Kyber ransomware gang toys with post-quantum encryption on Windows

A new Kyber ransomware operation has been observed targeting Windows systems and VMware ESXi endpoints, with Rapid7 analyzing two distinct variants deployed on the same network in March 2026. One variant targets VMware ESXi datastores, encrypts VM files, and defaces management interfaces, and it uses ChaCha8 and RSA-4096 despite its ‘post-quantum’ claims. The Windows variant, written in Rust, implements Kyber1024 for key encapsulation, disables recovery mechanisms, and includes an experimental Hyper-V shutdown feature.

Keypoints

  • Two Kyber variants were found on the same network in March 2026, one targeting VMware ESXi and the other targeting Windows file servers.
  • The ESXi variant enumerates VMs, encrypts datastores, and defaces ESXi management interfaces with ransom notes.
  • The Linux ESXi encryptor uses ChaCha8 and RSA-4096 despite advertising Kyber1024, while the Windows variant actually implements Kyber1024 and X25519 for key protection.
  • The Windows Rust variant appends the ‘.#~~~’ extension, terminates services, deletes backups, kills recovery paths, and includes an experimental Hyper-V shutdown feature.
  • Both variants share a campaign ID and Tor-based ransom infrastructure, indicating deployment by the same affiliate to maximize impact.

Read More: https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/