A new ransomware operation known as Kyber has emerged as a significant threat to enterprise environments, targeting both Windows systems and VMware ESXi endpoints in coordinated attacks. The campaign has drawn attention for its use of advanced encryption techniques, including a Windows variant that incorporates Kyber1024 post-quantum cryptography, signaling an evolution in ransomware capabilities.
The operation was identified by cybersecurity firm Rapid7, which analyzed two distinct Kyber variants discovered during an incident response in March 2026. Both variants were deployed within the same compromised network, with one specifically designed for VMware ESXi infrastructure and the other focused on Windows-based file servers. The dual deployment indicates a deliberate strategy to maximize disruption by encrypting multiple layers of enterprise infrastructure simultaneously.
The ESXi variant is tailored for virtualized environments, enabling attackers to enumerate virtual machines, encrypt datastore files, and optionally terminate virtual machines. It also defaces ESXi management interfaces with ransom notes, effectively locking administrators out while directing them toward ransom payment instructions. This approach highlights the increasing focus of ransomware groups on hypervisor-level attacks, where a single breach can impact entire virtual environments.
In contrast, the Windows variant, developed in Rust, demonstrates a higher level of technical sophistication. It includes features such as service termination, backup deletion, and an experimental capability to target Hyper-V virtual machines. The malware is designed to eliminate recovery options by deleting shadow copies, disabling boot repair mechanisms, terminating critical services like SQL and Exchange, and clearing system logs to hinder forensic analysis.
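The recovery-inhibiting behaviours listed above (shadow copy deletion, disabling boot repair, stopping database and mail services, clearing event logs) are the actions a detection engineer keys on, because they precede encryption and are rare in normal administration. The following is an added example and is not code from the article or from Rapid7's analysis: it runs simple command-line rules over constructed process-creation log lines and escalates any host where more than one of these techniques appears. The hosts, users and log format are constructed; the command shapes (vssadmin, bcdedit, wevtutil, net/sc stop) are the commonly documented ways these actions are performed on Windows, not commands the article attributes to Kyber; the two-technique escalation threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Command-line shapes for the behaviours the article attributes to the Windows
# variant. These are the widely documented forms of each action; the exact
# commands Kyber runs are not given in the article and are an assumption here.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("boot_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
    ("critical_service_stopped", re.compile(r"\b(net|sc)(\.exe)?\b\s+stop\b.*\b(mssql|sqlserver|msexchange)\w*", re.I)),
]

# Constructed sample log: timestamp, host, user, image, command line (tab-separated).
# The last two lines are benign activity that must not fire.
SAMPLE_LOG = """\
2026-03-14T02:11:05Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe delete shadows /all /quiet
2026-03-14T02:11:06Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {default} recoveryenabled no
2026-03-14T02:11:07Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\net.exe\tnet stop MSSQLSERVER /y
2026-03-14T02:11:09Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\wevtutil.exe\twevtutil cl Security
2026-03-14T02:12:00Z\tFS01\tCORP\\jdoe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe report.txt
2026-03-14T02:13:00Z\tFS01\tCORP\\jdoe\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    command_line: str


def parse_events(text: str):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("\t", 4)
        yield {"timestamp": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(text: str) -> list:
    """Return one Finding per event whose command line matches a rule (first rule wins)."""
    findings = []
    for ev in parse_events(text):
        for technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["timestamp"], ev["host"], ev["user"], technique, ev["cmdline"]))
                break
    return findings


def escalate(findings: list, min_distinct: int = 2) -> dict:
    """Hosts showing at least min_distinct different techniques, mapped to the sorted technique list.

    A single match (e.g. a scheduled backup job touching vssadmin) is noise; several
    distinct recovery-inhibition techniques on one host in close succession is the
    pre-encryption pattern the article describes.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return {host: sorted(techs) for host, techs in by_host.items() if len(techs) >= min_distinct}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} {f.technique}: {f.command_line}")
    print("escalated:", escalate(hits))
```

In production the same rules would be expressed in the SIEM's own language (Sigma, KQL, SPL) and the correlation window bounded in time; the point of the second step is that any one of these commands is occasionally legitimate, whereas several of them from one account within minutes rarely is.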
While the Kyber operation promotes the use of post-quantum encryption, findings reveal a more nuanced implementation. The ESXi variant does not actually utilize Kyber encryption despite such claims, instead relying on ChaCha8 for file encryption and RSA-4096 for key protection. File encryption behavior varies by size, with smaller files fully encrypted and larger files partially or intermittently encrypted to optimize attack speed.
The Windows variant, however, does incorporate Kyber1024 alongside X25519 for securing encryption keys, while using AES-CTR for bulk data encryption. Despite the introduction of post-quantum cryptography, experts note that the practical impact on victims remains unchanged – files cannot be recovered without access to the attackers’ private keys, regardless of the encryption method used.
Encrypted files differ by platform, with the ESXi variant appending a “.xhsyw” extension and the Windows variant using “.#~~~”. Both variants share the same campaign ID and Tor-based ransom infrastructure, confirming that they are operated by a single affiliate seeking to maximize attack efficiency across environments.
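Two details above are directly usable in incident triage: the per-platform extensions (".xhsyw" for ESXi, ".#~~~" for Windows) identify which variant touched a file, and the size-dependent behaviour described earlier (small files fully encrypted, larger ones partially or intermittently) determines whether any plaintext remains recoverable inside a file. The following is an added example, not code from the article or from Rapid7: it walks a directory tree, attributes each ransom-extension file to a variant, and estimates from chunk entropy whether the file is fully or intermittently encrypted. The sample tree is constructed, with os.urandom standing in for ciphertext (no cipher is run); the 4 KiB chunk size, the 7.5 bits-per-byte entropy threshold and the 95% "fully encrypted" cut-off are conventional triage assumptions, not figures from the article.

```python
import math
import os
import tempfile
from pathlib import Path

# File extensions the article attributes to the two Kyber variants.
KYBER_EXTENSIONS = {".xhsyw": "esxi", ".#~~~": "windows"}

CHUNK = 4096
# Bits-per-byte threshold above which a chunk is treated as ciphertext-like.
# 7.5 is a conventional triage value, not a figure from the article.
ENCRYPTED_CHUNK_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, close to 8.0 for random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_fraction(path: Path) -> float:
    """Fraction of CHUNK-sized pieces of the file that look like ciphertext."""
    high = total = 0
    with path.open("rb") as fh:
        while piece := fh.read(CHUNK):
            total += 1
            if shannon_entropy(piece) >= ENCRYPTED_CHUNK_ENTROPY:
                high += 1
    return high / total if total else 0.0


def classify(fraction: float) -> str:
    # 'full' mirrors the article's small-file behaviour, 'partial' the intermittent
    # encryption of larger files; the 0.95 cut-off is an assumption.
    if fraction >= 0.95:
        return "full"
    return "partial" if fraction > 0 else "plain"


def triage(root: Path) -> dict:
    """Map each ransom-extension file under root to its variant, size and encryption pattern."""
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in KYBER_EXTENSIONS:
            continue
        frac = encrypted_fraction(path)
        results[path.name] = {
            "variant": KYBER_EXTENSIONS[path.suffix],
            "size": path.stat().st_size,
            "high_entropy_fraction": round(frac, 3),
            "pattern": classify(frac),
        }
    return results


def build_sample_tree(root: Path) -> Path:
    """Constructed sample data: os.urandom stands in for ciphertext, no cipher is run."""
    text = b"quarterly report draft, do not distribute " * 4096
    (root / "datastore1").mkdir()
    # Small VMDK: fully "encrypted".
    (root / "datastore1" / "vm01-flat.vmdk.xhsyw").write_bytes(os.urandom(64 * 1024))
    # Larger VMDK: alternating 16 KiB random / plaintext blocks, i.e. intermittent encryption.
    blocks = [os.urandom(16 * 1024) if i % 2 == 0 else text[:16 * 1024] for i in range(8)]
    (root / "datastore1" / "vm02-flat.vmdk.xhsyw").write_bytes(b"".join(blocks))
    (root / "shares").mkdir()
    (root / "shares" / "report.docx.#~~~").write_bytes(os.urandom(16 * 1024))
    # Untouched file: must not appear in the triage output.
    (root / "shares" / "notes.txt").write_bytes(text[:8 * 1024])
    return root


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: {info}")
```

On a real datastore you would not read every byte of multi-gigabyte VMDKs; sampling head, middle and tail chunks gives the same full-versus-partial verdict at a fraction of the I/O. The "partial" verdict matters for recovery planning: intermittently encrypted files may still yield usable data fragments through carving, while fully encrypted ones will not, regardless of whether ChaCha8, AES-CTR or a Kyber-wrapped key sits behind them.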
At the time of reporting, only one victim has been listed on Kyber’s data extortion portal – a major U.S.-based defense contractor and IT services provider – suggesting that the campaign may still be in its early stages or operating selectively.
The emergence of Kyber underscores a growing trend in ransomware development: combining cross-platform targeting with advanced cryptographic techniques and aggressive system disruption tactics. As threat actors continue to refine their methods, organizations face increasing pressure to secure both traditional systems and virtualized infrastructure against coordinated, multi-layered attacks.
