xiand.ai
Apr 24, 2026 · Updated 08:24 PM UTC
Cybersecurity

Kyber ransomware uses post-quantum encryption to target Windows and VMware systems

A new Kyber ransomware variant utilizes Kyber1024 post-quantum encryption to target Windows file servers and VMware ESXi environments.

Ryan Torres

2 min read


A new Kyber ransomware operation is targeting Windows systems and VMware ESXi hosts with purpose-built encryptors for each platform, according to bleepingcomputer.com.

Cybersecurity firm Rapid7 analyzed two distinct Kyber variants discovered during an incident response in March 2026. One variant specifically targets VMware ESXi environments, while the other focuses on Windows file servers.

Both variants share a single campaign ID and use the same Tor-based ransom infrastructure. This suggests a single ransomware affiliate deployed them simultaneously to maximize impact across a network.

"The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," Rapid7 reported.

BleepingComputer found one confirmed victim on the Kyber extortion portal: a multi-billion-dollar American defense contractor and IT services provider.

Encryption claims and technical mechanics

While the ransomware advertises 'post-quantum' encryption, whether that claim holds depends on the platform. For the Linux-based ESXi encryptor, Rapid7 found the post-quantum claim to be false.

The Linux version uses ChaCha8 for file content and RSA-4096 to wrap the symmetric keys, and RSA is precisely the kind of key protection a large quantum computer could break, which is why the post-quantum label does not apply here. It treats files differently by size: files under 1 MB are encrypted in full, while files larger than 4 MB are only intermittently encrypted, a speed-over-thoroughness trade-off common in ESXi encryptors because datastores hold very large virtual disk files.
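Size-dependent intermittent encryption leaves a recognisable signature on disk: a large file that is only partly ciphertext shows alternating high- and low-entropy regions, while a small file is high-entropy end to end. The scanner below, an added example written for this article and not code from Rapid7 or from the Kyber encryptor, samples per-chunk Shannon entropy to triage files into plaintext, fully encrypted and intermittently encrypted. The 64 KiB chunk size, the 7.5 bits/byte threshold, the file names and the sample files themselves are constructed assumptions chosen to mirror the two size classes described above; nothing about the real encryptor's stride or block layout is known from the report.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK_SIZE = 64 * 1024   # sampling granularity for the scan (assumption, not the encryptor's block size)
HIGH_ENTROPY = 7.5       # bits per byte; ciphertext (and compressed data) sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a block; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(path: str, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk of the file, in file order."""
    ents = []
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            ents.append(shannon_entropy(buf))
    return ents


def classify(path: str, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY):
    """Return (label, fraction of chunks that look like ciphertext)."""
    ents = chunk_entropies(path, chunk_size)
    if not ents:
        return ("empty", 0.0)
    high = sum(1 for e in ents if e >= threshold)
    coverage = high / len(ents)
    if high == 0:
        label = "plaintext"
    elif high == len(ents):
        label = "fully_encrypted"
    else:
        label = "intermittent"
    return (label, coverage)


def build_constructed_samples(directory: str) -> dict:
    """Constructed sample files (not real Kyber output) mimicking the size classes in the report."""
    text = b"The quick brown fox jumps over the lazy dog.\n"

    def plain(n: int) -> bytes:
        return (text * (n // len(text) + 1))[:n]

    paths = {}
    # Under 1 MB: encrypted in full, modelled as 256 KiB of random bytes.
    p = os.path.join(directory, "small.docx.locked")          # hypothetical name
    with open(p, "wb") as fh:
        fh.write(os.urandom(256 * 1024))
    paths["small_full"] = p

    # Over 4 MB: intermittently encrypted, modelled as 16 segments of 256 KiB with every
    # fourth segment random, plus a 64 KiB plaintext tail (stride is an assumption).
    p = os.path.join(directory, "big.vmdk.locked")            # hypothetical name
    with open(p, "wb") as fh:
        for i in range(16):
            fh.write(os.urandom(256 * 1024) if i % 4 == 0 else plain(256 * 1024))
        fh.write(plain(64 * 1024))
    paths["large_intermittent"] = p

    # Control: a 512 KiB file the encryptor never touched.
    p = os.path.join(directory, "notes.txt")                  # hypothetical name
    with open(p, "wb") as fh:
        fh.write(plain(512 * 1024))
    paths["untouched"] = p
    return paths


def demo() -> dict:
    """Build the constructed samples in a temp dir and classify each; returns {key: (label, coverage)}."""
    with tempfile.TemporaryDirectory() as d:
        paths = build_constructed_samples(d)
        return {key: classify(path) for key, path in paths.items()}


if __name__ == "__main__":
    for key, (label, coverage) in demo().items():
        print(f"{key:20s} {label:16s} ciphertext-like chunks: {coverage:.0%}")
```

Treat the result as triage, not proof: compressed archives, media files and already-encrypted containers also sit near 8 bits/byte, so a high-entropy verdict on an untouched `.zip` or `.vmdk` that was thin-provisioned and zero-filled is expected noise. The useful signal on an ESXi datastore is the combination of a recent modification time, an appended extension, and the alternating entropy pattern in files above the encryptor's size cut-off.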

The Windows variant, written in Rust, does implement what it advertises: Kyber1024 alongside X25519 protects the symmetric key material, and AES-CTR performs the bulk file encryption.

The choice of asymmetric primitive does not change the outcome for victims. Files are unrecoverable without the attacker's private key whether that key is RSA-4096 or Kyber1024; where free decryptors for ransomware have historically come from is implementation mistakes such as mishandled keys or weak randomness, not from breaking the public-key algorithm, and nothing in the report suggests such a mistake here.

The Windows variant is built to be destructive. It appends a '.#~~~' extension to encrypted files and removes local recovery paths and forensic evidence: it deletes Volume Shadow Copies, empties the Recycle Bin, and clears the Windows event logs.

This version also includes an experimental feature for targeting Hyper-V and is capable of terminating SQL, Exchange, and backup services. The Windows variant appears more technically mature than its ESXi counterpart, which currently lacks several of these advanced features.
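The pre-encryption behaviours described for the Windows variant (shadow copy deletion, Recycle Bin wiping, event log clearing, stopping SQL, Exchange and backup services) are noisy and precede the encryption itself, which makes them the detection opportunity. The rules below are an added example for this article, not detection content from Rapid7 or BleepingComputer, run over a constructed pipe-delimited log (timestamp|channel|event_id|image|command_line) that stands in for a Sysmon and Windows event export. The command-line patterns, the product-name fragments used to recognise backup and database services, and the sample lines are assumptions; the two event IDs are standard Windows ones (1102 in the Security channel and 104 in System both record a cleared log).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    evidence: str


# Fragments of service names in the categories the report lists (SQL, Exchange, backup).
# The concrete product names are an assumption for illustration, not from the report.
SERVICE_HINTS = ("sql", "exchange", "veeam", "backup")

SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)
LOG_CLEAR_CMD = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)
RECYCLE_WIPE = re.compile(
    r"\b(?:rd|rmdir|del)\b.*\$Recycle\.Bin|Remove-Item.*\$Recycle\.Bin", re.I)

# Windows event IDs that record a cleared log: 1102 (Security channel), 104 (System channel).
LOG_CLEARED_EVENTS = {("security", "1102"), ("system", "104")}


def parse_line(line: str):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, channel, event_id, image, cmdline = parts
    return {"ts": ts, "channel": channel, "event_id": event_id,
            "image": image, "cmdline": cmdline}


def detect(lines: Iterable[str]) -> List[Finding]:
    """Apply every rule to every line; a line can raise more than one finding."""
    findings = []
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = rec["cmdline"]
        if (rec["channel"].lower(), rec["event_id"]) in LOG_CLEARED_EVENTS:
            findings.append(Finding("event_log_cleared", no,
                                    f"{rec['channel']} event {rec['event_id']}"))
        if SHADOW_DELETE.search(cmd):
            findings.append(Finding("shadow_copy_deletion", no, cmd))
        if LOG_CLEAR_CMD.search(cmd):
            findings.append(Finding("event_log_cleared", no, cmd))
        m = SERVICE_STOP.search(cmd)
        if m and any(h in m.group(1).lower() for h in SERVICE_HINTS):
            findings.append(Finding("backup_or_db_service_stop", no, cmd))
        if RECYCLE_WIPE.search(cmd):
            findings.append(Finding("recycle_bin_wipe", no, cmd))
    return findings


def triggered_rules(findings: Iterable[Finding]) -> List[str]:
    """Distinct rule names, sorted, for a quick summary."""
    return sorted({f.rule for f in findings})


# Constructed sample log (not a real capture); the benign svchost line is a control.
SAMPLE_LOG = [
    r"2026-03-12T02:11:05Z|Sysmon|1|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2026-03-12T02:11:06Z|Sysmon|1|C:\Windows\System32\net.exe|net stop MSSQLSERVER /y",
    r"2026-03-12T02:11:07Z|Sysmon|1|C:\Windows\System32\cmd.exe|cmd.exe /c rd /s /q C:\$Recycle.Bin",
    r"2026-03-12T02:11:09Z|Sysmon|1|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security",
    r"2026-03-12T02:11:09Z|Security|1102||",
    r"2026-03-12T02:13:00Z|Sysmon|1|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.evidence}")
```

Each rule on its own fires on legitimate administration now and then (backup agents stop services, operators clear logs), so the alert worth paging on is several of these from one host inside a short window, which is the sequence an encryptor runs immediately before it starts writing ciphertext. Note that the 1102 event is written only if the Security log is cleared while auditing survives; a host where the log is cleared and the command line is not captured yields the event alone, which is why the command-line and event-based checks are kept as separate rules.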
