Kyber ransomware is not just post-quantum name-dropping
Essential information
- Published: 29/04/2026 11:40
- Modified: 29/04/2026 10:44
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: aes-ctr encryption file encryption hybrid encryption kyber kyber1024 post-quantum cryptography rust ransomware x25519
- Tags: 2026-04-29 aes-ctr encryption file-encryption hybrid encryption kyber kyber1024 post-quantum cryptography rust ransomware x25519
- Related entities: 8 indicators, 8 observables, 15 techniques (mitre), 1 malware, 5 others
Description
A detailed technical analysis confirms that Kyber ransomware implements genuine hybrid post-quantum cryptography rather than mere branding. The Rust-based Windows variant encrypts files using AES-256-CTR with Kyber1024 and X25519 for key protection, appending a fixed 0x744-byte trailer containing encrypted metadata. Instrumented analysis validated the cryptographic implementation through fixture decryption but found no practical recovery path from the sample alone. The encryptor targets multiple file types, deploys standard recovery-inhibition techniques, and marks encrypted files with a .#~~~ extension. A separate ESXi variant was found to use different cryptography despite similar branding. As of April 2026, one victim was publicly listed: a large American defense contractor and IT services provider.