Kyber ransomware gang toys with post-quantum encryption on Windows

Published:

22 April 2026 at 18:52:29

Alert date:

22 April 2026 at 19:00:56

Source:

bleepingcomputer.com

Ransomware & Malware, Operating Systems, Cloud & Virtualization

A new Kyber ransomware operation is actively targeting Windows systems and VMware ESXi endpoints in recent attacks. One variant of this ransomware implements Kyber1024 post-quantum encryption, representing an evolution in ransomware encryption techniques. The gang is conducting ongoing attacks against enterprise infrastructure including virtualization platforms. This represents a concerning development as ransomware groups begin adopting advanced cryptographic methods. The attacks target both Windows workstations and critical virtualization infrastructure.

Technical details

The Kyber ransomware operation targets Windows systems and VMware ESXi endpoints with two distinct variants. The ESXi variant is built for VMware environments and has datastore encryption, VM termination, and management interface defacement capabilities. The Windows variant, written in Rust, includes experimental Hyper-V targeting. The ESXi version uses ChaCha8 for file encryption and RSA-4096 for key wrapping despite claiming post-quantum encryption, while the Windows variant implements actual Kyber1024 and X25519 for key protection, with AES-CTR for bulk data encryption. The ESXi variant appends the '.xhsyw' extension to encrypted files; the Windows variant uses the '.#~~~' extension. Both share the same campaign ID and Tor-based ransom infrastructure. Encryption behaviour varies by file size: files smaller than 1MB are encrypted fully, files of 1-4MB have only their first MB encrypted, and larger files are intermittently encrypted.
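The size-tiered encryption described above matters for recovery scoping: a file the ransomware only partially encrypted may still hold usable data past the encrypted span. The following triage script is an added example, not code from the advisory or from the original article; it maps a file's size onto the three tiers the advisory reports and checks, by per-chunk entropy, which regions actually look encrypted. The 64 KB chunk size, the 7.5 bits/byte threshold and the sample buffers are assumptions constructed here; the advisory gives no stride for the intermittent mode.

```python
import math
import os
from collections import Counter

# File extensions the advisory attributes to the two variants (ESXi, Windows).
KYBER_EXTENSIONS = (".xhsyw", ".#~~~")
MB = 1024 * 1024
CHUNK = 64 * 1024     # analysis granularity; an assumption, the advisory gives no stride
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext sits near 8.0, documents and text well below

def expected_encrypted_span(size: int) -> str:
    """Map a file size onto the encryption tiers the advisory describes."""
    if size < MB:
        return "full"            # <1MB: whole file encrypted
    if size <= 4 * MB:
        return "first_mb"        # 1-4MB: only the first MB encrypted
    return "intermittent"        # larger: intermittently encrypted (pattern not given)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def encrypted_chunk_map(data: bytes) -> list:
    """One flag per CHUNK-sized slice: True where the slice looks like ciphertext."""
    return [shannon_entropy(data[i:i + CHUNK]) >= HIGH_ENTROPY
            for i in range(0, len(data), CHUNK)]

def triage_bytes(name: str, data: bytes) -> dict:
    """Compare a file's observed encrypted regions with the tier its size predicts."""
    chunks = encrypted_chunk_map(data)
    first_mb = chunks[: MB // CHUNK]
    return {
        "kyber_extension": name.endswith(KYBER_EXTENSIONS),
        "size": len(data),
        "expected": expected_encrypted_span(len(data)),
        "encrypted_fraction": sum(chunks) / len(chunks) if chunks else 0.0,
        "first_mb_encrypted": bool(first_mb) and all(first_mb),
    }

def demo() -> dict:
    """Constructed in-memory stand-ins for encrypted files (not real samples)."""
    text = b"quarterly report line\n" * 100
    samples = {
        "notes.txt.xhsyw": os.urandom(512 * 1024),                           # <1MB, fully encrypted
        "backup.vmdk.xhsyw": os.urandom(MB) + text * (2 * MB // len(text)),  # 1-4MB, first MB only
        "plain.txt": text * 8,                                               # untouched file
    }
    return {name: triage_bytes(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

To run it over a real directory, feed `triage_bytes(path.name, path.read_bytes())` each file whose name ends in one of the listed extensions; a mismatch between `expected` and the observed fraction is worth a closer look.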

Mitigation steps:

Implement comprehensive backup strategies with offline copies
Monitor for file encryption activities
Secure virtualization infrastructure
Implement network segmentation to prevent lateral movement
Monitor for service termination and shadow copy deletion activities
Secure SQL and Exchange services

Affected products:

Windows
VMware ESXi
Hyper-V
SQL Server
Microsoft Exchange

Related links:

Related CVEs:

Related threat actors:

IOCs:

.xhsyw file extension, .#~~~ file extension, ChaCha8 encryption, RSA-4096 key wrapping, Kyber1024 encryption, AES-CTR encryption, Tor-based ransom infrastructure

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.