Kyber ransomware targets Windows systems and VMware ESXi endpoints, marking a significant escalation in cyber threats with its notable implementation of Kyber1024 post-quantum encryption in one of its variants. This new operation, first observed in September 2025 and analyzed by cybersecurity firm Rapid7 in March 2026, showcases a dual-platform approach designed to maximize disruption and financial gain.
The Dual-Platform Threat of Kyber Ransomware
The Kyber ransomware gang employs distinct variants for Windows and VMware ESXi environments, both sharing a common campaign ID and Tor-based infrastructure for ransom demands and data exfiltration. The Windows variant, crafted in Rust, utilizes AES-256-CTR for file encryption and notably implements Kyber1024 for key encapsulation, an algorithm designed to resist future quantum computer attacks. It also includes an “experimental” feature for targeting Hyper-V, appending encrypted files with the “.#~~~” extension.
In contrast, the ESXi variant, developed in C++, employs ChaCha8 for file encryption and RSA-4099 for key wrapping. This version is specifically engineered to encrypt datastore files, optionally terminate virtual machines, and deface management interfaces with ransom notes, appending encrypted files with the ‘.xhsyw’ extension. Both variants delete shadow copies and logs to hinder recovery, with ransom notes, typically named “readme.txt” or “READ_ME_NOW.txt”, informing victims of encryption and data exfiltration, threatening publication if contact isn’t made within one to two weeks.
“The adoption of post-quantum cryptography by ransomware gangs, even if partially implemented or falsely advertised, highlights a growing trend in cyber threats as organizations prepare for the advent of quantum computing.”
Global Reach and Targeted Industries
The Kyber ransomware operation is globally targeting Windows systems and VMware ESXi endpoints, with a particular focus on English-speaking regions such as the United States, Western Europe, and Australia. Industries under attack include aerospace & defense, government contractors, and technology/engineering firms. A multi-billion-dollar American defense contractor and IT services provider is among the known victims, underscoring the high-value targets this group pursues.
The Quantum Encryption Conundrum
The use of Kyber1024, a parameter set of the CRYSTALS-Kyber key encapsulation mechanism (KEM) selected by NIST for its post-quantum resistance, is a critical aspect of this ransomware. While the Windows variant appears to implement Kyber1024, the ESXi variant, despite advertising “post-quantum” encryption, actually relies on ChaCha8 with RSA-4096 key wrapping. This discrepancy highlights both the genuine and potentially deceptive adoption of advanced cryptographic techniques by cybercriminals. Regardless, the intent to leverage the perceived invulnerability of related Tech news against future threats is clear, even if not fully realized across all variants.
The primary motivation behind Kyber ransomware remains financial gain through extortion. By encrypting critical systems and exfiltrating sensitive data, the gang aims to maximize disruption and pressure victims into paying a ransom for decryption and to prevent data leaks. This dual-platform approach allows the attackers to impact a wider range of an organization’s infrastructure simultaneously, increasing their leverage.
As organizations grapple with increasingly sophisticated cyber threats, the emergence of ransomware like Kyber, which incorporates or claims to incorporate post-quantum encryption, signals a new era in cybersecurity challenges. Businesses must prioritize robust defense strategies, including advanced threat detection, incident response planning, and continuous employee training, to protect against these evolving and financially motivated attacks.




