A newly observed ransomware group calling itself Kyber has been targeting Windows file servers and VMware ESXi virtual machines, encrypting files and demanding payment for a decryption key. The group has advertised its operation as using “post-quantum” encryption — specifically a cryptographic scheme called Kyber1024 — in what appears to be an effort to make recovery seem impossible without paying.
Security researchers at Rapid7 who responded to actual Kyber incidents in March 2026 found that the post-quantum claim is overstated. While the Windows variant, written in Rust, does include experimental Kyber1024 key encapsulation, the Linux variant targeting VMware actually relies on standard ChaCha8 file encryption and RSA-4096 key wrapping — both well-established algorithms with no quantum component. Still, the ransomware encrypts files effectively and has disrupted real organizations. Both variants are deployed by the same affiliate on the same network simultaneously to maximize the damage, locking down both Windows file servers and virtual machines at once.