Kyber ransomware is not just post-quantum name-dropping
Kyber ransomware is a Rust-based Windows malware that uses genuine hybrid post-quantum cryptography for file encryption, combining AES-256-CTR with Kyber1024 and X25519 for key protection. It appends a fixed-size encrypted metadata trailer and marks encrypted files with a .#~~~ extension. Analysis confirmed the cryptographic implementation is valid, but no practical recovery method from the sample alone exists. The ransomware targets multiple file types and employs standard techniques to inhibit recovery. A separate ESXi variant with different cryptography exists under the same branding. As of April 2026, a large American defense contractor and IT services provider was publicly identified as a victim. No known exploits in the wild or patches are available.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Kyber ransomware implements authentic hybrid post-quantum cryptography rather than using the name for branding only. The Windows variant encrypts files using AES-256-CTR and protects keys with Kyber1024 and X25519 algorithms, appending a 0x744-byte encrypted metadata trailer. Instrumented analysis validated the cryptographic operations through fixture decryption but found no practical way to recover files from the sample alone. It targets multiple file types and uses standard recovery-inhibition techniques, marking encrypted files with a distinctive .#~~~ extension. A separate ESXi variant exists but uses different cryptographic methods despite similar branding. The ransomware was publicly linked to a large American defense contractor and IT services provider as a victim in April 2026. No CVE or patch information is available, and no known exploits in the wild have been reported.
Potential Impact
The ransomware encrypts victim files with strong hybrid post-quantum cryptography, making recovery without the decryption key impractical based on current analysis. It disrupts normal file access by appending encrypted metadata and changing file extensions. The use of advanced cryptographic algorithms suggests a high level of technical sophistication, potentially increasing the difficulty of incident response and recovery. The public identification of a large American defense contractor and IT services provider as a victim indicates targeting of high-value organizations. No known exploits or patches exist, so affected systems remain vulnerable to data encryption and operational disruption.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is available, mitigation should focus on standard ransomware defenses such as maintaining offline backups, restricting access to critical systems, and monitoring for indicators of compromise including the provided hashes and onion domains. Incident response teams should be prepared for complex recovery scenarios due to the advanced cryptography used. No vendor advisory indicates that the threat is already mitigated or requires no action.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.derp.ca/research/kyber-ransomware-hybrid-crypto/
- Adversary: null
- Pulse Id: 69f1d20216d6091f01f8a6eb
- Threat Score: null
Indicators of Compromise
Threat ID: 69f1dbedcbff5d8610f30be2
Added to database: 4/29/2026, 10:22:37 AM
Last enriched: 4/29/2026, 10:38:43 AM
Last updated: 4/29/2026, 8:56:13 PM