Kyber Ransomware Experiments with Post-Quantum Encryption, Targets Windows and VMware Simultaneously


223/69 Friday, April 24, 2026

A new ransomware group known as Kyber has been observed targeting critical enterprise infrastructure, particularly servers running on Windows and VMware ESXi. A major U.S.-based defense contractor and IT services provider has reportedly already fallen victim. The attackers use a Tor-based leak site called “Wall of Wonders” to pressure victims by threatening to publish stolen sensitive data if ransom demands are not met.

A notable technical aspect of Kyber is its claimed use of the Kyber1024 encryption standard, a post-quantum cryptographic algorithm designed to resist decryption by quantum computers. According to analysis by Rapid7, the Windows variant, written in Rust, does incorporate this technology alongside X25519 to protect encryption keys. However, the Linux ESXi version appears to exaggerate its capabilities, as it still relies on traditional algorithms such as RSA-4096 and ChaCha8 for file encryption. Additionally, the malware includes experimental features that allow it to directly shut down virtual machines (VMs) on Hyper-V systems, enabling simultaneous encryption across network environments.

In terms of impact, Kyber is designed to completely eliminate recovery options for victims. It deletes Shadow Copies, disables boot repair mechanisms, terminates SQL and Exchange services, clears event logs, and empties system recycle bins to remove evidence. While the adoption of post-quantum cryptography represents an advanced technical evolution in ransomware, the outcome for victims remains the same: files are effectively unrecoverable without the attacker’s decryption key. As such, organizations are strongly advised to maintain offline backups and implement proactive security measures to defend against increasingly sophisticated cyber threats.
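The recovery-inhibiting steps listed above tend to occur together in a short burst, which is easier to detect than any single step. The following added example (not from the original article or from Rapid7's analysis) flags hosts where several of those behaviours appear within a few minutes in process-creation logs. The command-line patterns, the tab-separated log format and the host names are assumptions made for illustration, not indicators from the Kyber analysis.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour category -> pattern over a process command line. Patterns are
# assumptions based on built-in Windows tools, not Kyber-specific indicators.
RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I),
    "boot_repair_disable": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog", re.I),
    "service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S*(sql|msexchange)", re.I),
    "recycle_bin_empty": re.compile(r"clear-recyclebin|\$recycle\.bin", re.I),
}

def classify(cmdline):
    """Return the set of behaviour categories a command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def detect(lines, window=timedelta(minutes=10), threshold=3):
    """Return {host: sorted categories} for hosts that show at least
    `threshold` distinct categories inside one sliding `window`."""
    events = defaultdict(list)
    for line in lines:
        ts, host, cmd = line.split("\t", 2)
        for cat in classify(cmd):
            events[host].append((datetime.fromisoformat(ts), cat))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= threshold:
                alerts[host] = sorted(cats)
                break
    return alerts

# Constructed sample: timestamp <TAB> host <TAB> command line
SAMPLE = [
    "2026-04-24T02:10:01\tSRV-DB01\tnet stop MSSQLSERVER /y",
    "2026-04-24T02:10:05\tSRV-DB01\tvssadmin.exe delete shadows /all",
    "2026-04-24T02:10:09\tSRV-DB01\tbcdedit /set {default} recoveryenabled no",
    "2026-04-24T02:10:12\tSRV-DB01\twevtutil cl Security",
    "2026-04-24T09:30:00\tWKS-ADM7\twevtutil cl Application",
    "2026-04-24T14:02:00\tWKS-ADM7\tnet stop MSSQL$DEV",
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Requiring several distinct categories in one window keeps isolated administrative actions, such as the two WKS-ADM7 events hours apart, from raising an alert.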

Source: https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/