A new Kyber ransomware campaign targets Windows servers and VMware ESXi hosts, with one variant claiming to use Kyber1024 post‑quantum cryptography. Analysis by Rapid7 shows the claim is only partially true, while the malware employs a mix of modern and classic techniques to maximize damage.
In March 2026, cybersecurity firm Rapid7 responded to an incident affecting a large American defense contractor and discovered two distinct Kyber ransomware variants operating on the same network. One variant was built for VMware ESXi environments, the other for Windows file servers. Both share a campaign ID and use the same Tor‑based ransom portal, indicating a single affiliate behind the attacks.

The ESXi variant enumerates all virtual machines on the host, encrypts datastore files, and then defaces the management interface with a ransom note that guides victims through payment and recovery. For files smaller than 1 MB the ransomware encrypts the entire content and appends the extension .xhsyw. Files between 1 MB and 4 MB have only the first megabyte encrypted, while larger files are encrypted intermittently based on a configurable pattern. The underlying cryptography uses ChaCha8 for bulk data encryption and RSA‑4096 for wrapping the symmetric key, despite the ransom note’s reference to post‑quantum algorithms.

The Windows variant is written in Rust and includes a self‑described experimental feature that attempts to shut down Hyper‑V virtual machines. It terminates services such as SQL, Exchange, and backup agents, deletes shadow copies, disables boot repair, clears event logs, and wipes the Recycle Bin to remove common recovery paths. Files receive the extension .#~~~ after encryption. Data encryption itself is AES‑CTR; Kyber1024 is used only to protect the AES‑CTR session key, and X25519 is employed as an additional layer of key protection.

Rapid7 notes that the claim of post‑quantum encryption is accurate only for the Windows variant’s key protection mechanism; the ESXi variant does not use Kyber1024 at all. In both cases, the inability to recover files stems from the attacker’s exclusive control of the private key, meaning that swapping RSA for Kyber1024 does not change the outcome for victims. The mutex string observed in the Windows binary appears to reference a track from the Boomplay music platform, an unusual choice that may serve as a harmless marker or a covert identifier.
Organizations running VMware ESXi should ensure that hypervisor patches are applied promptly and that datastore backups are stored offline. Windows administrators are advised to disable unnecessary services, enforce least‑privilege accounts, and maintain immutable backups that are not reachable from the infected network. Monitoring for the creation of files with the .xhsyw or .#~~~ extensions can provide early detection of Kyber activity.
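A defender‑side check that the monitoring advice above implies, written here as an added example (not code from the article or from Rapid7): it scans constructed file‑creation events for the two reported extensions and additionally flags a process that writes several such files within a short window, which is the burst pattern a file‑encrypting process produces. The event format, hostnames, process paths and the window/threshold values are assumptions.

```python
"""Flag file-creation events carrying the Kyber ransomware extensions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions reported for the ESXi (.xhsyw) and Windows (.#~~~) variants.
KYBER_EXTENSIONS = (".xhsyw", ".#~~~")

# Constructed sample events (not real telemetry) in a simplified
# "timestamp|host|process|path" form; Sysmon-style file-create records
# would map onto the same four fields.
SAMPLE_EVENTS = """\
2026-03-04T10:00:01|fs01|C:\\Windows\\explorer.exe|C:\\Users\\a\\report.docx
2026-03-04T10:02:13|fs01|C:\\Users\\Public\\svc.exe|D:\\Shares\\fin\\q1.xlsx.#~~~
2026-03-04T10:02:14|fs01|C:\\Users\\Public\\svc.exe|D:\\Shares\\fin\\q2.xlsx.#~~~
2026-03-04T10:02:14|fs01|C:\\Users\\Public\\svc.exe|D:\\Shares\\hr\\pay.pdf.#~~~
2026-03-04T10:05:40|esx01|/bin/sh|/vmfs/volumes/ds1/vm1/vm1-flat.vmdk.xhsyw
2026-03-04T10:30:00|fs01|C:\\Windows\\notepad.exe|C:\\Users\\a\\notes.txt
"""


def parse_event(line):
    """Split one event line into its four fields (path may contain '\\')."""
    ts, host, proc, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "path": path}


def has_kyber_extension(path):
    """True when the file name ends with one of the reported extensions."""
    return path.lower().endswith(KYBER_EXTENSIONS)


def detect(text, window=timedelta(seconds=60), threshold=3):
    """Return (hits, bursts): every matching event, plus the (host, process)
    actors that produced at least `threshold` hits inside one `window`."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    hits = [e for e in events if has_kyber_extension(e["path"])]
    by_actor = defaultdict(list)
    for e in hits:
        by_actor[(e["host"], e["proc"])].append(e["ts"])
    bursts = {}
    for actor, times in by_actor.items():
        times.sort()
        for i, start in enumerate(times):
            # Count hits from this one forward that fall inside the window.
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                bursts[actor] = count
                break
    return hits, bursts
```

A single hit is worth an alert on its own; the burst list separates the encrypting process from a one-off rename so responders can isolate the right host first.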
The Kyber campaign illustrates how ransomware operators continue to experiment with emerging cryptographic primitives while relying on proven destructive tactics. While the use of Kyber1024 draws attention, the real danger lies in the ransomware’s ability to erase recovery options and pressure victims into paying. Defenses that focus on backup integrity, privilege restriction, and rapid patching remain the most effective countermeasures.
