Kyber
Kyber is a relatively new cross-platform ransomware family targeting Windows file servers and VMware ESXi/Linux environments. Public reporting places activity at least as early as December 2025, with Rapid7 analyzing coordinated Windows and ESXi payloads recovered from the same victim network in March 2026. The two variants shared a campaign ID and Tor-based negotiation/leak infrastructure, suggesting deployment by the same affiliate to maximize impact across server environments.
The Windows variant is a 64-bit Rust-based encryptor. High-confidence analysis indicates it uses AES-256-CTR for bulk file encryption and protects the file-encryption keys with a hybrid X25519 plus Kyber1024 (the parameter set NIST standardized as ML-KEM-1024) key-encapsulation scheme. Encrypted files are renamed with the .#~~~ extension and receive a fixed 0x744-byte (1860-byte) trailer containing metadata and keying material; the trailer begins with the magic bytes e12fa8c3, so the magic sits at offset file_size - 0x744, and its presence there separates a genuinely processed file from one that was only renamed. The trailer size is consistent with the advertised scheme: a Kyber1024 ciphertext alone is 1568 bytes. The analyzed sample used the ransom note read_me_now.txt / READ_ME_NOW.txt, embedded Kyber-related Rust dependencies, and carried a Kyber1024-sized public key in the binary. It also registers the encrypted-file extension via HKCR\.#~~~ and the HKCR\fucked.file file class, writes a custom icon to C:\fucked_icon\processed_file.ico, and launches a chain of anti-recovery commands built on vssadmin, PowerShell/WMI-based deletion, wmic SHADOWCOPY DELETE, bcdedit, wbadmin, and wevtutil. Additional reported behavior includes terminating services associated with Exchange, VSS, backup, Veeam, SQL, and IIS, deleting shadow copies and backups, disabling recovery settings, clearing event logs, emptying the Recycle Bin, and an experimental Hyper-V shutdown feature.
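The anti-recovery chain and registry artifacts above are what an EDR or SIEM will actually see on a Windows host, so the following is an added detection example in Python (not Kyber's code and not from the Rapid7 report). The event shape (dicts with host/type/cmdline/key), the constructed sample events, and the exact command-line arguments matched are assumptions: the page names only the tools (vssadmin, PowerShell/WMI, wmic SHADOWCOPY DELETE, bcdedit, wbadmin, wevtutil) and the registry paths, so the patterns cover the well-known inhibit-recovery forms of those tools rather than Kyber's literal strings.

```python
"""Flag hosts showing the Kyber Windows variant's anti-recovery chain and
registry artifacts in process-creation and registry telemetry.

Added example: not Kyber's code and not from the Rapid7 report. Event shape,
sample events and the command-line arguments matched are assumptions; the
page names the tools and registry paths but not Kyber's exact arguments.
"""
import re
from collections import defaultdict

# (tag, regex over the lower-cased command line). Tags name the behaviour
# the page attributes to the Windows variant.
COMMAND_PATTERNS = [
    ("shadow_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow_delete_wmi_powershell",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))")),
    ("recovery_disable_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("backup_delete_wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b")),
    ("eventlog_clear_wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b")),
]

# Registry paths the page attributes to the sample: HKCR\.#~~~ registers the
# extension, HKCR\fucked.file is the file class it maps to.
REGISTRY_PATTERNS = [
    ("ext_registration", re.compile(r"^hkcr\\\.#~~~", re.I)),
    ("fileclass_registration", re.compile(r"^hkcr\\fucked\.file", re.I)),
]


def classify_event(event):
    """Return the set of tags one event matches."""
    tags = set()
    if event.get("type") == "process":
        cmd = event.get("cmdline", "").lower()
        tags.update(tag for tag, rx in COMMAND_PATTERNS if rx.search(cmd))
    elif event.get("type") == "registry":
        key = event.get("key", "")
        tags.update(tag for tag, rx in REGISTRY_PATTERNS if rx.search(key))
    return tags


def score_hosts(events, min_distinct=3):
    """Group events by host and return hosts whose number of distinct matched
    tags reaches min_distinct. One vssadmin call is routine admin noise;
    several distinct inhibit-recovery actions on the same host are not."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify_event(ev)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_distinct}


# Constructed telemetry, not real logs: fs01 mimics the chain described on the
# page, ws07 is benign administrative use of the same binaries.
SAMPLE_EVENTS = [
    {"host": "fs01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "type": "process", "cmdline": "powershell.exe -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    {"host": "fs01", "type": "process", "cmdline": "wmic.exe SHADOWCOPY DELETE"},
    {"host": "fs01", "type": "process", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "fs01", "type": "process", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "fs01", "type": "process", "cmdline": "wevtutil.exe cl System"},
    {"host": "fs01", "type": "registry", "key": r"HKCR\.#~~~"},
    {"host": "fs01", "type": "registry", "key": r"HKCR\fucked.file\DefaultIcon"},
    {"host": "ws07", "type": "process", "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws07", "type": "process", "cmdline": "wevtutil.exe qe Security /c:5"},
]

if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(host, tags)
```

The threshold matters more than any single pattern: backup agents and administrators legitimately run vssadmin and wevtutil, so the rule fires on the combination of distinct recovery-inhibiting actions per host, and the registry artifacts push a borderline host over the line because nothing benign registers the .#~~~ extension.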
The ESXi/Linux variant is a 64-bit C++ ELF tailored for VMware environments. It encrypts datastore contents under /vmfs/volumes, can enumerate and optionally terminate virtual machines (a running VM holds locks on its disk files, which is why ESXi ransomware generally stops VMs before encrypting them), drops ransom notes, and can deface ESXi management interfaces including /etc/motd and VMware web UI pages. Encrypted files use the .xhsyw extension. Despite ransom-note claims of AES-256-CTR, X25519, and Kyber1024/ML-KEM, Rapid7 found this variant actually uses ChaCha8 for file encryption and RSA-4096 for key wrapping, with no evidence of real post-quantum cryptography in that sample. For responders the practical consequence is that the two variants share branding but not an on-disk format: extension and key-wrapping differ per platform, so recovery assessment has to be done separately for the Windows and ESXi tiers rather than inferred from the ransom note.
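Because the two variants leave different on-disk artifacts, the following added triage example (Python; not Kyber's code and not from the Rapid7 analysis) covers both the Windows trailer described above and the ESXi datastore files described here. It uses only the facts on the page: .#~~~ files carry a fixed 0x744-byte trailer starting with e12fa8c3, and ESXi files under /vmfs/volumes get the .xhsyw extension. The directory layout, file names and file contents in the sample tree are constructed; the trailer's layout beyond its magic is not documented here, so only the magic is validated and the rest is returned raw for the analyst.

```python
"""Triage on-disk artifacts of both Kyber variants.

Added example, not code from Kyber or from the Rapid7 analysis. Sample tree,
names and contents are constructed; only the trailer magic is checked because
the trailer layout after the magic is not documented on the page.
"""
import os
import tempfile
from collections import Counter

WINDOWS_EXT = ".#~~~"
ESXI_EXT = ".xhsyw"
TRAILER_LEN = 0x744                      # fixed 1860-byte trailer
TRAILER_MAGIC = bytes.fromhex("e12fa8c3")


def parse_windows_trailer(path):
    """Return (status, trailer_bytes). status is 'encrypted' (trailer present
    with magic), 'renamed_only' (extension but no valid trailer) or
    'too_small' (file shorter than the trailer itself)."""
    size = os.path.getsize(path)
    if size < TRAILER_LEN:
        return "too_small", b""
    with open(path, "rb") as f:
        f.seek(size - TRAILER_LEN)       # magic sits at file_size - 0x744
        trailer = f.read(TRAILER_LEN)
    if trailer[:4] == TRAILER_MAGIC:
        return "encrypted", trailer
    return "renamed_only", trailer


def triage_windows(root):
    """Walk root and classify every .#~~~ file by trailer status."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(WINDOWS_EXT):
                p = os.path.join(dirpath, n)
                results[p] = parse_windows_trailer(p)[0]
    return results


def triage_esxi(datastore_root):
    """Count .xhsyw files per VM directory so responders can see which VMs
    were hit (ESXi keeps each VM's .vmx/.vmdk files in its own folder)."""
    per_vm = Counter()
    for dirpath, _, names in os.walk(datastore_root):
        for n in names:
            if n.endswith(ESXI_EXT):
                per_vm[os.path.relpath(dirpath, datastore_root)] += 1
    return dict(per_vm)


def build_sample_tree():
    """Constructed sample data standing in for a file server and a datastore."""
    root = tempfile.mkdtemp(prefix="kyber_triage_")
    win = os.path.join(root, "fileserver")
    ds = os.path.join(root, "datastore1")
    share = os.path.join(win, "shares", "finance")
    os.makedirs(share)
    # Genuinely processed file: payload followed by the 0x744-byte trailer.
    with open(os.path.join(share, "q1.xlsx" + WINDOWS_EXT), "wb") as f:
        f.write(os.urandom(4096) + TRAILER_MAGIC + b"\x00" * (TRAILER_LEN - 4))
    # Renamed but no trailer (partially written, or a spoofed name).
    with open(os.path.join(share, "notes.txt" + WINDOWS_EXT), "wb") as f:
        f.write(b"A" * 4096)
    with open(os.path.join(share, "tiny.txt" + WINDOWS_EXT), "wb") as f:
        f.write(b"short")
    for vm, count in (("vm-web01", 2), ("vm-db01", 1)):
        os.makedirs(os.path.join(ds, vm))
        for i in range(count):
            with open(os.path.join(ds, vm, f"disk{i}.vmdk" + ESXI_EXT), "wb") as f:
                f.write(os.urandom(512))
    return win, ds


if __name__ == "__main__":
    win, ds = build_sample_tree()
    print(triage_windows(win))
    print(triage_esxi(ds))
```

Run it against a forensic copy rather than the live datastore, and treat 'renamed_only' hits as worth a second look: a file with the extension but no valid trailer was either interrupted mid-write or is not Kyber output at all.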
Kyber’s ransom notes claim use of AES-256-CTR with X25519 and Kyber1024 for key generation, and one note gives victims one week to respond. Reporting and analysis indicate the operation has emphasized post-quantum branding, likely as intimidation or marketing, but only the Windows variant was confirmed to implement the advertised Kyber1024 path. Known infrastructure in the analyzed reporting includes the Tor chat portal mlnmlnnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd[.]onion and leak/blog site kyblogtz6k3jtxnjjvluee5ec4g3zcnvyvbgsnq5thumphmqidkt7xid[.]onion. As of April 22, 2026, public reporting cited one listed victim described as a large American defense contractor and IT services provider. Overall, Kyber is characterized as a specialized ransomware tool designed to cause severe operational disruption by simultaneously targeting Windows and virtualization infrastructure.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth: 1 technique
Impact: 4 techniques
Encryption approaches are evolving toward optimized and selective models, including intermittent encryption and experimental cryptographic techniques.
...aggressive recovery inhibition (e.g., backup deletion, service termination)...
IOCs tracked for this family
4 indicators (IPs, domains, and DNS infrastructure; MD5, SHA-1, and SHA-256 file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Multi-platform ransomware targeting Windows and VMware ESXi, using Rust-based development, partial encryption, backup deletion, service termination, and selective use of Kyber1024 post-quantum cryptography.
Rust-based ransomware that encrypts files on Windows, appends the .#~~~ extension, drops a READ_ME_NOW.txt ransom note, inhibits recovery via tools like vssadmin/wmic/bcdedit/wbadmin/wevtutil, and uses a hybrid cryptographic design. The analyzed Windows variant uses AES-CTR-style bulk file encryption with HMAC-SHA256-style key/IV derivation and incorporates Kyber1024-sized encapsulation material plus active Curve25519/X25519 arithmetic in a fixed 0x744 trailer appended to encrypted files.
A ransomware strain described as a specialized tool capable of causing a complete operational blackout.
Ransomware that encrypts files using AES for bulk file encryption and then encrypts the AES key with a claimed post-quantum key encapsulation mechanism; the article suggests its post-quantum branding is primarily a psychological marketing tactic to pressure victims into paying.