Kyber Ransomware And The Post-Quantum Illusion
Ransomware operators adopt whatever creates the most pressure on victims. This may mean faster encryption, stronger extortion tactics, or deeper attacks on virtual infrastructure. In 2026, the Kyber ransomware group added a new layer of psychological and technical pressure by claiming to use post-quantum encryption.
That claim quickly attracted attention, suggesting that attackers were preparing for a future in which traditional cryptography would fail. In reality, Kyber ransomware presents a more complicated story: genuine post-quantum techniques exist, but so do misleading marketing and highly effective operational disruption.

Kyber is a cross-platform ransomware family that targets both Windows systems and VMware ESXi environments. Its dual-platform deployment is especially dangerous. Attackers can simultaneously strike core Windows file servers and the virtualization infrastructure that supports entire enterprise environments.
During a March 2026 incident, researchers recovered both payloads inside the same victim network. This confirmed that the same affiliate deployed them in coordination. The approach increases the risk of complete business disruption rather than just isolated system outages. Rapid7 noted that organizations should treat Kyber as a specialized tool capable of causing a complete operational blackout, not just another ransomware strain.
The ransomware's name itself causes confusion. 'Kyber' is also the name of CRYSTALS-Kyber, a well-known post-quantum cryptographic algorithm for quantum-resistant key exchange. CRYSTALS-Kyber was designed to resist attacks from future quantum computers that could break RSA and elliptic curve cryptography.
It has become important in the move toward post-quantum cryptography. The algorithm provides efficient key encapsulation and strong security based on lattice problems. The project's goal was never ransomware. It focused on long-term cryptographic resilience for legitimate systems facing the 'harvest now, decrypt later' threat model.
Kyber ransomware abuses that name for effect, as reported in a recent Rapid7 publication. By claiming to use post-quantum encryption in ransom notes, operators create the impression that victims face a mathematically unbreakable attack enabled by next-generation cryptography. This matters because ransomware negotiations rely on perception. If defenders believe recovery is impossible without the attacker's key, the pressure to pay increases.
However, Rapid7's analysis showed the Linux and ESXi variant did not use the advertised Kyber1024 encryption model. It used ChaCha8 for file encryption and RSA-4096 for key wrapping. Researchers found no true post-quantum implementation in that variant. The operators likely copied a ransom note from the Windows version and reused it for intimidation.
This discrepancy highlights a truth about modern ransomware: threat actors use cryptographic branding as much as cryptographic engineering. The ESXi variant markets itself as advanced post-quantum malware, but its real strength is operational targeting rather than encryption novelty. It is built for VMware environments and focuses on data store encryption, optional virtual machine termination, and management interface defacement.
Before encryption, the malware replaces the ESXi message-of-the-day file and modifies the VMware web management pages. Administrators see ransom notes immediately when logging in via SSH or through the browser. This ensures the victim sees the attacker's message at every administrative entry point.
Kyber Ransomware's Double Trouble
Kyber's encryption strategy prioritizes speed over completeness. It fully encrypts small files under 1 MB. It encrypts only the first megabyte of medium files. Larger files are partially encrypted according to operator-defined percentages. This allows the malware to cripple large virtual machine disks quickly without encrypting every byte. Even partial corruption can make large VMDK files unusable and halt business operations. The ransomware also creates metadata markers and backup structures to track progress and avoid duplicate work, increasing reliability during attack execution.
The Windows variant tells a different story. Unlike the ESXi sample, this payload genuinely implements its claims. Written in Rust, it uses a hybrid encryption model. It relies on AES-256-CTR for file encryption, Kyber1024 for post-quantum key encapsulation, and X25519 for key exchange.
The malware checks the embedded public key against the expected Kyber1024 size, confirming intentional implementation. This means the Windows encryptor introduces legitimate post-quantum cryptography into ransomware operations. It is one of the earliest real-world examples of attackers using this approach at scale.
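The size check described above compares the embedded key against the fixed object sizes of the Kyber parameter sets. The added example below (my own code, not Rapid7's and not the malware's) goes one step further, in the spirit of the encapsulation-key check in FIPS 203, and verifies that every packed 12-bit coefficient decodes below q, which tells an analyst whether a right-sized blob is a well-formed Kyber public key or merely 1568 bytes long; the sample key it builds is constructed, not recovered from any sample.

```python
# Added example, not Rapid7's or the malware's code: check that a blob claimed to
# be a CRYSTALS-Kyber public key is well formed, not merely the right length.
# A Kyber public key is k polynomials of 256 coefficients, each packed as 12 bits
# and required to be below q = 3329, followed by a 32-byte seed rho; for
# Kyber1024 (k = 4) that is 4 * 384 + 32 = 1568 bytes.
import secrets

Q = 3329
POLY_BYTES = 384          # 256 coefficients * 12 bits / 8
SEED_BYTES = 32
KYBER_K = {"Kyber512": 2, "Kyber768": 3, "Kyber1024": 4}

def public_key_len(k):
    return k * POLY_BYTES + SEED_BYTES    # 800, 1184, 1568 for k = 2, 3, 4

def decode_poly(buf):
    """Unpack 384 bytes into 256 12-bit coefficients (Kyber's ByteDecode_12)."""
    coeffs = []
    for i in range(0, POLY_BYTES, 3):
        b0, b1, b2 = buf[i], buf[i + 1], buf[i + 2]
        coeffs.append(b0 | ((b1 & 0x0F) << 8))
        coeffs.append((b1 >> 4) | (b2 << 4))
    return coeffs

def encode_poly(coeffs):
    """Inverse of decode_poly; used here only to build a well-formed sample."""
    out = bytearray()
    for a, b in zip(coeffs[0::2], coeffs[1::2]):
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)

def classify_public_key(blob):
    """Parameter set whose public-key length the blob has AND whose coefficients
    all decode below q, else None. A random blob of the right length fails with
    overwhelming probability: each 12-bit field exceeds q with probability ~19%."""
    for name, k in KYBER_K.items():
        if len(blob) == public_key_len(k):
            polys = (decode_poly(blob[i * POLY_BYTES:(i + 1) * POLY_BYTES]) for i in range(k))
            return name if all(c < Q for p in polys for c in p) else None
    return None

def constructed_key(k):
    """Well-formed sample key: random coefficients reduced mod q plus a random seed."""
    polys = [encode_poly([secrets.randbelow(Q) for _ in range(256)]) for _ in range(k)]
    return b"".join(polys) + secrets.token_bytes(SEED_BYTES)

if __name__ == "__main__":
    print(classify_public_key(constructed_key(4)))          # Kyber1024
    print(classify_public_key(secrets.token_bytes(1568)))   # None, almost surely
```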
The Windows payload also shows strong engineering beyond cryptography. It builds a custom entropy pipeline using system time, Windows cryptographic APIs, RDRAND processor randomness, and process-level data. These sources seed an internal AES-CTR deterministic random bit generator (DRBG).
Most ransomware relies on the operating system's built-in randomness. Kyber's developers appear to care deeply about the quality of their key material. That attention suggests a deliberate attempt to avoid weak implementation errors that could undermine extortion.
Its destructive behavior extends far beyond encryption. With elevated privileges, the malware executes eleven commands designed to eliminate recovery paths and frustrate incident response.
- It deletes Volume Shadow Copies using WMI, WMIC, and vssadmin
- It disables Windows recovery options and boot failure prompts
- It removes system state backups
- It stops the IIS services to release locked files
- It clears all Windows event logs
- It empties the recycle bin and modifies registry values to improve SMB concurrency
These actions strip defenders of recovery mechanisms and forensic visibility. Even if backups exist, attackers make local restoration significantly harder.
The ransomware also includes an experimental Hyper-V targeting feature. When enabled, it uses PowerShell commands like Get-VM and Stop-VM -Force -TurnOff to perform hard shutdowns of virtual machines before encryption. This mirrors the ESXi strategy. Its goal is to remove file locks, disable operational continuity, and make the virtual infrastructure unusable. Whether the environment runs VMware or Hyper-V, the objective remains the same: maximize downtime and force quick executive decisions.
The broader cybersecurity significance of the Kyber ransomware lies in its timing. Organizations are already preparing for post-quantum migration as quantum computing threatens traditional encryption standards. The security community has focused on protecting legitimate systems against future decryption risks.
Attackers now use the same narrative offensively. Even when the implementation is partial or inconsistent, 'post-quantum encryption' changes boardroom conversations. It turns a ransomware incident from an operational emergency into a perceived cryptographic dead end.
That perception matters. Executives do not negotiate with algorithms; they negotiate with consequences. If virtualization platforms fail, backups disappear, and security teams believe the encryption cannot be reversed, pressure to pay rises. Kyber's success does not depend only on Kyber1024. It relies on synchronized attacks across Windows and ESXi, anti-recovery controls, interface defacement, and fear of quantum-safe criminal encryption.
Defenders should focus less on post-quantum branding novelty and more on practical resilience. Immutable backups, segmented infrastructure, privileged access controls, and monitoring for VMware defacement or mass shadow copy deletion remain the most important measures. Restricting utilities such as vssadmin, wmic, and wevtutil can reduce damage during attacks. Security teams should treat cryptographic claims as secondary. The attacker's true objective is total operational paralysis.
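The anti-recovery command list above and the advice to monitor for mass shadow copy deletion translate naturally into a clustering detection: a single shadow-copy cleanup is routine, but several distinct recovery-destroying actions from one host within minutes is not. The added example below is my own detection logic, not the article's or Rapid7's; its log lines are constructed, the tab-separated field order is an assumption to adapt to your Sysmon or 4688 export, and the bcdedit and wbadmin patterns assume those are the utilities behind the boot-option and system-state steps, which the article describes without naming the tools.

```python
# Added example (not the article's or Rapid7's code): flag hosts that run the
# anti-recovery command cluster described above. Log lines are constructed and
# tab-separated as "<ISO time>\t<host>\t<command line>"; adapt parse_line() to fit.
import re
from datetime import datetime, timedelta

# One pattern per recovery-destroying action; bcdedit/wbadmin are assumed tools.
ANTI_RECOVERY = [
    ("shadow_copy_delete", r"\bvssadmin\b.*\bdelete\s+shadows|\bwmic\b.*\bshadowcopy\b.*\bdelete\b"),
    ("boot_recovery_off", r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("systemstate_backup_delete", r"\bwbadmin\b.*\bdelete\s+systemstatebackup\b"),
    ("eventlog_clear", r"\bwevtutil\b.*\b(cl|clear-log)\b"),
    ("vm_hard_stop", r"\bStop-VM\b.*-TurnOff\b"),
]
ANTI_RECOVERY = [(n, re.compile(p, re.I)) for n, p in ANTI_RECOVERY]
WINDOW = timedelta(minutes=5)   # distinct actions must fall inside this span...
THRESHOLD = 3                   # ...and at least this many of them, per host

def parse_line(line):
    ts, host, cmd = line.rstrip("\n").split("\t", 2)
    return datetime.fromisoformat(ts), host, cmd

def classify(cmd):
    return {name for name, rx in ANTI_RECOVERY if rx.search(cmd)}

def find_clusters(lines):
    """Map host -> sorted distinct actions for hosts reaching THRESHOLD distinct
    actions inside any WINDOW-long sliding interval; a lone cleanup stays quiet."""
    by_host = {}
    for line in lines:
        ts, host, cmd = parse_line(line)
        by_host.setdefault(host, []).extend((ts, a) for a in classify(cmd))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {a for t, a in events[i:] if t - start <= WINDOW}
            if len(seen) >= THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts
SAMPLE_LOG = [  # constructed, not captured from a real incident
    "2026-03-10T02:14:01\tFS01\tvssadmin.exe delete shadows /all /quiet",
    "2026-03-10T02:14:02\tFS01\tbcdedit /set {default} recoveryenabled no",
    "2026-03-10T02:14:03\tFS01\twbadmin delete systemstatebackup -keepVersions:0",
    "2026-03-10T02:14:09\tFS01\twevtutil cl Security",
    "2026-03-10T02:15:00\tHV01\tpowershell.exe Get-VM | Stop-VM -Force -TurnOff",
    "2026-03-10T09:00:00\tWS22\tvssadmin delete shadows /for=C: /oldest",
]

if __name__ == "__main__":
    print(find_clusters(SAMPLE_LOG))  # only FS01 is reported
```

HV01 and WS22 each match a single action and so stay below the threshold; lower THRESHOLD or add a per-action alert if your environment never runs these tools legitimately.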
Kyber ransomware proves the future of ransomware is not just stronger encryption—it is stronger narrative control. The attackers know fear scales faster than malware. By blending real post-quantum cryptography with exaggerated claims and targeted infrastructure disruption, they create a threat that feels both technically advanced and psychologically overwhelming. Whether the encryption is truly post-quantum or just posturing, the business impact stays immediate, expensive, and very real.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.