Kyber ransomware gang toys with post-quantum encryption on Windows

Kyber Ransomware Gang Toys with Post-Quantum Encryption on Windows

1. Overview

• A new Kyber ransomware operation targets Windows systems and VMware ESXi endpoints, with at least one variant advertising Kyber1024 post-quantum encryption.
• In March 2026, Rapid7 independently retrieved and analyzed two distinct Kyber variants during an incident response. Both variants appeared on the same network, suggesting a single ransomware affiliate aimed at maximizing impact by affecting multiple server types at once.
• The ESXi variant focuses on VMware environments, while the Windows variant targets file servers running Windows, with the two strains sharing a campaign ID and Tor-based ransom infrastructure.

1. Variants at a Glance

• 2.1 ESXi Variant ( VMware-focused )
• Built specifically for VMware environments, with capabilities to encrypt datastore files.
• Includes optional virtual machine termination and defacement of management interfaces to guide victims toward ransom instructions.
• Enumerates all virtual machines (VMs) on the infrastructure to determine scope and infection reach.
• 2.2 Windows Variant ( Windows-focused )
• Written in Rust and described by operators as having an “experimental” feature for targeting Hyper-V.
• Claims Kyber1024 post-quantum encryption in conjunction with key protection mechanisms.
• Uses AES-CTR for bulk data encryption while Kyber1024 is employed to protect the symmetric key material.

1. Shared Campaign Infrastructure and Victim Profile

• 3.1 Campaign identity and delivery
• Both variants share the same campaign ID and Tor-based ransom infrastructure, indicating deployment by the same ransomware affiliate.
• The operators appear to have intended encrypting all reachable servers within the target environment, potentially synchronizing the encryption of Windows file servers and VMware ESXi datastores.
• 3.2 Victim landscape
• At the time of reporting, a Kyber data extortion portal listed a single victim, described as a multi‑billion-dollar American defense contractor and IT services provider.
• The extortion portal serves as a channel to publish victim data and request payment as part of the ransom ecosystem.

1. Technical Details: Encryption and Crypto Choices

• 4.1 Linux/ESXi encryptor (ESXi variant)
• Focuses on datastore encryption and VM enumeration, with ESXi interface defacement used as part of the ransom note delivery.
• Claims of post-quantum encryption rely on Kyber1024, but evidence indicates the Linux ESXi encryptor uses ChaCha8 for file encryption and RSA-4096 for key wrapping.
• File handling behavior includes variable encryption extents: small files (<1 MB) fully encrypted; files between 1 MB and 4 MB have only the first MB encrypted; larger files (>4 MB) are encrypted intermittently based on operator configuration.
• 4.2 Windows variant (Windows target)
• The Windows variant uses Kyber1024 in combination with X25519 to protect key material, while bulk data encryption is performed with AES-CTR.
• The ransomware appends the extension .#~~~ to encrypted files and is designed to eliminate commonly used recovery paths.
• It terminates services, deletes backups, and includes an experimental capability to shut down Hyper-V virtual machines as part of its operational scope.

1. Operational Capabilities and Impact

• 5.1 Data destruction and recovery roadblocks
• The Windows variant is engineered to destroy a broad spectrum of data recovery avenues: it deletes shadow copies, disables boot repair, terminates SQL Server, Exchange, and backup services, clears event logs, and wipes the Windows Recycle Bin.
• The ESXi variant emphasizes disrupting management interfaces and defacing them with ransom notes to maximize pressure on administrators.
• 5.2 Post-quantum claims vs. practical outcome
• While the operation markets its use of Kyber1024 post-quantum cryptography for protecting keys, rapid assessments indicate Kyber1024 is not used for direct file encryption.
• In practice, the Windows variant relies on Kyber1024 to secure the symmetric key material, with AES-CTR handling the bulk encryption of files. This means the practical barrier to recovery remains the attackers’ private keys, regardless of the post-quantum branding.
• 5.3 Windows-specific behavioral notes
• The Windows variant’s mutex choice includes an unusual reference (a Boomplay music track), a detail notable to researchers tracing the malware’s internal identifiers and potential development lineage.

1. Extortion, Payment, and Victim Handling

• 6.1 Ransom notes and extortion workflow
• After encryption, victims are guided by ransom notes within the affected systems and the extortion portal.
• The portal’s listing of victims provides a public-facing indicator of incident scope and the pressure points used by operators to monetize access.
• 6.2 Recovery considerations (context)
• Even with post-quantum claims, the encryption model employed means that recovery hinges on obtaining the attacker’s private keys or viable backups, underscoring the importance of offline backups and robust recovery planning in general security practice.

1. Notable Observations and Takeaways

• 7.1 Post-quantum branding and real-world impact
• Kyber1024’s inclusion signals an industry interest in post-quantum cryptography within ransomware ecosystems, though the operational encryption path for files remains conventional (symmetric AES-CTR with protected key material).
• 7.2 Cross-environment reach
• The simultaneous targeting of Windows file servers and VMware ESXi datastores demonstrates an adversary’s intent to maximize disruption by compromising multiple layers of an IT environment.
• 7.3 Defensive note (context, not instructions)
• The combination of data destruction tactics, backup deletion, and Hyper-V disruption indicates a multi-pronged approach designed to complicate incident response and restore operations.

1. Related Content and Context

• Related ransomware coverage and industry context includes discussions of BlackCat attacks, bot-powered attack chains, and virtualization-focused ransomware tactics.
• The broader landscape includes references to post-quantum cryptography discussions and the evolving use of sophisticated crypto primitives in modern ransomware operations.

End of post.