Skip to content
Ransomware group

Kyber

Kyber is a relatively new cross-platform ransomware family targeting Windows file servers and VMware ESXi/Linux environments.

Profile source: Mallory opens in a new tab

Kyber

Family profile

Kyber is a relatively new cross-platform ransomware family targeting Windows file servers and VMware ESXi/Linux environments. Public reporting places activity at least as early as December 2025, with Rapid7 analyzing coordinated Windows and ESXi payloads recovered from the same victim network in March 2026. The two variants shared a campaign ID and Tor-based negotiation/leak infrastructure, suggesting deployment by the same affiliate to maximize impact across server environments.

The Windows variant is a 64-bit Rust-based encryptor. High-confidence analysis indicates it uses AES-256-CTR for bulk file encryption and implements a hybrid key-protection scheme using X25519 and Kyber1024. Encrypted files are renamed with the .#~~~ extension and receive a fixed 0x744-byte trailer containing metadata and keying material; the trailer begins with magic bytes e12fa8c3. The sample analyzed used the ransom note read_me_now.txt / READ_ME_NOW.txt, embedded Kyber-related Rust dependencies, and included a Kyber1024-sized public key in the binary. It also registers encrypted-file handling via HKCR\.#~~~ and HKCR\fucked.file, writes a custom icon to C:\fucked_icon\processed_file.ico, and launches anti-recovery commands including vssadmin, PowerShell/WMI deletion, wmic SHADOWCOPY DELETE, bcdedit, wbadmin, and wevtutil. Additional reported behavior includes terminating services associated with Exchange, VSS, backup, Veeam, SQL, and IIS, deleting shadow copies and backups, disabling recovery settings, clearing event logs, emptying the Recycle Bin, and an experimental Hyper-V shutdown feature.

The ESXi/Linux variant is a 64-bit C++ ELF tailored for VMware environments. It encrypts datastore contents under /vmfs/volumes, can enumerate and optionally terminate virtual machines, drops ransom notes, and can deface ESXi management interfaces including /etc/motd and VMware web UI pages. Encrypted files use the .xhsyw extension. Despite ransom-note claims of AES-256-CTR, X25519, and Kyber1024/ML-KEM, Rapid7 found this variant actually uses ChaCha8 for file encryption and RSA-4096 for key wrapping, with no evidence of real post-quantum cryptography in that sample.

Kyber’s ransom notes claim use of AES-256-CTR with X25519 and Kyber1024 for key generation, and one note gives victims one week to respond. Reporting and analysis indicate the operation has emphasized post-quantum branding, likely as intimidation or marketing, but only the Windows variant was confirmed to implement the advertised Kyber1024 path. Known infrastructure in the analyzed reporting includes the Tor chat portal mlnmlnnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd[.]onion and leak/blog site kyblogtz6k3jtxnjjvluee5ec4g3zcnvyvbgsnq5thumphmqidkt7xid[.]onion. As of April 22, 2026, public reporting cited one listed victim described as a large American defense contractor and IT services provider. Overall, Kyber is characterized as a specialized ransomware tool designed to cause severe operational disruption by simultaneously targeting Windows and virtualization infrastructure.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

Kyber in ATT&CK

5 distinct techniques

Reporting

Research mentioning Kyber

May 15
Cyfirma Other

TRACKING RANSOMWARE : APRIL 2026 - CYFIRMA

The Kyber ransomware operation, attributed to a threat actor (affiliate within the Kyber ransomware group), demonstrates a clear progression toward cryptographic diversification and cross-environment targeting.

Apr 26
Derp Ca

Kyber ransomware is not just post-quantum name-dropping | Derp

Hello, if you are seeing this then you have been attacked by Kyber Ransomware. <=> Your files are encrypted with the AES-256-CTR algorithm. <=> Two asymmetric algorithms X25519 and Kyber1024 were used for key generation.

Apr 24
Blueteamsec

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained - Infosec.Pub

Organizations should treat Kyber not merely as another ransomware strain, but as a specialized tool capable of causing a complete operational blackout. Public technical analysis of Kyber malware remains limited, presenting an opportunity to share Rapid7's findings with the community.

Apr 23
Arstechnica Security

In a first, a ransomware family is confirmed to be quantum-safe - Ars Technica

The Kyber ransom note gives victims one week to respond. A Kyber variant that targets systems running VMware, meanwhile, claims to use ML-KEM as well.

Apr 23
Scworld

Kyber ransomware targets Windows and ESXi with post-quantum encryption claims | brief | SC Media

Bleeping Computer disclosed that a new Kyber ransomware operation is actively targeting both Windows systems and VMware ESXi endpoints, with one variant notably implementing Kyber1024 post-quantum encryption.

Apr 22
Bleeping Computer

Kyber ransomware gang toys with post-quantum encryption on Windows

A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

Apr 21
The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation

The findings come as Rapid7 highlighted the inner workings of another relatively new ransomware family called Kyber that surfaced in September 2025, targeting Windows and VMware ESXi infrastructures using encryptors developed in Rust and C++, respectively.

Apr 21
Rapid7

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Kyber is a cross-platform ransomware family targeting Linux/ESXi and Windows environments. Both variants share Tor infrastructure and a campaign ID, but differ in programming language they are written, crypto, and features.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.