Kyber ransomware gang targets Windows and VMware with post-quantum encryption
At a glance:
- Kyber ransomware is targeting Windows and VMware ESXi endpoints with post-quantum encryption.
- Two distinct variants were deployed simultaneously to maximize impact.
- The Windows variant uses Kyber1024 for key protection, while the ESXi variant uses ChaCha8 and RSA-4096.
Kyber ransomware targets multiple platforms
In March 2026, cybersecurity firm Rapid7 identified a new Kyber ransomware operation targeting both Windows systems and VMware ESXi endpoints. This dual-pronged attack demonstrates the ransomware group's adaptability and their strategy to maximize disruption by encrypting servers across different platforms simultaneously. Rapid7's analysis revealed two distinct variants of the Kyber ransomware, each tailored to its specific target.
The ESXi variant is designed specifically for VMware environments, with capabilities such as datastore encryption, optional virtual machine termination, and the defacement of management interfaces with ransom notes. This variant enumerates all virtual machines on the infrastructure, encrypts datastore files, and guides victims through the ransom payment and recovery process. On the other hand, the Windows variant, written in Rust, includes an 'experimental' feature targeting Hyper-V, showing the group's interest in expanding their reach to hypervisor technologies.
Post-quantum encryption claims and realities
One of the notable aspects of this Kyber ransomware operation is its claim to use post-quantum encryption based on Kyber1024 key encapsulation. However, Rapid7's analysis found that these claims are not entirely accurate. For the Linux ESXi encryptor, the ransomware actually uses ChaCha8 for file encryption and RSA-4096 for key wrapping, despite advertising post-quantum capabilities.
The Windows variant, however, does implement Kyber1024 and X25519 for key protection, aligning with the ransom note's claims. Rapid7 explains that Kyber1024 is used to protect the symmetric key material, while AES-CTR handles bulk data encryption. This distinction is crucial as it shows that the post-quantum cryptography is not used for direct file encryption but rather for securing the encryption keys.
Impact on victims and data recovery
The use of post-quantum cryptography in the Windows variant does not change the outcomes for victims. Whether the encryptor uses RSA or Kyber1024, files remain unrecoverable without access to the attacker's private key. The Windows variant appends the '.#~~~' extension to encrypted files, terminates services, deletes backups, and includes features to shut down Hyper-V virtual machines, eliminating multiple data recovery paths.
This variant is designed to be thorough in its disruption: it deletes shadow copies, disables boot repair, kills SQL, Exchange, and backup services, clears event logs, and wipes the Windows Recycle Bin. Rapid7 also noted an unusual choice of mutex in the Windows variant, which references a song on the Boomplay music platform.
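The Windows variant's behaviours described above (the '.#~~~' extension, shadow-copy deletion, boot-repair disablement, service termination and event-log clearing) lend themselves to a simple host-level correlation. The following is an added detection sketch, not code from Rapid7 or the article; the command-line patterns for shadow-copy deletion and boot-repair changes are assumptions about how those behaviours typically appear in telemetry, and the sample events are constructed.

```python
import re
from collections import Counter

# Reported Windows-variant indicator: encrypted files get this extension appended.
ENCRYPTED_EXT = ".#~~~"

# Assumed command-line shapes for the behaviours the article names; the article
# describes the behaviour, not the exact commands, so treat these as tunable.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
    "boot_repair_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "event_log_cleared": re.compile(r"wevtutil\s+cl\b", re.I),
}
# Service names worth watching given the article's list (SQL, Exchange, backup).
SERVICE_HINTS = re.compile(r"mssql|exchange|backup|veeam", re.I)

def classify(event):
    """Map one telemetry event (a dict) to an indicator category, or None."""
    kind = event.get("kind")
    if kind == "file_rename" and event.get("new_path", "").endswith(ENCRYPTED_EXT):
        return "encrypted_extension"
    if kind == "process":
        for name, pattern in RULES.items():
            if pattern.search(event.get("cmdline", "")):
                return name
    if kind == "service_stop" and SERVICE_HINTS.search(event.get("service", "")):
        return "critical_service_stopped"
    if kind == "log_cleared":  # e.g. Windows Security event ID 1102 (audit log cleared)
        return "event_log_cleared"
    return None

def score_host(events):
    """Count distinct indicator categories on one host. Alert when the encrypted
    extension co-occurs with any destructive behaviour, or when three or more
    categories appear together; a lone service stop or log clear is not enough."""
    hits = Counter(c for c in map(classify, events) if c)
    categories = set(hits)
    alert = ("encrypted_extension" in categories and len(categories) >= 2) or len(categories) >= 3
    return {"indicators": dict(hits), "alert": alert}

# Constructed sample telemetry for one host; not data from the incident.
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "service_stop", "service": "MSSQLSERVER"},
    {"kind": "service_stop", "service": "Spooler"},
    {"kind": "log_cleared", "log": "Security"},
    {"kind": "file_rename", "old_path": r"D:\share\q1.xlsx", "new_path": r"D:\share\q1.xlsx.#~~~"},
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```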
Technical maturity and future implications
Rapid7's analysis suggests that the Windows variant of Kyber appears more technically mature compared to the ESXi variant. The ESXi variant currently lacks some of the features present in the Windows variant, indicating that the group may be in the process of refining their tools for different platforms.
The simultaneous deployment of these two variants by the same ransomware affiliate highlights their strategy to maximize impact by encrypting all servers simultaneously. This approach not only increases the pressure on victims to pay the ransom but also demonstrates the group's capability to adapt to different environments.
Victim profile and industry impact
BleepingComputer has identified one listed victim on the Kyber data extortion portal, a multi-billion-dollar American defense contractor and IT services provider. This high-profile target underscores the potential impact of such attacks on critical infrastructure and sensitive data. As ransomware groups continue to evolve their tactics, targeting both traditional Windows environments and virtualized infrastructures like VMware ESXi, organizations must remain vigilant and invest in robust cybersecurity measures to protect against these sophisticated threats.
Conclusion
The Kyber ransomware operation's use of post-quantum encryption and its targeting of both Windows and VMware ESXi endpoints represent a significant evolution in ransomware tactics. While the post-quantum claims are not entirely accurate, the group's ability to adapt to different platforms and their thorough approach to data encryption and recovery prevention pose a substantial threat to organizations. As the cybersecurity landscape continues to evolve, it is crucial for businesses to stay informed about emerging threats and implement comprehensive security strategies to mitigate the risk of falling victim to such attacks.
FAQ
What platforms is the Kyber ransomware targeting?
What encryption methods does the Kyber ransomware use?
How does the Kyber ransomware affect data recovery?
Prepared by the editorial stack from public data and external sources.