A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

BleepingComputer

A new ransomware operation called 'kyber' is targeting Windows file servers and VMware ESXi endpoints, with one variant written in rust implementing kyber1024 post-quantum key encapsulation. Security firm rapid7 analyzed two variants deployed on the same network during an incident response in march 2026. The windows variant uses kyber1024 and x25519 for key protection with aes-ctr for bulk encryption, while the linux/esxi variant falsely advertises post-quantum encryption but actually uses chacha8 and rsa-4096. The windows variant is more mature, deleting backups, shadow copies, disabling boot repair, and including an experimental hyper-v shutdown feature. The only known victim so far is a major american defense contractor.

Kyber ransomware gang toys with post-quantum encryption on Windows