Kyber ransomware ships dual ESXi/Windows payloads, fakes post-quantum crypto on Linux
Original source: BleepingComputer, "Kyber ransomware gang toys with post-quantum encryption on Windows"
Rapid7 analyzed two Kyber ransomware variants deployed in tandem during a March 2026 incident, one targeting VMware ESXi and a Rust-built sibling hitting Windows file servers. Shared campaign IDs and Tor infrastructure point to a single affiliate trying to detonate everything at once for maximum leverage. The only named victim so far is a multi-billion-dollar US defense contractor and IT services provider.
The operation markets itself on Kyber1024 post-quantum key encapsulation, but the marketing only matches the code on Windows. There, Kyber1024 paired with X25519 wraps an AES-CTR symmetric key. The Linux ESXi encryptor lies — it uses RSA-4096 to wrap a ChaCha8 file key, with encryption tiered by file size (files under 1MB are fully encrypted, files up to 4MB partially, and larger files intermittently). Either way the recovery story is identical: without the attacker's private key, the files are gone.
The Windows build is the more mature artifact. It enumerates and shuts down Hyper-V VMs as an “experimental” feature, appends a .#~~~ extension, and aggressively closes recovery paths — deleting shadow copies, disabling boot repair, killing SQL/Exchange/backup services, clearing event logs, and emptying the Recycle Bin. The ESXi variant focuses on datastore encryption, optional VM termination, and defacing management interfaces with ransom notes. One oddity: the Windows mutex name references a track on the Boomplay music platform.
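The recovery-inhibition chain above (shadow copies, boot repair, SQL/Exchange/backup services, event logs) plus the .#~~~ extension is the kind of sequence a defender wants to correlate. Below is an added detection sketch, not code from Rapid7 or the article, that scans constructed process-creation events for those behaviours and flags a parent process that trips several of them; the article does not state which exact commands Kyber runs, so the command forms in the sample and the regexes are assumptions based on how these actions are commonly carried out.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation events (not from the article), one per line as
# "<timestamp> <parent> -> <command line>". The commands are the commonly observed
# ways the recovery-inhibition steps listed above are carried out; the article does
# not state which exact commands Kyber runs, so the command forms are assumptions.
SAMPLE_EVENTS = """\
2026-03-14T02:12:40Z svc.exe -> vssadmin.exe delete shadows /all /quiet
2026-03-14T02:12:41Z svc.exe -> bcdedit.exe /set {default} recoveryenabled No
2026-03-14T02:12:41Z svc.exe -> bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2026-03-14T02:12:43Z svc.exe -> net.exe stop MSSQLSERVER /y
2026-03-14T02:12:44Z svc.exe -> wevtutil.exe cl Security
2026-03-14T02:13:10Z svc.exe -> cmd.exe /c ren report.docx report.docx.#~~~
2026-03-14T02:15:00Z backup.exe -> vssadmin.exe list shadows
"""

# One pattern per behaviour the write-up attributes to the Windows build.
RULES: Dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "boot_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "db_or_backup_service_stopped": re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\b.*(sql|exchange|backup|veeam)", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "kyber_extension_seen": re.compile(r"\.#~~~(\s|$)"),
}
# The .#~~~ extension corroborates; the other four form the recovery-inhibition chain.
RECOVERY_RULES = set(RULES) - {"kyber_extension_seen"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(.*)$")

def scan_events(log: str) -> List[Tuple[str, str, str]]:
    """Return (rule, parent, command) for every event that trips a rule."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting triage
        _ts, parent, cmd = m.groups()
        hits.extend((rule, parent, cmd) for rule, pat in RULES.items() if pat.search(cmd))
    return hits

def flag_parents(hits, threshold: int = 2) -> Dict[str, List[str]]:
    """Parents whose children tripped at least `threshold` distinct recovery rules."""
    seen = defaultdict(set)
    for rule, parent, _cmd in hits:
        if rule in RECOVERY_RULES:
            seen[parent].add(rule)
    return {p: sorted(r) for p, r in seen.items() if len(r) >= threshold}
```

The threshold keeps a legitimate backup job that merely lists shadow copies from firing; on the sample, only svc.exe is flagged, with all four recovery rules tripped.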
This is an AI-generated summary; read the original BleepingComputer article for the full story.