A new ransomware operation called Kyber is targeting both Windows and VMware ESXi environments, with the Windows variant implementing Kyber1024 post-quantum encryption while the ESXi version relies on traditional RSA-4096. Rapid7 analyzed two distinct variants deployed on the same network during an incident response in March 2026, sharing identical campaign IDs and Tor-based ransom infrastructure. The ESXi variant encrypts datastore files, terminates virtual machines, and defaces management interfaces with ransom notes.
The Linux ESXi encryptor uses ChaCha8 for file encryption and RSA-4096 for key wrapping, despite the group advertising post-quantum capabilities, and it handles files differently depending on size thresholds. Small files under one megabyte are encrypted in full, while larger files receive either partial or intermittent encryption depending on operator configuration. The Windows variant, written in Rust, genuinely implements Kyber1024 and X25519 for key protection alongside AES-CTR for bulk data encryption, and appends an extension to the files it encrypts.
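The three layouts named above (full, partial and intermittent encryption) leave different entropy footprints on disk, which is what a responder can actually measure when triaging an ESXi datastore or a Windows host. The following added example, written for this page and not code from Rapid7 or from the malware, scores a file chunk by chunk with Shannon entropy and maps the resulting profile onto those three layouts. The chunk size, the 7.5 bits/byte cutoff and the sample buffers are assumptions constructed for the demonstration; the report's actual size thresholds and block patterns are not on this page.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # analysis granularity (assumption, not a value from the report)
HIGH_ENTROPY = 7.5    # bits/byte; random-looking ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk: int = CHUNK, cutoff: float = HIGH_ENTROPY) -> list:
    """One boolean per chunk: True where the chunk looks encrypted."""
    return [shannon_entropy(data[i:i + chunk]) >= cutoff
            for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Map the entropy profile to the layouts described in the write-up.

    full         - every chunk is high entropy
    partial      - a single high-entropy run at the head, plaintext after it
    intermittent - high-entropy chunks interleaved with plaintext chunks
    plaintext    - no chunk crosses the cutoff
    """
    profile = chunk_profile(data, chunk)
    if not profile:
        return "empty"
    high = sum(profile)
    if high == 0:
        return "plaintext"
    if high == len(profile):
        return "full"
    first_low = profile.index(False)
    # Head-only encryption: everything after the first plaintext chunk stays plaintext.
    if first_low > 0 and not any(profile[first_low:]):
        return "partial"
    return "intermittent"


# --- constructed sample inputs (not artefacts from the incident) ----------------
_rng = random.Random(1234)  # deterministic stand-in for ciphertext


def _plain(n: int) -> bytes:
    """Low-entropy text resembling a log or config file."""
    line = b"INFO datastore1 vm-web01 heartbeat ok\n"
    return (line * (n // len(line) + 1))[:n]


def _cipher(n: int) -> bytes:
    """High-entropy bytes standing in for ChaCha8/AES-CTR output."""
    return _rng.randbytes(n)


def sample_full(n_chunks: int = 8) -> bytes:
    return _cipher(CHUNK * n_chunks)


def sample_partial(n_chunks: int = 8, head_chunks: int = 2) -> bytes:
    return _cipher(CHUNK * head_chunks) + _plain(CHUNK * (n_chunks - head_chunks))


def sample_intermittent(n_chunks: int = 8) -> bytes:
    # Alternate encrypted and untouched chunks, the pattern intermittent schemes leave behind.
    return b"".join(_cipher(CHUNK) if i % 2 == 0 else _plain(CHUNK) for i in range(n_chunks))


if __name__ == "__main__":
    for name, buf in [("full", sample_full()), ("partial", sample_partial()),
                      ("intermittent", sample_intermittent()), ("plaintext", _plain(CHUNK * 3))]:
        print(f"{name:13s} -> {classify(buf)}")
```

Treat the verdict as a triage signal rather than proof: compressed archives, media files and already-encrypted VM disks also score near 8 bits/byte, so the profile is most useful when compared against a known-good baseline of the same file or against the extension and ransom-note artefacts the note describes.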
The Windows malware terminates services, deletes shadow copies, disables boot repair, kills SQL and Exchange processes, clears event logs, and wipes the Recycle Bin. It also includes an experimental feature to shut down Hyper-V virtual machines. The group's data extortion portal lists a multi-billion-dollar American defense contractor among its victims. Despite the notable use of post-quantum cryptography in the Windows variant, victims cannot recover files without the attackers' private key regardless of the encryption method used. The ESXi variant appears less mature than its Windows counterpart, lacking several features.
