Ransomware, Apr 22, 2026

Kyber ransomware gang toys with post-quantum encryption on Windows

Kyber ransomware targets Windows and VMware ESXi with post-quantum encryption claims.

Summary

A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints, with variants deployed simultaneously across victim networks. While the Windows variant genuinely implements Kyber1024 post-quantum encryption for key protection paired with AES-CTR for file encryption, the Linux ESXi variant falsely advertises post-quantum capabilities but actually uses ChaCha8 and RSA-4096. Rapid7 analyzed both variants during a March 2026 incident response involving a major US defense contractor, finding the Windows variant more technically mature and designed to eliminate multiple data recovery paths.

Full text

By Bill Toulas, April 22, 2026 02:52 PM

A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.

"The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains Rapid7. "The Windows variant, written in Rust, includes a self-described 'experimental' feature for targeting Hyper-V."

Both variants share the same campaign ID and Tor-based ransom infrastructure, so they were deployed by the same ransomware affiliate, who likely sought to maximize impact by encrypting all servers simultaneously.

BleepingComputer has found only one listed victim on the Kyber data extortion portal at the time of writing, which is a multi-billion-dollar American defense contractor and IT services provider.

[Image: Kyber ransomware victim extortion portal. Source: BleepingComputer.com]

Rapid7 says the ESXi variant enumerates all virtual machines (VMs) on the infrastructure, encrypts datastore files, and then defaces the ESXi interfaces with ransom notes to guide victims through the ransom payment and recovery process.

Although it advertises 'post-quantum' encryption based on Kyber1024 key encapsulation, Rapid7 has found that these claims are false for the Linux ESXi encryptor. For the Linux version, the ransomware uses ChaCha8 for file encryption and RSA-4096 for key wrapping.

Small files (<1 MB) are encrypted in full and appended with the '.xhsyw' extension, while files between 1 MB and 4 MB have only the first MB encrypted. Files larger than 4 MB are intermittently encrypted based on the operator's configuration.

[Image: Ransom note embedded in the ELF binary. Source: Rapid7]

The Windows variant, written in Rust, implements Kyber1024 and X25519 for key protection, aligning with the ransom note's claims.

"This confirms that Kyber is not used for direct file encryption. Instead, Kyber1024 protects the symmetric key material, while AES-CTR handles bulk data encryption," Rapid7 explains.

While the use of post-quantum cryptography is notable, it does not change outcomes for victims. Whether the encryptor uses RSA or Kyber1024, files remain unrecoverable without access to the attacker's private key.

The Windows variant appends the '.#~~~' extension to encrypted files, terminates services, deletes backups, and includes an experimental feature to shut down Hyper-V virtual machines.

[Image: Kyber for Windows CLI. Source: Rapid7]

It is designed to eliminate a broad range of data recovery paths: deleting shadow copies, disabling boot repair, killing SQL, Exchange, and backup services, clearing event logs, and wiping the Windows Recycle Bin.

Rapid7 highlighted an unusual choice of mutex in the Windows variant of Kyber, which appears to reference a song on the Boomplay music platform.

Overall, the Windows variant appears more technically mature, while the ESXi variant currently lacks some of its features.
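The size-tiered encryption described above matters for recovery: in the 1 MB to 4 MB tier only the first MB is ciphertext, so the remainder of such a file is still readable. The following is an added triage helper, not Rapid7's or BleepingComputer's code, that estimates which byte ranges of a file were encrypted by measuring per-chunk entropy and reports how much remains in the clear. It assumes the size tiers as quoted for the ESXi variant, an entropy cut-off of 7.5 bits per byte, and Python 3.9+.

```python
import math
import random
from collections import Counter

MB = 1024 * 1024
# Extensions Rapid7 reported for the ESXi (.xhsyw) and Windows (.#~~~) variants
KYBER_EXTENSIONS = (".xhsyw", ".#~~~")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, well below that for most plaintext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def expected_scope(size: int) -> str:
    """Encryption scope the article reports for the ESXi variant, by file size (assumed boundaries)."""
    if size < MB:
        return "full"          # whole file encrypted
    if size <= 4 * MB:
        return "first_mb"      # only the first MB encrypted
    return "intermittent"      # operator-configured partial encryption

def encrypted_ranges(data: bytes, chunk: int = 64 * 1024, threshold: float = 7.5):
    """[start, end) ranges whose per-chunk entropy looks like ciphertext.
    threshold is an assumed cut-off: compressed or already-encrypted content
    also scores high, so confirm against a known-good copy where possible."""
    ranges, start = [], None
    for off in range(0, len(data), chunk):
        high = shannon_entropy(data[off:off + chunk]) >= threshold
        if high and start is None:
            start = off
        elif not high and start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, len(data)))
    return ranges

def triage(name: str, data: bytes) -> dict:
    """Summarise one file: Kyber extension?, expected scope, and bytes left in clear."""
    ranges = encrypted_ranges(data)
    encrypted = sum(end - start for start, end in ranges)
    return {"kyber_ext": name.endswith(KYBER_EXTENSIONS),
            "expected": expected_scope(len(data)),
            "ranges": ranges, "recoverable_bytes": len(data) - encrypted}

# Constructed sample (not a real artifact): a 2 MB file whose first MB stands in
# for ChaCha8 output (deterministic pseudo-random bytes) followed by plaintext logs.
SAMPLE = random.Random(1234).randbytes(MB) + (b"2026-03-10 backup job ok\n" * 42000)[:MB]
```

Calling `triage("report.pdf.xhsyw", SAMPLE)` reports one encrypted range covering the first MB and 1 MB of recoverable data; on real files, compare any high-entropy ranges against backups before trusting the estimate.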

Indicators of Compromise

  • malware — Kyber
  • malware — Kyber1024

Entities

  • Rapid7 (vendor)
  • VMware (vendor)
  • VMware ESXi (product)
  • Hyper-V (product)
  • Kyber1024 (technology)
  • Kyber ransomware gang (threat_actor)