Data Security, Ransomware, Encryption, Threat Intelligence

Kyber ransomware targets Windows and ESXi with post-quantum encryption claims

Bleeping Computer disclosed that a new Kyber ransomware operation is actively targeting both Windows systems and VMware ESXi endpoints, with one variant notably implementing Kyber1024 post-quantum encryption.

Cybersecurity firm Rapid7 analyzed two distinct Kyber variants deployed on the same network in March 2026. One variant targets VMware ESXi, featuring datastore encryption and VM termination, while the Windows variant, written in Rust, includes an experimental feature for Hyper-V. Both share the same campaign ID and Tor-based ransom infrastructure, suggesting a single affiliate aiming for maximum impact.

The ESXi variant claims post-quantum encryption but actually uses ChaCha8 and RSA-4096, whereas the Windows variant does use Kyber1024 and X25519 to protect the symmetric keys used for AES-CTR bulk encryption. The Windows variant also terminates services, deletes backups, and attempts to eliminate recovery paths by clearing shadow copies and event logs.

Source: Bleeping Computer
