Kyber Ransomware Deploys Post-Quantum Crypto on Windows
New Kyber ransomware operation uses NIST-standardized Kyber1024 encryption on Windows while targeting VMware ESXi with a separate variant. Rapid7 analysis reveals the ESXi version's claims are false.
A new ransomware operation called Kyber has become the first known group to deploy NIST-standardized post-quantum cryptography in production attacks. Rapid7 researchers retrieved and analyzed two distinct variants during a March 2026 incident response—one targeting Windows file servers, another built specifically for VMware ESXi environments.
The dual-platform approach mirrors tactics we've seen from BlackWater ransomware targeting medical infrastructure, but Kyber's encryption implementation sets it apart from every other ransomware family currently in circulation.
What Makes Kyber Different
The Windows variant actually implements what its ransom note claims: a hybrid encryption scheme combining Kyber1024 key encapsulation with AES-256-CTR for bulk file encryption. Kyber1024 is one of the post-quantum algorithms standardized by NIST in 2024 to resist attacks from future quantum computers.
In practical terms, organizations hit by Kyber's Windows variant face encryption that will remain secure even after quantum computers capable of breaking RSA and elliptic curve cryptography eventually emerge. Current ransomware recovery methods that rely on implementation flaws won't work against properly implemented post-quantum schemes.
But here's where it gets interesting: the ESXi variant lies about its encryption.
ESXi Variant: Marketing vs. Reality
Rapid7's analysis revealed a significant gap between Kyber's claims and reality on VMware environments. The Linux-based ESXi encryptor advertises "AES-256-CTR, X25519 and Kyber1024" in its ransom note, but technical examination showed it actually uses ChaCha8 with RSA-4096 key wrapping—conventional cryptography, not post-quantum.
The Windows variant is written in Rust and compiled with MSVC 19.36. The ESXi variant uses C++ compiled with GCC 4.4.7, an ancient compiler version. This stark difference suggests separate development teams or a rushed ESXi port that never received the same encryption upgrades.
Both variants share campaign infrastructure—the same Tor-based negotiation portal and leak site—indicating unified operations despite the technical divergence.
Technical Behavior
On ESXi systems, Kyber specifically targets /vmfs/volumes datastores. It can optionally terminate running virtual machines with graceful shutdown commands before encrypting their disk images. The encryptor also defaces management interfaces by modifying /etc/motd and web UI index pages.
For larger files, Kyber uses partial encryption: files under 1MB get fully encrypted, while larger files receive proportional encryption defaulting to 10% of the file. This speeds up attacks on multi-terabyte virtual disk images while still rendering them unusable.
The Windows variant goes after services first—msexchange, vss, backup, veeam, sql—before encryption. It runs 11 anti-recovery commands depending on privilege level, including VSS shadow copy deletion and event log clearing. The variant we analyzed also included experimental Hyper-V shutdown capabilities via PowerShell.
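The service-termination and anti-recovery behaviour described above is the part of the Windows variant that is easiest to catch in process-creation telemetry. The following is an added detection sketch, not code from Rapid7 or from the article; the log line format, host names and the exact command strings for shadow-copy deletion and log clearing are assumed, since the article only names the behaviours.

```python
import re

# Constructed sample process-creation events (not from the Rapid7 report); assumed shape:
# "<timestamp> host=<host> user=<user> cmd=<command line>".
SAMPLE_LOGS = [
    "2026-03-12T02:14:03Z host=FS01 user=svc_admin cmd=net stop MSExchangeIS /y",
    "2026-03-12T02:14:05Z host=FS01 user=svc_admin cmd=sc stop VeeamBackupSvc",
    "2026-03-12T02:14:09Z host=FS01 user=svc_admin cmd=vssadmin delete shadows /all /quiet",
    "2026-03-12T02:14:11Z host=FS01 user=svc_admin cmd=wevtutil cl Security",
    "2026-03-12T02:20:00Z host=FS01 user=jsmith cmd=notepad.exe C:\\notes\\todo.txt",
    "2026-03-12T02:21:00Z host=FS02 user=backupop cmd=net stop spooler",
]

# Service-name fragments the article says the Windows variant stops before encrypting.
TARGET_SERVICES = ("msexchange", "vss", "backup", "veeam", "sql")

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
STOP_RE = re.compile(r"^(?:net|sc)\s+stop\s+(?P<svc>\S+)", re.IGNORECASE)
# The command forms below are assumed; the article only names the behaviours.
SHADOW_RE = re.compile(r"vssadmin\s+delete\s+shadows", re.IGNORECASE)
EVTCLEAR_RE = re.compile(r"wevtutil\s+cl\b", re.IGNORECASE)

def classify(cmd):
    """Map a command line to one of the three anti-recovery behaviours, or None."""
    m = STOP_RE.match(cmd.strip())
    if m and any(t in m.group("svc").lower() for t in TARGET_SERVICES):
        return "service_stop"
    if SHADOW_RE.search(cmd):
        return "shadow_delete"
    if EVTCLEAR_RE.search(cmd):
        return "eventlog_clear"
    return None

def scan(lines):
    """Return (host, ts, category, cmd) for every matching event, in input order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and (cat := classify(m["cmd"])):
            hits.append((m["host"], m["ts"], cat, m["cmd"]))
    return hits

def hosts_with_sequence(hits):
    """Hosts where a targeted service stop precedes shadow deletion or log clearing."""
    # The chained pattern is a far stronger signal than any single admin-looking command.
    stopped, flagged = set(), set()
    for host, _ts, cat, _cmd in hits:  # hits are in timestamp order
        if cat == "service_stop":
            stopped.add(host)
        elif host in stopped:
            flagged.add(host)
    return sorted(flagged)
```

On the constructed sample, FS01 is flagged because the Exchange and Veeam stops are followed by shadow deletion and log clearing, while the lone `net stop spooler` on FS02 is ignored.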
Attribution and Scope
Rapid7 documented over 900 ransomware incidents publicly reported in March 2026 alone. Kyber represents a small but technically significant addition to this count. The operation's infrastructure and TTPs suggest an experienced affiliate model rather than newcomers.
The Vercel breach and similar incidents from threat groups like ShinyHunters demonstrate how ransomware operations continue evolving their monetization strategies. Kyber's post-quantum implementation may signal a broader trend as groups anticipate future cryptographic developments.
What This Means for Defenders
Post-quantum encryption doesn't change immediate response priorities. Standard ransomware mitigations still apply: maintain offline backups, segment networks, monitor for service termination commands, and block known C2 infrastructure.
The practical implication is for long-term planning. Organizations that experience a Kyber Windows infection face the reality that their encrypted data cannot be recovered through cryptographic weaknesses—not now, not in decades. The encryption is mathematically sound.
For VMware environments, the ESXi variant's conventional encryption offers some theoretical hope for recovery, though RSA-4096 remains computationally infeasible to break with current technology.
Indicators of Compromise
Rapid7 published the following hashes:
- ESXi variant: 6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc
- Windows variant: 45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d
The mutex boomplay.com/songs/182988982 references a legitimate African music streaming platform—likely a red herring or regional reference by the developers.
Encrypted file extensions differ by platform: .xhsyw for ESXi, .#~~~ for Windows. Ransom notes appear as readme.txt on ESXi and READ_ME_NOW.txt on Windows.
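The per-platform extensions and note names above, together with the partial-encryption policy described in the Technical Behavior section, are enough to triage a file listing from a suspected victim. The following is an added example, not code from the article or from Rapid7; the listing is constructed, and applying the 1MB/10% policy to both platforms is an assumption, since the article does not say whether the Windows variant uses the same thresholds.

```python
import re

# Per-platform indicators the article reports for Kyber: encrypted-file extension and ransom note name.
INDICATORS = {
    "esxi": {"ext": ".xhsyw", "note": "readme.txt"},
    "windows": {"ext": ".#~~~", "note": "READ_ME_NOW.txt"},
}
ONE_MB = 1024 * 1024
PARTIAL_PERCENT = 10  # article: files of 1MB or more get ~10% encrypted by default (assumed for both variants)

# Constructed datastore / file-share listing as (path, size_in_bytes); not real victim data.
SAMPLE_LISTING = [
    ("/vmfs/volumes/ds1/web01/web01-flat.vmdk.xhsyw", 40 * 1024 * ONE_MB),
    ("/vmfs/volumes/ds1/web01/web01.vmx.xhsyw", 3000),
    ("/vmfs/volumes/ds1/readme.txt", 2048),
    ("/vmfs/volumes/ds1/db01/db01-flat.vmdk", 80 * 1024 * ONE_MB),
    ("D:\\Shares\\Finance\\q1.xlsx.#~~~", 512 * 1024),
    ("D:\\Shares\\Finance\\archive.zip.#~~~", 3 * ONE_MB),
    ("D:\\Shares\\Finance\\READ_ME_NOW.txt", 1500),
]

def encrypted_bytes(size):
    """Bytes the described policy would touch: all of a small file, 10% of a large one."""
    return size if size < ONE_MB else size * PARTIAL_PERCENT // 100

def triage(entries):
    """Group a listing by variant: file counts, byte estimates and ransom-note paths per platform."""
    out = {p: {"files": 0, "total_bytes": 0, "encrypted_bytes": 0, "notes": []} for p in INDICATORS}
    for path, size in entries:
        name = re.split(r"[\\/]", path)[-1].lower()  # basename for either separator style
        for platform, ind in INDICATORS.items():
            if name.endswith(ind["ext"].lower()):
                s = out[platform]
                s["files"] += 1
                s["total_bytes"] += size
                s["encrypted_bytes"] += encrypted_bytes(size)
            elif name == ind["note"].lower():
                # Note names are a weak signal on their own (readme.txt is common); the extension is primary.
                out[platform]["notes"].append(path)
    return out
```

For the constructed 40GB VMDK the estimate is about 4GB actually encrypted, which explains how multi-terabyte datastores can be rendered unusable in minutes.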
Recommended Actions
Organizations running VMware ESXi should ensure their datastores aren't directly accessible from compromised endpoints. Network segmentation between corporate environments and virtualization infrastructure remains the most effective control against dual-platform ransomware like Kyber.
For broader ransomware defense strategies, our ransomware guide covers detection, response, and recovery fundamentals that apply regardless of the encryption algorithm attackers choose to deploy.