Full Report
A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption. [...]
Analysis Summary
# Threat Actor: Kyber Ransomware Group
## Attribution & Identity
* **Actor Name:** Kyber
* **Aliases:** None currently identified.
* **Known Associations:** Operates a ransomware-as-a-service (RaaS)-style model with affiliates (evidenced by the use of campaign IDs).
* **Identity Notes:** The threat actor group is relatively new (first observed in early 2026). A unique characteristic is their use of a mutex referencing a song on the Boomplay music platform, potentially a developer artifact or a local cultural reference.
## Activity Summary
* **March 2026 Campaign:** Rapid7 identified an incident where two distinct variants (Windows and Linux/ESXi) were deployed simultaneously within a single network.
* **Post-Quantum Experimentation:** The actor is actively marketing "Post-Quantum" encryption capabilities, specifically implementing Kyber1024 in their Windows variant to differentiate themselves in the ransomware market.
## Tactics, Techniques & Procedures
* **Dual-Platform Execution:** Orchestrated deployment of platform-specific encryptors (Rust-based for Windows, ELF for ESXi) using a shared campaign ID/infrastructure.
* **Service Termination:** Kills SQL, Exchange, and various backup services to ensure file handles are released for encryption.
* **VM Operations:**
  * **ESXi:** Enumerates and terminates virtual machines; encrypts datastores.
  * **Windows:** Implements an "experimental" feature to shut down Hyper-V VMs.
* **Anti-Recovery Actions:** Deletes Volume Shadow Copies, disables boot repair, clears Windows Event Logs, and wipes the Recycle Bin.
* **Encryption Methodology:**
  * **Windows Variant:** Uses Kyber1024 and X25519 for key encapsulation/protection and AES-CTR for bulk data encryption.
  * **ESXi Variant:** Claims post-quantum encryption but actually uses ChaCha8 for file encryption and RSA-4096 for key wrapping. Intermittent encryption is used for files larger than 4 MB.
* **Defacement:** Overwrites ESXi management interfaces with ransom notes.
## Targeting
* **Sectors:** Defense Contracting, IT Services.
* **Geography:** United States (based on known victimology).
* **Victims:** A multi-billion-dollar American defense contractor.
## Tools & Infrastructure
* **Malware Families:**
  * **Kyber Windows:** A mature encryptor written in the Rust programming language.
  * **Kyber ESXi:** An ELF library variant specifically for VMware environments.
* **Infrastructure:**
  * **Data Extortion Portal:** Tor-based "Kyber" leak site.
  * **Extensions:** `.#~~~` (Windows) and `.xhsyw` (ESXi).
## Implications
* **Evolution of Encryption:** The inclusion of Kyber1024 indicates a trend where threat actors are adopting NIST-standardized post-quantum algorithms for marketing purposes and to future-proof their encryption against quantum computing breakthroughs.
* **High-Value Targeting:** The focus on defense contractors and the development of specialized ESXi/Hyper-V modules suggest a focus on high-impact, enterprise-level extortion ("Big Game Hunting").
* **Operational Maturity:** While the Linux variant is less mature, the Windows Rust-based variant is technically sophisticated, indicating a capable development team.
## Mitigations
* **Virtualization Security:** Harden VMware ESXi management interfaces; restrict access to ESXi shells and ensure robust patch management for hypervisors.
* **Immutable Backups:** Maintain offline or immutable backups that are cryptographically isolated from the production Windows/ESXi environment to prevent the group's "anti-recovery" scripts from deleting them.
* **Endpoint Protection:** Deploy EDR/XDR solutions capable of detecting Rust-based binaries and unauthorized VSS (Volume Shadow Copy) deletion attempts.
* **Network Segmentation:** Limit lateral movement capabilities between IT workstations and critical infrastructure (Hyper-V/ESXi hosts).
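The anti-recovery actions listed under Tactics, Techniques & Procedures and the VSS-deletion detection called for under Endpoint Protection can be turned into a simple correlation rule. The following is an added example, not code from the report or from Rapid7: it assumes Sysmon-style process-creation events with a timestamp, parent PID and command line, and the command-line patterns are this example's own assumption about how such actions typically appear, since the report does not quote the malware's commands. A single VSS deletion (backup agents do this legitimately) is rated low; several distinct anti-recovery categories from the same parent inside a short window are rated high.

```python
import re
from collections import defaultdict

# Command-line patterns for the anti-recovery actions the report lists. These
# patterns are an assumption of this example, not quoted from the malware.
ANTI_RECOVERY_RULES = {
    "vss_deleted": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "boot_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "eventlog_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "recycle_bin_wiped": re.compile(r"\b(rd|rmdir)\b.*\$Recycle\.Bin\b", re.I),
}

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 100, "ppid": 7000, "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101, "ppid": 7000, "parent": "cmd.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": 102, "ppid": 7000, "parent": "cmd.exe", "cmdline": "wevtutil.exe cl Security"},
    {"ts": 103, "ppid": 7000, "parent": "cmd.exe", "cmdline": r"rd /s /q C:\$Recycle.Bin"},
    {"ts": 150, "ppid": 8000, "parent": "backupagent.exe", "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"ts": 151, "ppid": 9000, "parent": "explorer.exe", "cmdline": "vssadmin.exe list shadows"},
]


def classify(event):
    """Return the anti-recovery categories a single command line matches."""
    return [name for name, rx in ANTI_RECOVERY_RULES.items() if rx.search(event["cmdline"])]


def correlate(events, window=60, min_categories=2):
    """Group hits by parent PID and rate each parent: 'high' when it spawned at
    least min_categories distinct anti-recovery actions within `window` seconds
    of its first hit, otherwise 'low' (a lone VSS deletion may be a backup agent)."""
    by_parent = defaultdict(list)
    for ev in events:
        for cat in classify(ev):
            by_parent[ev["ppid"]].append((ev["ts"], cat, ev["parent"]))
    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()
        first_ts = hits[0][0]
        cats = {cat for ts, cat, _ in hits if ts - first_ts <= window}
        severity = "high" if len(cats) >= min_categories else "low"
        alerts.append({"ppid": ppid, "parent": hits[0][2],
                       "categories": sorted(cats), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```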