Kyber Ransomware Is Lying About Post-Quantum Encryption — and That’s the Least Dangerous Part
Direct Answer: What is Kyber ransomware and how does it work?
Kyber is a ransomware operation first observed in September 2025 that attacks VMware ESXi hosts and Windows file servers at the same time. During a March 2026 incident response engagement, Rapid7 recovered both payloads from the same network, a rare chance to analyse dual-platform ransomware side by side. The ESXi variant, written in C++, enumerates every virtual machine on the host, optionally powers off running VMs, encrypts datastore files, and defaces the ESXi management interface with a ransom note claiming post-quantum Kyber1024 encryption. Rapid7’s decompilation shows that claim is false: the ESXi variant uses ChaCha8 for file encryption and RSA-4096 for key wrapping, with no post-quantum cryptography at all. The Windows variant, written in Rust, does implement what it advertises: Kyber1024 key encapsulation protecting AES-256-CTR file keys. Both variants share a campaign identifier and Tor-based ransom infrastructure. One victim is listed on Kyber’s extortion portal, a multi-billion-dollar American defence contractor and IT services provider. For scale, Rapid7 recorded over 900 publicly reported ransomware incidents in March 2026 alone; Kyber is one active operation within that landscape.
“Kyber ransomware isn’t a masterpiece of complex code, but it is highly effective at causing destruction. It reflects a shift toward specialization over sophistication.” — Rapid7, April 2026
The Vucense 2026 Ransomware Resilience Index
How enterprise infrastructure configurations compare on resilience to the Kyber attack pattern, rated against the TTPs Rapid7 documented.
| Configuration | ESXi Exposure | Windows Exposure | Backup Recovery Path | Overall Resilience |
|---|---|---|---|---|
| ESXi SSH enabled + no segmentation | Critical | N/A | Destroyed (datastore-resident backups and snapshots encrypted with the VMs) | 4/100 |
| Windows no immutable backup + vssadmin accessible | N/A | Critical | Destroyed (11 defence-impairment commands) | 6/100 |
| Dual Windows + ESXi, flat network, no segmented backup | Critical | Critical | Total loss | 2/100 |
| ESXi SSH disabled + Veeam off-host + MFA | Moderate | N/A | Recoverable | 61/100 |
| Windows + AppLocker + segregated immutable backup | N/A | Moderate | Recoverable | 64/100 |
| Air-gapped backups + network segmentation + MFA + least privilege | Low | Low | Full recovery path | 89/100 |
Resilience Score methodology: weighted across attack surface reduction (35%), backup recovery viability (35%), detection capability (20%), network segmentation (10%). Scores reflect resilience specifically to Kyber’s documented TTP set per Rapid7’s March 2026 incident response analysis.
Analysis: What Rapid7 Found in the Kyber Incident Response
The March 2026 engagement gave Rapid7 something unusually valuable: both ransomware payloads deployed on the same corporate network at the same time. That coordinated cross-platform deployment, ESXi and Windows simultaneously with a shared campaign ID and ransom infrastructure, is the defining characteristic of Kyber as a threat. Unlike groups that specialise in one environment, Kyber’s tooling is built for a complete operational blackout: encrypt the hypervisor layer and the file servers at once, remove every obvious recovery path, and present the victim with a single ransom negotiation.
The ESXi variant works as follows. On execution it enumerates the virtual machines on the host with the native esxcli tool, the same command-line interface VMware administrators use for legitimate management. It can optionally power off running VMs first; a running VM holds locks on its disk files, so this step is what makes the VMDKs writable. It then encrypts datastore files and appends the .xhsyw extension: files under 1 MB are encrypted in full, larger files are encrypted intermittently according to the operator’s configuration, a common speed trade-off that still leaves the files unusable. Finally it defaces the ESXi management interface, replacing /etc/motd, /usr/lib/vmware/hostd/docroot/index.html and related management files, so that every administrator who logs in to the host sees the ransom demand.
The ransom note embedded in the ELF binary claims the variant uses AES-256-CTR with X25519/Kyber1024. Rapid7’s decompilation shows this is false. File encryption is ChaCha8: the key setup function loads the "expand 32-byte k" sigma constant, and the keystream loop follows the quarter-round structure that RFC 8439 specifies for ChaCha20 but runs eight rounds instead of twenty (four column-and-diagonal double rounds rather than ten). RSA-4096 wraps the file key. There is no Kyber1024 implementation anywhere in the ESXi binary; the operators almost certainly copied the ransom note from the Windows variant without updating its cryptographic claims. The reduced round count does not make recovery feasible: no practical attack on eight-round ChaCha is known, and the file key is in any case protected by RSA-4096.
The Windows variant is technically more mature and actually delivers what it claims. Written in Rust, it implements a genuine hybrid encryption scheme: Kyber1024 for key encapsulation (protecting the symmetric key material) and AES-256-CTR for bulk file encryption. The embedded public key validates against the expected Kyber1024 public key size of 1,568 bytes. When executed with elevated privileges, it assigns custom icons to encrypted files by registering the .#~~~ extension, writes files to C:\fucked_icon\, and executes ie4uinit.exe to force immediate display of the new icons across the filesystem without a restart.
The Windows variant’s destruction playbook spans eleven distinct commands to impair defences: it terminates SQL Server, Exchange, and backup services (specifically targeting Veeam); deletes Volume Shadow Copies; disables boot repair; clears Windows Event Logs; wipes the Windows Recycle Bin; and includes an experimental capability to shut down Hyper-V virtual machines. The combination eliminates almost every standard recovery path available to Windows system administrators without a segregated off-host backup.
A notable oddity: the Windows variant’s mutex — used to prevent multiple instances running simultaneously — is set to boomplay[.]com/songs/182988982, which appears to reference a specific song on Boomplay, an African music streaming platform. Rapid7 could not identify the specific track due to geo-restrictions. The choice is unusual and may be a signature element, an inside reference, or simply an arbitrary string the developer found memorable.
The Sovereign Perspective
- The PQC deception signal: The ESXi variant’s false post-quantum claim matters less as a technical failure than as threat-actor marketing. Ransomware groups are adopting post-quantum language as a threat amplifier: the implication is that the encryption cannot be broken even by a future quantum computer, so there is no hope of eventual key recovery. That Kyber’s operators are willing to make this claim without the code to back it up shows they understand its psychological value. The Windows variant’s genuine Kyber1024 implementation shows they have the capability; the ESXi binary simply does not contain it, most plausibly because the note was copied over from the Windows build.
- The dual-platform architecture risk: Kyber’s dual deployment, ESXi and Windows at once under the same campaign and ransom infrastructure, is a maturation in ransomware tradecraft. When only Windows file servers are encrypted, organisations with hypervisor-level backups or snapshots can often restore the guests from the virtualisation layer. When only ESXi is encrypted, organisations can often restore Windows file systems from guest-level backups. Kyber hits both layers at once and closes the cross-platform recovery path. This is not sophisticated code; it is sophisticated targeting.
- The defence contractor precedent: The one victim on Kyber’s extortion portal is described as a multi-billion-dollar American defence contractor and IT services provider, and that is the threat-intelligence signal most organisations should internalise. Defence contractors are among the most heavily regulated and security-conscious organisations in the US economy. If Kyber can compromise and list a target in that category, the TTP set is viable against virtually any enterprise that has not specifically hardened against this attack pattern.
The Post-Quantum Encryption Deception: Why It Matters Beyond This Attack
The fact that Kyber’s ESXi variant falsely claims Kyber1024 encryption deserves analysis beyond this specific incident. It reflects a broader trend in ransomware marketing: threat actors are adopting post-quantum terminology specifically because it creates psychological urgency that standard encryption claims no longer produce.
The cryptographic reality in 2026 is that RSA-4096, which the ESXi variant genuinely uses for key wrapping, is beyond any currently operational quantum computer. No quantum computer capable of breaking RSA-4096 exists as of April 2026. The "harvest now, decrypt later" concern, storing intercepted ciphertext until a sufficiently powerful quantum computer exists, is a problem for data that stays valuable for decades. In principle a ransomware victim could keep the encrypted files and their RSA-wrapped keys against that day, but it does not help with recovery: nobody benefits from files that might become decryptable in 15 years when they need their data back today.
What the PQC claim actually does is signal to victims that seeking a decryptor from law enforcement or security researchers is pointless. This is the real threat: not that the encryption is quantum-resistant, but that the victim believes it to be, and acts accordingly. For IT teams that understand the actual cryptography involved, the ESXi variant’s false claim is interesting intelligence. For business decision-makers without that background, it is a negotiation-closing lie.
The Windows variant’s genuine Kyber1024 implementation is a different story. Kyber1024 is the largest parameter set of CRYSTALS-Kyber, which NIST standardised as ML-KEM-1024 in FIPS 203 (finalised August 2024). Using it to encapsulate a symmetric key rather than to encrypt files directly is architecturally correct: a KEM is designed for key establishment, not bulk data encryption, and the KEM-plus-symmetric-cipher construction (Kyber1024 protecting an AES-256-CTR file key) is the standard way one is used, the same pattern recommended for post-quantum transition cryptography. If and when this scheme is fully ported to the ESXi platform, the strain will be genuinely more resilient against future quantum decryption. Against classical computation both variants’ key wrapping is already unbreakable, so the practical difference today is nil.
Technical Indicators of Compromise
The following IOCs are derived from Rapid7’s March 2026 incident response analysis. Add these to your detection rules immediately:
File extensions:
- ESXi encrypted files: .xhsyw
- Windows encrypted files: .#~~~
Mutex (Windows variant):
- boomplay[.]com/songs/182988982 (defanged here)
ESXi management defacement targets:
- /etc/motd
- /usr/lib/vmware/hostd/docroot/index.html
Windows variant file-system artefacts:
- Icon directory C:\fucked_icon\ (written when running with elevated privileges) and an ie4uinit.exe execution to refresh the icon cache
Windows variant targeted services (terminated before encryption):
- SQL Server instances
- Microsoft Exchange services
- Veeam backup services
Windows variant defence impairment commands (11 documented; the binaries named in the report):
- vssadmin.exe: Volume Shadow Copy deletion
- wmic.exe: WMI abuse
- wevtutil.exe: Event log clearing
- bcdedit.exe: boot repair disabled
Ransom note infrastructure: Tor-based, shared across ESXi and Windows variants (same campaign ID)
Actionable Steps: Hardening Against the Kyber TTP Set
These steps are prioritised by impact for organisations that have not yet hardened specifically against Kyber’s documented attack pattern.
1. Disable ESXi SSH and the ESXi Shell by default, enabling them only for maintenance windows. Kyber’s ESXi variant runs from a shell on the host and drives esxcli, a native tool; it needs no exploit, only shell access (Rapid7 does not name the initial access vector, and SSH with stolen or weak credentials is the usual route). Disabling SSH as the default state and re-enabling it only for specific maintenance windows is the single highest-impact ESXi hardening action available. Navigate to ESXi host → Manage → Services → SSH → Stop service, and set the startup policy to “Start and stop manually.” Note that anyone holding host-root or vCenter administrator credentials can turn the service back on, so this complements credential hygiene and MFA rather than replacing them.
2. Implement immutable, off-host backups — today. Kyber’s Windows variant explicitly targets Veeam, SQL Server, and Exchange services before encryption. If your Veeam backup server is reachable from the compromised Windows network segment, Kyber will terminate it. Immutable backups (write-once, verified off-host copies) are the only recovery path that survives this attack pattern. If your backup solution does not currently support immutability, evaluate Veeam Hardened Repository, Wasabi Object Lock, or AWS S3 Object Lock for your backup storage tier.
3. Restrict execution of vssadmin.exe, wmic.exe, wevtutil.exe and bcdedit.exe. These are the tools in Kyber’s documented 11-command defence impairment sequence. AppLocker or Windows Defender Application Control (WDAC) rules that deny these binaries to ordinary users take them out of reach of a commodity foothold and break this part of the playbook for many ransomware families, not just Kyber. The caveat is that the Windows variant runs with elevated privileges, so an operator who already holds admin is not stopped by account-scoped rules alone; pair the restriction with EDR rules that alert on, or block, shadow-copy deletion, event log clearing and bcdedit recovery changes regardless of who runs them.
4. Add Kyber IOCs to your detection rules right now. The mutex boomplay[.]com/songs/182988982 (defanged here) is a unique, searchable string; add it to your SIEM, EDR and network monitoring tools. The file extensions .xhsyw and .#~~~ are unusual enough to be high-confidence detection signals. Monitor the ESXi management files /etc/motd and /usr/lib/vmware/hostd/docroot/index.html for unexpected modifications, since Kyber overwrites them to deliver its ransom note.
5. Implement least-privilege access for ESXi environments. Kyber uses native esxcli tooling with no custom exploit, so the attack depends entirely on holding elevated access to the host. Keep the set of accounts with shell and host-API access minimal, use separate non-admin accounts for day-to-day monitoring, and require MFA for all privileged ESXi and vCenter access. vSphere roles and ESXi local-account management determine who can reach the shell and the API at all; review that list regularly.
6. Segment your backup network from your production network. Kyber’s cross-platform deployment model — ESXi and Windows simultaneously — requires that the operators can reach both environments from their foothold. Network segmentation that places your backup infrastructure (Veeam servers, backup storage) in a separate network segment with strict ingress controls dramatically limits the blast radius of any ransomware infection that achieves an initial foothold on your production network.
7. Monitor VMware ESXi management interfaces for defacement. Set up active monitoring for changes to ESXi management files. A sudden modification to /etc/motd or the ESXi web interface HTML is a high-confidence indicator that the ESXi host has been compromised and encryption may already be underway. Early detection at this point may not prevent encryption but will enable faster incident response and reduce the window during which additional systems can be compromised.
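As an added example (not Rapid7’s code and not a published rule set), the following Python turns the IOC list above and steps 4 and 7 into detection logic and runs it over a few constructed telemetry events. The argument patterns for the four impairment binaries are the generic forms those tools take in ransomware playbooks, since the exact command lines from the report are not reproduced on this page; the event schema, the host names fs01, esxi01 and ws07, and the plain-dot form of the mutex are assumptions.

```python
"""Detection logic for the Kyber indicators listed on this page, applied to a few
constructed telemetry events. Added example; not Rapid7's code."""
import re
from dataclasses import dataclass

# Indicators taken from the page.
ENCRYPTED_EXTENSIONS = (".xhsyw", ".#~~~")
ESXI_DEFACEMENT_PATHS = ("/etc/motd", "/usr/lib/vmware/hostd/docroot/index.html")
# The page prints the mutex defanged; the plain-dot form is an assumption.
MUTEX_NAMES = ("boomplay[.]com/songs/182988982", "boomplay.com/songs/182988982")

# Command-line patterns for the four impairment binaries the page names. These are
# the generic argument forms such tools take in ransomware playbooks, not command
# lines quoted from the report.
IMPAIRMENT_PATTERNS = {
    "vss_shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "eventlog_clear": re.compile(r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b", re.I),
    "boot_repair_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def match_event(event: dict) -> list:
    """Apply the indicators to one event; returns the alerts it raises (possibly none)."""
    host, kind = event.get("host", "?"), event.get("type")
    alerts = []
    if kind == "process":
        cmd = event.get("cmdline", "")
        alerts += [Alert(host, rule, "high", cmd)
                   for rule, pat in IMPAIRMENT_PATTERNS.items() if pat.search(cmd)]
    elif kind == "file_write" and event.get("path", "").lower().endswith(ENCRYPTED_EXTENSIONS):
        alerts.append(Alert(host, "kyber_encrypted_extension", "critical", event["path"]))
    elif kind == "mutex" and event.get("name") in MUTEX_NAMES:
        alerts.append(Alert(host, "kyber_windows_mutex", "critical", event["name"]))
    elif kind == "file_modify" and event.get("path") in ESXI_DEFACEMENT_PATHS:
        alerts.append(Alert(host, "esxi_management_defacement", "critical", event["path"]))
    return alerts


def evaluate(events, impairment_threshold: int = 3) -> list:
    """Run every event through the indicators, then add one correlated alert per host
    that ran at least `impairment_threshold` distinct impairment commands: a lone
    vssadmin call is noisy in isolation, the sequence is not."""
    alerts, per_host = [], {}
    for event in events:
        for alert in match_event(event):
            alerts.append(alert)
            if alert.rule in IMPAIRMENT_PATTERNS:
                per_host.setdefault(alert.host, set()).add(alert.rule)
    for host, rules in per_host.items():
        if len(rules) >= impairment_threshold:
            alerts.append(Alert(host, "defence_impairment_sequence", "critical", ", ".join(sorted(rules))))
    return alerts


# Constructed sample telemetry for hypothetical hosts fs01, esxi01 and ws07.
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "cmdline": "vssadmin.exe list shadows"},            # benign
    {"type": "process", "host": "fs01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "fs01", "cmdline": "wmic.exe shadowcopy delete"},
    {"type": "process", "host": "fs01", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "host": "fs01", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"type": "file_write", "host": "fs01", "path": r"D:\Shares\Finance\Q1-forecast.xlsx.#~~~"},
    {"type": "mutex", "host": "fs01", "name": "boomplay.com/songs/182988982"},
    {"type": "file_modify", "host": "esxi01", "path": "/etc/motd"},
    {"type": "file_write", "host": "esxi01", "path": "/vmfs/volumes/ds1/app01/app01-flat.vmdk.xhsyw"},
    {"type": "process", "host": "ws07", "cmdline": "wevtutil.exe qe Application /c:5"},    # benign
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.host:7} {a.rule:28} {a.detail}")
```

The per-host correlation is the part worth keeping: administrators do run vssadmin and wevtutil, but three or four of the impairment commands from one host inside a short window is the Windows variant’s playbook and little else, and the .xhsyw and .#~~~ writes or the mutex name should page someone on a single hit.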
The Q1 2026 Ransomware Context
Kyber does not operate in isolation. Rapid7 recorded over 900 ransomware incidents publicly reported in March 2026 alone. ZeroFox data shows at least 2,059 separate ransomware and digital extortion incidents across Q1 2026, with the most active groups being Qilin (338 claimed victims), Akira (197), and The Gentlemen (192).
The Gentlemen ransomware-as-a-service operation is separately notable this week: Check Point research revealed a botnet of over 1,570 victims discovered via a SystemBC command-and-control server, indicating the group is operating at a significantly higher level than its public victim count suggests. The Gentlemen uses SystemBC for covert payload delivery alongside Cobalt Strike, following established enterprise intrusion playbooks rather than opportunistic scanning.
The convergence of dual-platform targeting (Kyber), post-quantum marketing (Kyber’s ESXi ransom note), and expanding botnet infrastructure (The Gentlemen) characterises the Q1 2026 ransomware environment as one in which specialisation and operational professionalism are accelerating. The “standard ransomware playbook” of abusing native tools, deleting backups and encrypting everything remains effective precisely because most organisations have not yet implemented the basic hardening steps that would break it.
FAQ: Kyber Ransomware and Post-Quantum Encryption
Q: Does Kyber ransomware actually use post-quantum encryption? Partly. The Windows variant genuinely implements Kyber1024 hybrid encryption — using the NIST-standardised post-quantum key encapsulation mechanism to protect the symmetric encryption key, combined with AES-256-CTR for actual file encryption. The ESXi (Linux) variant falsely claims the same in its ransom note but actually uses ChaCha8 with RSA-4096 key wrapping. Rapid7’s decompilation confirmed this discrepancy.
Q: If the ESXi variant doesn’t use real post-quantum encryption, can files be decrypted without paying? Not in practice. The ESXi variant’s RSA-4096 key wrapping means the file key is protected by the attacker’s private RSA key, which only they hold. Without obtaining that private key, either by paying the ransom or through law enforcement action against the operators, file recovery means restoring from backup. RSA-4096 is not broken by any known current technology, quantum or otherwise.
Q: Who is Kyber ransomware targeting? Based on the one confirmed extortion portal listing, the known confirmed victim is a multi-billion-dollar American defence contractor and IT services provider. The dual-platform deployment model — ESXi and Windows simultaneously — suggests the group targets enterprise organisations with virtualised infrastructure, which implies mid-to-large enterprises across all sectors. The Rust-based Windows variant’s inclusion of an “experimental” Hyper-V shutdown capability suggests the operators are also testing against Microsoft Hyper-V environments.
Q: How does Kyber ransomware get initial access? The Rapid7 report does not specify the initial access vector for the March 2026 incident. However, the ESXi variant’s reliance on SSH and esxcli suggests that SSH access to the ESXi host was already available, either via stolen credentials, exposed SSH without MFA, or privilege escalation from a compromised Windows machine with ESXi management access. This is consistent with the standard enterprise ransomware playbook: compromise one endpoint, move laterally to high-value infrastructure.
Q: What is Kyber1024 and should I be worried about post-quantum ransomware more broadly? Kyber1024 is the largest parameter set of CRYSTALS-Kyber, the lattice-based key encapsulation mechanism that NIST standardised as ML-KEM-1024 in FIPS 203; it is designed to resist both classical and quantum attack. Its use in Kyber’s Windows variant means that even if a quantum computer powerful enough to break RSA is eventually built, files encrypted by that variant will not become decryptable retrospectively (barring mistakes in the operators’ key handling, which is how most public decryptors come about). That threat is speculative on any near-term (5 to 10 year) horizon. The immediate danger of Kyber ransomware is operational disruption and data theft today, not future quantum decryptability. The actionable response is the same either way: maintain immutable off-host backups that survive ransomware deletion attempts.
Q: Is this related to the NIST post-quantum standard of the same name? The ransomware group named itself “Kyber” — likely in reference to the CRYSTALS-Kyber post-quantum key encapsulation mechanism standardised by NIST. The Windows variant does implement Kyber1024, demonstrating the operators’ awareness of the standard. The naming is deliberate threat branding, designed to signal technical sophistication and create urgency in ransom negotiations. It does not mean the ransomware group developed or has any relationship to the NIST standard itself.