
Kyber Ransomware Deploys Post‑Quantum Encryption Against Windows and VMware ESXi Servers, Hits Defense Contractor

Rapid7 identified two Kyber ransomware variants that encrypt Windows file servers and VMware ESXi hosts using post‑quantum Kyber1024 and classic RSA‑4096. The campaign, linked to a multi‑billion‑dollar U.S. defense contractor, deletes backups and disables services, raising supply‑chain risk for critical‑infrastructure vendors.

🛡️ LiveThreat™ Intelligence · 📅 April 23, 2026 · 📰 bleepingcomputer.com

  • Severity: High
  • Type: Ransomware
  • Confidence: High
  • Affected: 3 sector(s)
  • Actions: 3 recommended
  • Source: bleepingcomputer.com

Kyber Ransomware Uses Post‑Quantum Encryption to Target Windows File Servers and VMware ESXi, Impacts Defense Contractor

What Happened – In March 2026 Rapid7 observed two Kyber ransomware variants: one, written in Rust, that encrypts Windows file servers, and another that attacks VMware ESXi hosts. The Windows variant employs Kyber1024 key encapsulation and X25519 to protect its file‑encryption key, while the ESXi variant uses ChaCha8 for bulk encryption and RSA‑4096 for key wrapping. Both encryptors delete backups, shadow copies, and services, and the campaign is linked to a multi‑billion‑dollar U.S. defense contractor listed on the Kyber extortion portal.

Why It Matters for TPRM

  • Ransomware that leverages emerging post‑quantum cryptography may evade traditional decryption tools, extending dwell time.
  • The attack spans both physical and virtual infrastructure, increasing supply‑chain exposure for vendors that host or manage VMs.
  • A high‑profile defense contractor victim signals potential targeting of other critical‑infrastructure suppliers.

Who Is Affected – Government & defense contractors, IT services providers, cloud‑hosting and virtualization service vendors.

Recommended Actions

  • Verify that all third‑party vendors enforce immutable backup strategies and offline storage.
  • Conduct a cryptographic‑tool audit to ensure decryption capabilities for both classic and post‑quantum algorithms.
  • Review and harden VMware ESXi and Hyper‑V configurations, disabling unnecessary remote management interfaces.

Technical Notes – The ESXi variant enumerates VMs, encrypts datastore files, and defaces the management UI; it uses ChaCha8 for bulk encryption and RSA‑4096 for key wrapping. The Windows variant encrypts files with AES‑CTR, protects the symmetric key with Kyber1024/Kyber‑KEM and X25519, and appends “.#~~~” to encrypted files. Both variants delete shadow copies, kill SQL/Exchange/backup services, and may terminate VMs. Source: BleepingComputer
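The behaviours listed above (shadow‑copy deletion, stopping SQL/Exchange/backup services, files renamed with the “.#~~~” suffix) are individually noisy but strong in combination. The following correlation rule is an added example, not code from the brief, Rapid7 or BleepingComputer; the telemetry records, their schema and the service‑name fragments are constructed assumptions.

```python
"""Correlate per-host signals the brief attributes to Kyber:
shadow-copy deletion, stops of SQL/Exchange/backup services, and
renames to the ".#~~~" suffix. Added example; telemetry schema and
service-name fragments are assumptions, not observed data."""
from collections import defaultdict

RANSOM_SUFFIX = ".#~~~"                      # suffix reported for the Windows variant
SENSITIVE_SERVICES = ("mssql", "msexchange", "backup")   # assumed name fragments
RENAME_THRESHOLD = 3                          # renames per host before we call it encryption

# Constructed telemetry: (host, event_type, detail). Not real logs.
SAMPLE_EVENTS = [
    ("fs01", "service_stop", "MSSQLSERVER"),
    ("fs01", "service_stop", "MSExchangeIS"),
    ("fs01", "shadow_copy_delete", "all"),
    ("fs01", "file_rename", "D:\\shares\\finance\\q1.xlsx.#~~~"),
    ("fs01", "file_rename", "D:\\shares\\finance\\q2.xlsx.#~~~"),
    ("fs01", "file_rename", "D:\\shares\\hr\\staff.docx.#~~~"),
    ("ws07", "service_stop", "Spooler"),                 # benign restart
    ("ws07", "file_rename", "C:\\Users\\a\\draft.txt.bak"),
    ("bk02", "service_stop", "BackupAgent"),             # one signal only
]


def score_host(events):
    """Return {host: {"signals": set, "renames": int, "verdict": str}}."""
    per_host = defaultdict(lambda: {"signals": set(), "renames": 0})
    for host, kind, detail in events:
        state = per_host[host]
        if kind == "shadow_copy_delete":
            state["signals"].add("shadow_copy_delete")
        elif kind == "service_stop" and any(s in detail.lower() for s in SENSITIVE_SERVICES):
            state["signals"].add("sensitive_service_stop")
        elif kind == "file_rename" and detail.endswith(RANSOM_SUFFIX):
            state["renames"] += 1
            if state["renames"] >= RENAME_THRESHOLD:
                state["signals"].add("ransom_suffix_renames")
    # Two or more distinct signals on one host: treat as active encryption.
    for state in per_host.values():
        n = len(state["signals"])
        state["verdict"] = ("encryption_in_progress" if n >= 2
                            else "suspicious" if n == 1 else "clean")
    return dict(per_host)


if __name__ == "__main__":
    for host, state in score_host(SAMPLE_EVENTS).items():
        print(host, state["verdict"], sorted(state["signals"]))
```

A single signal (bk02) only raises a "suspicious" verdict so that routine service restarts do not page anyone; the rename threshold should be tuned to the share's normal rename rate.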

📰 Original Source
https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
