infrastructure. ESXi variant targets datastore files, VM enumeration, and management interface defacement; Windows variant specifically targets Hyper-V in experimental mode. Organizations relying on shadow-copy-based recovery, SQL/Exchange snapshots, or on-disk backup services without immutable storage.
Fix
Enforce offline, immutable backups for every tier of your environment - Kyber explicitly destroys shadow copies, boot repair, and in-place backup services. Apply the ESXi hardening guidance (disable SSH when not in use, require MFA on vCenter, enable execInstalledOnly, patch to the latest ESXi build) to cut the affiliate's preferred initial-access paths. Alert on: crontab modifications on ESXi hosts, 'vim-cmd vmsvc/getallvms' followed by mass power-off, the '.#~~~' and '.xhsyw' file extensions on any write, and Windows event log clears. Given affiliate-level overlap with other ransomware operations, also review access paths through internet-facing VPN gateways and RDP.
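One way to implement two of the alerts listed above, as an added example that is not from the article or from Rapid7's analysis: a check for the two reported file extensions, and a sequence rule that fires when `vim-cmd vmsvc/getallvms` is followed by several power-offs from the same user. The shell-log line layout, the use of `vim-cmd vmsvc/power.off` as the power-off signal, the threshold and the time window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Extensions the article attributes to Kyber (Windows, ESXi).
KYBER_EXTENSIONS = (".#~~~", ".xhsyw")

# Assumed shell-log layout: "<ISO timestamp>Z shell[pid]: [user]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)
ENUM_RE = re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b")
OFF_RE = re.compile(r"\bvim-cmd\s+vmsvc/power\.off\s+(?P<vmid>\d+)\b")

def has_kyber_extension(path):
    """True if a written file name carries one of the reported extensions."""
    return path.lower().endswith(KYBER_EXTENSIONS)

def mass_poweroff_alerts(lines, min_vms=3, window=timedelta(minutes=10)):
    """Return (user, enum_time, vm_ids) for each enumeration that is followed
    by power-off of at least min_vms distinct VMs inside the window."""
    enum_at = {}    # user -> time of that user's latest getallvms
    powered = {}    # user -> distinct VM ids powered off since then
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        user, cmd = m["user"], m["cmd"]
        if ENUM_RE.search(cmd):
            enum_at[user], powered[user] = ts, set()
            continue
        off = OFF_RE.search(cmd)
        if off and user in enum_at and ts - enum_at[user] <= window:
            powered[user].add(off["vmid"])
            if len(powered[user]) == min_vms:  # alert once per enumeration
                alerts.append((user, enum_at[user], sorted(powered[user])))
    return alerts

# Constructed sample lines, not taken from a real incident.
SAMPLE_LOG = [
    "2026-03-10T02:14:01Z shell[2101]: [root]: vim-cmd vmsvc/getallvms",
    "2026-03-10T02:14:09Z shell[2101]: [root]: vim-cmd vmsvc/power.off 11",
    "2026-03-10T02:14:10Z shell[2101]: [root]: vim-cmd vmsvc/power.off 12",
    "2026-03-10T02:14:12Z shell[2101]: [root]: vim-cmd vmsvc/power.off 14",
    "2026-03-10T09:30:00Z shell[3300]: [admin]: vim-cmd vmsvc/getallvms",
    "2026-03-10T09:31:00Z shell[3300]: [admin]: vim-cmd vmsvc/power.off 7",
]
```

In the sample, the `root` session trips the rule while the single power-off by `admin` does not; tune `min_vms` and `window` to what routine maintenance looks like on your hosts.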

The Gentlemen ransomware operation hiding 1,570+ unreported victims per Check Point C2 analysis - 5x larger than leak site suggests

Check Point researchers gained visibility into a SystemBC command-and-control server used by an affiliate of The Gentlemen ransomware-as-a-service operation and found over 1,570 compromised corporate networks that have not been publicly disclosed. The group's own data leak site only lists about 320 victims, meaning the real footprint is nearly 5x larger than public reporting suggests. The Gentlemen emerged in July 2025 and has become one of the most prolific RaaS operations. It uses a Go-based locker targeting Windows, Linux, NAS, and BSD systems, operates a classic double-extortion model, and abuses legitimate drivers plus custom tooling to bypass defenses. SystemBC is a SOCKS5 tunneling proxy that uses RC4-encrypted C2 communications and can download and execute additional malware in memory. Attack chain: initial access via internet-facing services or compromised credentials, followed by reconnaissance, Cobalt Strike deployment, SystemBC tunneling, lateral movement using Group Policy Objects for domain-wide compromise, then the encryptor. A notable TTP: during lateral movement, The Gentlemen pushes a PowerShell script that disables Windows Defender real-time monitoring, adds broad exclusions for staging shares and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary on each reachable host. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery. Victim geography spans US, UK, Germany, Australia, and Romania.

Check
Audit your environment for SystemBC indicators and GPO abuse patterns. The Gentlemen's 1,570+ victim count means there's a meaningful chance you or your peers are already compromised without knowing it.
Affected
Any organization with internet-facing services (VPN gateways, RDP, remote admin portals) or weak credential hygiene is at risk of initial access. Environments where Windows Defender exclusions can be modified via GPO, where SMB1 can be re-enabled, or where LSA anonymous access controls can be loosened are at acute risk of the full attack chain. VMware ESXi environments are specifically targeted by a Linux variant.
Fix
Hunt for SystemBC: look for outbound SOCKS5 connections to non-corporate destinations, RC4-encrypted traffic patterns, and unexpected tunneling processes. Alert on any GPO modification that adds Windows Defender exclusions, disables real-time monitoring, re-enables SMB1, or loosens LSA anonymous access settings - these are near-certain indicators of ransomware staging. For ESXi, monitor for unauthorized crontab modifications and VM shutdown commands. Review privileged credentials used in GPO management - compromise of a single GPO admin account gives attackers domain-wide ransomware deployment capability. Confirm backups are offline and immutable; The Gentlemen's ESXi variant actively inhibits recovery.

Microsoft exposes Storm-1175 - China-based ransomware group deploying Medusa with zero-day exploits in under 24 hours

Microsoft Threat Intelligence published a detailed report on Storm-1175, a China-based financially motivated group that deploys Medusa ransomware at extreme speed - sometimes moving from initial access to full ransomware deployment within 24 hours. The group exploits internet-facing systems using a mix of zero-day and recently disclosed (n-day) vulnerabilities, having weaponized over 16 flaws across 10 products since 2023. Two vulnerabilities were exploited as zero-days a full week before public disclosure. Recent targets include healthcare, education, finance, and professional services organizations in the US, UK, and Australia. Their playbook: exploit a web-facing flaw, create persistence via new accounts and web shells, steal credentials with Mimikatz, disable Defender via registry modifications, exfiltrate data with Rclone, then deploy Medusa across the network.

Check
Review your internet-facing asset inventory. Storm-1175 specifically scans for exposed web applications running Exchange, Ivanti, ConnectWise, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Affected
Organizations running any of: Microsoft Exchange, Ivanti Connect Secure/Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, BeyondTrust, Oracle WebLogic - especially if internet-facing and not fully patched.
Fix
Patch all internet-facing systems immediately - Storm-1175 weaponizes new CVEs within days. Enable tamper protection on Microsoft Defender and set DisableLocalAdminMerge to prevent attackers from adding antivirus exclusions. Monitor for credential theft indicators (LSASS access, WDigest caching). Block Rclone and unauthorized RMM tools at the perimeter. Prioritize alerts for new account creation and web shell deployment.

Google Drive now auto-detects ransomware and pauses sync - 14x better detection than beta

Google moved its AI-powered ransomware detection for Google Drive from beta to general availability, enabled by default for all paid Workspace users. When ransomware encrypts files on a synced desktop, Drive immediately pauses syncing to protect cloud copies, alerts both the user and IT admins, and offers bulk file restoration to roll back to pre-infection versions. Google says the GA model catches 14 times more infections than the beta, covering a wider range of encryption patterns at faster detection speeds.

Check
Verify your Google Workspace deployment is running Google Drive for desktop v114 or later to get full detection alerts.
Affected
Google Workspace organizations on business, enterprise, education, or frontline licenses. Personal Google accounts get file restoration but not ransomware detection.
Fix
Ensure Drive for desktop v114+ is deployed across endpoints. Confirm ransomware detection is enabled in Admin console (Apps > Google Workspace > Settings for Drive and Docs > Malware and Ransomware). Test the file restoration workflow with your incident response team before you need it.

TeamPCP's 9-day supply chain rampage - Trivy to LiteLLM to Checkmarx to Telnyx

One group, four major compromises, nine days. TeamPCP started by backdooring Aqua Security's Trivy vulnerability scanner on March 19 - then used the stolen CI/CD credentials to poison LiteLLM, Checkmarx tools, and Telnyx one after another. Each compromised tool handed them the keys to the next target. They've now partnered with the Vect ransomware gang to turn stolen access into extortion.

Check
Audit any CI/CD pipeline that used Trivy, LiteLLM, or Telnyx between March 19-27.
Affected
Trivy (compromised tags March 19), LiteLLM 1.82.7-1.82.8, Checkmarx KICS GitHub Actions (March 23), Telnyx 4.87.1-4.87.2.
Fix
Pin all open-source dependencies to exact versions. Rotate all credentials exposed in affected pipelines. Treat affected environments as fully compromised.
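A minimal audit for the pinning advice above, as an added example that is not from the article or any of the affected projects: it classifies requirement lines as affected, unpinned or ok, using the two version ranges listed under Affected. Treating `litellm` and `telnyx` as PyPI package names in `requirements.txt` format is an assumption, and the sample file is constructed.

```python
import re

# Affected ranges as listed in the article (inclusive). Treating these as
# PyPI package names in requirements.txt format is an assumption.
AFFECTED = {
    "litellm": ((1, 82, 7), (1, 82, 8)),
    "telnyx": ((4, 87, 1), (4, 87, 2)),
}
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?P<spec>[^;#]*)"
)
PIN_RE = re.compile(r"^==\s*(?P<ver>\d+(?:\.\d+)*)$")

def audit_requirements(text):
    """Classify each requirement line as 'affected', 'unpinned' or 'ok'."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\").strip()  # drop line-continuation marks
        if not line or line.startswith(("#", "-")):
            continue  # skip comments and pip options such as -r / --hash
        m = REQ_RE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m["name"]).lower()  # normalise the name
        spec = m["spec"].strip()
        pin = PIN_RE.match(spec)
        if pin is None:
            # Ranges, wildcards and bare names can resolve to a poisoned release.
            findings.append((name, spec or "(any)", "unpinned"))
            continue
        version = tuple(int(p) for p in pin["ver"].split("."))
        low, high = AFFECTED.get(name, (None, None))
        hit = low is not None and low <= version <= high
        findings.append((name, pin["ver"], "affected" if hit else "ok"))
    return findings

# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed example
litellm==1.82.7
litellm[proxy]==1.82.9
telnyx>=4.80
Telnyx==4.87.2
requests==2.31.0  # pinned
"""
```

An `unpinned` result on an affected package needs a follow-up against build logs or lock files, since a range specifier may have resolved to a compromised release during the March 19-27 window.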