Kyber Ransomware Experiments with Post‑Quantum Encryption

Overview

A new Kyber ransomware campaign is targeting both Windows systems and VMware ESXi hosts, with one variant experimenting with Kyber1024 post‑quantum key encapsulation. Rapid7's analysis in March 2026 found two distinct variants deployed simultaneously on the same victim network, suggesting the operator aimed to maximize impact by encrypting every server at once.

Key Highlights

  • Targets:
    • ESXi Variant: Encrypts datastore files, enumerates VMs, defaces management interfaces, and can terminate virtual machines.
    • Windows Variant: Written in Rust, appends the .#~~~ extension, deletes backups, terminates services, and includes an experimental Hyper‑V shutdown feature.
  • Encryption Methods:
    • Linux ESXi Variant: Uses ChaCha8 for file encryption and RSA‑4096 to wrap the file keys; nothing in it is post‑quantum.
    • Windows Variant: Protects the file keys with both Kyber1024 (a post‑quantum key encapsulation mechanism) and X25519; the file contents themselves are encrypted with AES‑CTR.
  • Campaign Infrastructure: Both variants share the same campaign ID and Tor‑based ransom portal.
  • Victim Profile: At least one confirmed victim — a multi‑billion‑dollar U.S. defense contractor and IT services provider.
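The Windows variant's key protection, as an added example in Go and not code from Rapid7's report or from the sample itself: a fresh AES‑256 key encrypts each file in CTR mode, that key is then encapsulated to the operator's public keys, and only the holder of both private keys can unwrap it. It uses the Go 1.24 standard library, whose ML‑KEM‑1024 (FIPS 203) stands in for Kyber1024; the two are the same design but not wire‑compatible. How the real sample combines the two shared secrets (here HKDF‑SHA256 over both) and how it wraps the file key (here AES‑CTR with a zero IV under a per‑file wrap key) are not described in the summary and are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// OperatorKeys are the operator's long-term private keys; only OperatorPublic
// would be embedded in an encryptor, so these never reach the victim.
type OperatorKeys struct {
	kem *mlkem.DecapsulationKey1024
	dh  *ecdh.PrivateKey
}
type OperatorPublic struct {
	KEM []byte // ML-KEM-1024 encapsulation key (1568 bytes)
	DH  []byte // X25519 public key (32 bytes)
}

// FileHeader is the per-file key blob stored next to the AES-CTR ciphertext.
type FileHeader struct {
	KEMCiphertext []byte // opens only with the operator's ML-KEM decapsulation key
	EphemeralDH   []byte // encryptor's one-time X25519 public key
	WrappedKey    []byte // 32-byte file key || 16-byte file IV, AES-CTR under the wrap key
}

func GenerateOperatorKeys() (*OperatorKeys, OperatorPublic, error) {
	dk, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, OperatorPublic{}, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, OperatorPublic{}, err
	}
	return &OperatorKeys{dk, priv}, OperatorPublic{dk.EncapsulationKey().Bytes(), priv.PublicKey().Bytes()}, nil
}

// aesCTR encrypts or decrypts (CTR is its own inverse); key sizes are fixed by callers.
func aesCTR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

func x25519Secret(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// wrapKey binds BOTH shared secrets: recovering the file key needs the private keys for
// (or a break of) both ML-KEM-1024 and X25519. It is fresh per file, hence the zero wrap IV.
func wrapKey(kemSecret, dhSecret []byte) []byte {
	k, err := hkdf.Key(sha256.New, append(kemSecret, dhSecret...), nil, "hybrid-file-key-wrap", 32)
	if err != nil {
		panic(err)
	}
	return k
}

// EncryptFile is the encryptor side: fresh file key, AES-CTR over the data, then
// hybrid encapsulation of that key to the operator's public keys.
func EncryptFile(pub OperatorPublic, plaintext []byte) (FileHeader, []byte, error) {
	fileKeyIV := make([]byte, 48) // 32-byte AES-256 key || 16-byte CTR IV
	rand.Read(fileKeyIV)
	ct := aesCTR(fileKeyIV[:32], fileKeyIV[32:], plaintext)
	ek, err := mlkem.NewEncapsulationKey1024(pub.KEM)
	if err != nil {
		return FileHeader{}, nil, err
	}
	kemSecret, kemCT := ek.Encapsulate()
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return FileHeader{}, nil, err
	}
	dhSecret, err := x25519Secret(eph, pub.DH)
	if err != nil {
		return FileHeader{}, nil, err
	}
	wrapped := aesCTR(wrapKey(kemSecret, dhSecret), make([]byte, 16), fileKeyIV)
	return FileHeader{kemCT, eph.PublicKey().Bytes(), wrapped}, ct, nil
}

// DecryptFile is the operator side. A wrong decapsulation key does NOT error: ML-KEM's
// implicit rejection yields a different secret and CTR has no integrity check, so the
// result is silently garbage rather than a failure.
func DecryptFile(op *OperatorKeys, hdr FileHeader, ct []byte) ([]byte, error) {
	if len(hdr.WrappedKey) != 48 {
		return nil, errors.New("malformed wrapped key")
	}
	kemSecret, err := op.kem.Decapsulate(hdr.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	dhSecret, err := x25519Secret(op.dh, hdr.EphemeralDH)
	if err != nil {
		return nil, err
	}
	keys := aesCTR(wrapKey(kemSecret, dhSecret), make([]byte, 16), hdr.WrappedKey)
	return aesCTR(keys[:32], keys[32:], ct), nil
}
```

The point for defenders is in DecryptFile: nothing in the victim's copy of the binary or on disk can produce the wrap key, because both the ML‑KEM decapsulation key and the X25519 private key stay with the operator. Swapping RSA for a hybrid KEM changes the operator's exposure to future quantum attacks, not the victim's recovery options.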

Technical Breakdown

  • File Handling:
    • Small files (<1 MB) fully encrypted.
    • Medium files (1–4 MB) partially encrypted (first MB).
    • Large files (>4 MB) encrypted intermittently, so stretches of the original content survive between the encrypted regions.
  • Windows Variant Features:
    • Deletes shadow copies and disables boot repair.
    • Terminates SQL, Exchange, and backup services.
    • Clears event logs and wipes Recycle Bin.
    • Uses a mutex referencing a Boomplay song — an unusual operator choice.
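The tiered scheme above means a medium or large file is mostly plaintext after encryption, which matters for forensics and for salvaging data. The following triage tool is an added example in Go, not code from Rapid7 or from the sample: it models the three tiers, then locates the encrypted regions of a file from its per‑block entropy and counts what remains readable. It also applies the extension check from the Defensive Guidance section. The stride of the intermittent mode is not published, so "1 MiB out of every 4 MiB" is an assumption made here, as is the constructed sample file.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"strings"
)

const MiB = 1 << 20

// Range is a half-open byte interval [Start, End).
type Range struct{ Start, End int64 }

// HasRansomExtension flags the two extensions named in the analysis.
func HasRansomExtension(path string) bool {
	return strings.HasSuffix(path, ".#~~~") || strings.HasSuffix(path, ".xhsyw")
}

// ExpectedEncryptedRanges models the tiered scheme in the write-up. The period of the
// "intermittent" mode for >4 MiB files is not published; 1 MiB out of every 4 MiB is
// an assumption made for this example.
func ExpectedEncryptedRanges(size int64) []Range {
	switch {
	case size < MiB:
		return []Range{{0, size}}
	case size <= 4*MiB:
		return []Range{{0, MiB}}
	}
	var rs []Range
	for off := int64(0); off < size; off += 4 * MiB {
		rs = append(rs, Range{off, min(off+MiB, size)})
	}
	return rs
}

// ShannonEntropy returns bits per byte: near 0 for repetitive data, near 8 for ciphertext.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// HighEntropyRanges walks data in fixed blocks and merges adjacent blocks whose entropy
// exceeds threshold. On a partially encrypted file these are the ciphertext regions;
// everything outside them is still plaintext.
func HighEntropyRanges(data []byte, block int, threshold float64) []Range {
	var out []Range
	for off := 0; off < len(data); off += block {
		end := min(off+block, len(data))
		if ShannonEntropy(data[off:end]) < threshold {
			continue
		}
		if n := len(out); n > 0 && out[n-1].End == int64(off) {
			out[n-1].End = int64(end)
		} else {
			out = append(out, Range{int64(off), int64(end)})
		}
	}
	return out
}

// PlaintextBytes counts the bytes of a file that lie outside the given ranges.
func PlaintextBytes(size int64, enc []Range) int64 {
	total := size
	for _, r := range enc {
		total -= r.End - r.Start
	}
	return total
}

// SimulateVictimFile builds a constructed sample (not a real artifact): repetitive
// CSV-like content with the tiered ranges overwritten by random bytes standing in
// for ciphertext.
func SimulateVictimFile(size int64) []byte {
	data := make([]byte, size)
	pattern := []byte("ACCOUNT,DATE,AMOUNT\n")
	for i := range data {
		data[i] = pattern[i%len(pattern)]
	}
	for _, r := range ExpectedEncryptedRanges(size) {
		rand.Read(data[r.Start:r.End])
	}
	return data
}

func main() {
	name := "budget_2026.xlsx.#~~~" // constructed path
	if !HasRansomExtension(name) {
		return
	}
	data := SimulateVictimFile(6 * MiB)
	enc := HighEntropyRanges(data, 64*1024, 7.0)
	fmt.Printf("%s: encrypted ranges %v, %d of %d bytes still plaintext\n",
		name, enc, PlaintextBytes(int64(len(data)), enc), len(data))
}
```

On a real incident the same entropy walk, run over the affected datastore or file share, tells you which files are total losses and which are mostly intact; a 64 KiB block and a 7.0 bits/byte threshold separate random ciphertext from office documents cleanly, but already‑compressed formats (archives, media) also score high and need to be judged against the tier boundaries rather than entropy alone.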

Risks to Enterprises

  • Post‑Quantum Experimentation: Kyber1024 is used only to protect the file keys (key encapsulation), not to encrypt data, but its presence shows ransomware groups are already testing cryptography meant to survive future quantum attacks.
  • Data Recovery Blocked: Whether the file keys are wrapped with RSA‑4096 or with Kyber1024, fully encrypted files cannot be recovered without the operator's private keys; only the plaintext left between the encrypted regions of medium and large files is salvageable.
  • Infrastructure Impact: ESXi and Hyper‑V targeting maximizes disruption across virtualized environments.
  • Defense Sector Targeting: Indicates high‑value victims are in scope.

Defensive Guidance

  • Patch & Harden: Ensure VMware ESXi and Windows servers are fully updated.
  • Backup Strategy: Maintain offline, immutable backups to counter ransomware deletion tactics.
  • Monitor for Indicators: Watch for the .xhsyw and .#~~~ file extensions, unfamiliar mutexes, and ransom‑note defacement of ESXi management interfaces.
  • Network Segmentation: Isolate critical workloads to limit blast radius.
  • Incident Response Readiness: Prepare for ransomware variants experimenting with advanced cryptography.

Final Thought

Kyber ransomware’s use of post‑quantum encryption marks a turning point: threat actors are experimenting with cryptographic schemes designed to withstand future quantum attacks. While the practical impact for victims remains unchanged — files are unrecoverable without attacker keys — the symbolic move shows ransomware operators are adapting at the cutting edge. For defenders, this is a reminder that virtualized environments and cryptographic agility must be prioritized in resilience planning.
