ZCyberNews
Malware · High · 2 min read · Kyber

Kyber Ransomware Deploys Post-Quantum Encryption in Attacks

The Kyber ransomware gang is using a variant that implements Kyber1024 post-quantum encryption to target Windows and VMware ESXi systems, according to a BleepingComputer analysis.

Executive Summary

A new ransomware operation tracked as Kyber is deploying dual payloads against Windows systems and VMware ESXi hypervisors. One variant of the ransomware is notable for its experimental use of the Kyber1024 post-quantum cryptographic algorithm for file encryption, a rare feature in current ransomware campaigns.

Technical Analysis

According to analysis by BleepingComputer, the Kyber ransomware gang distributes separate payloads for Windows and Linux (targeting ESXi). The Windows variant is written in Rust and uses a combination of symmetric and asymmetric encryption. While it primarily employs the more common ChaCha20 and RSA algorithms, one specific sample was found to integrate the Kyber1024 key encapsulation mechanism (KEM) for key exchange. This implementation appears to be a test, as the sample still relies on RSA for the actual encryption key transport. The ransomware also attempts to terminate a list of over 200 processes and services related to databases, backups, and security software before encrypting files with a .kyber extension.

Tactics, Techniques & Procedures

The ransomware employs techniques to hinder recovery and defense. It terminates processes and services so that open files are not locked during encryption. For ESXi targets, the Linux variant is deployed to encrypt virtual machine files. The use of a post-quantum algorithm, even if not fully operational in the analyzed sample, indicates the actors are experimenting with advanced cryptographic techniques.

Threat Actor Context

The threat actor behind this campaign is identified as the "Kyber" ransomware operation. There is no clear attribution to a known nation-state or established cybercrime group in the available source material. The operation's focus on both Windows and VMware ESXi aligns with a broader ransomware trend targeting virtualization infrastructure for maximum impact.

Mitigations & Recommendations

Organizations should ensure robust, offline backups of critical systems, particularly VMware ESXi servers and virtual machine data. Security teams should monitor for attempts to terminate large numbers of processes related to backups and databases, which is a common precursor to ransomware encryption. Applying the principle of least privilege and segmenting networks can help limit lateral movement.
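One way to implement the monitoring recommended above, as an added example that is not from the article or from BleepingComputer's analysis: a sliding-window heuristic over process-exit records (Sysmon Event ID 5 style) that alerts when many backup, database, or security processes exit within a short window. The watch-list fragments, thresholds, and log lines are constructed for illustration and would need tuning per environment.

```python
"""Sliding-window heuristic for mass termination of backup/database processes.
Constructed example: scans process-exit records (Sysmon Event ID 5 style) and
alerts when many watch-listed processes exit within a short time window."""
from collections import deque
from datetime import datetime, timedelta

# Assumed watch-list of name fragments for backup/DB/security processes
# (chosen for illustration; not taken from the article or the sample).
WATCHLIST = ("sql", "veeam", "backup", "oracle", "postgres", "vss")


def is_watched(image: str) -> bool:
    """True if the exiting image's file name matches a watch-listed fragment."""
    name = image.rsplit("\\", 1)[-1].lower()
    return any(token in name for token in WATCHLIST)


def detect_mass_termination(events, threshold=5, window_seconds=60):
    """Return [(window_start, window_end, count)] for each burst of watched
    exits. events: (ISO timestamp, image path) pairs, assumed sorted by time."""
    alerts, recent, muted_until = [], deque(), None
    for ts_str, image in events:
        if not is_watched(image):
            continue
        ts = datetime.fromisoformat(ts_str)
        recent.append(ts)
        while ts - recent[0] > timedelta(seconds=window_seconds):
            recent.popleft()  # drop exits older than the window
        if len(recent) >= threshold and (muted_until is None or ts > muted_until):
            alerts.append((recent[0], ts, len(recent)))
            muted_until = ts + timedelta(seconds=window_seconds)  # one alert per burst
    return alerts


# Constructed log: routine exits during the day, then a burst at 12:00.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", r"C:\Windows\System32\notepad.exe"),
    ("2024-01-01T09:05:00", r"C:\Program Files\Veeam\VeeamAgent.exe"),
    ("2024-01-01T12:00:00", r"C:\Program Files\Microsoft SQL Server\sqlservr.exe"),
    ("2024-01-01T12:00:01", r"C:\Program Files\Microsoft SQL Server\sqlwriter.exe"),
    ("2024-01-01T12:00:02", r"C:\Program Files\MySQL\mysqld.exe"),
    ("2024-01-01T12:00:02", r"C:\Windows\System32\notepad.exe"),
    ("2024-01-01T12:00:03", r"C:\oracle\bin\oracle.exe"),
    ("2024-01-01T12:00:04", r"C:\Program Files\Veeam\VeeamAgent.exe"),
    ("2024-01-01T12:00:05", r"C:\Windows\System32\vssvc.exe"),
    ("2024-01-01T12:00:06", r"C:\PostgreSQL\bin\postgres.exe"),
]
```

Calling `detect_mass_termination(SAMPLE_EVENTS)` yields a single alert for the 12:00 burst; the isolated exits earlier in the day and the unrelated notepad.exe exit do not count toward the threshold.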

Tags: #ransomware #encryption #windows #vmware #threat-intel #kyber