What Happened
Rapid7 recovered two distinct ransomware variants from a single enterprise network during a March 2026 incident response, both belonging to a new group called Kyber. One variant targeted Windows file servers; the other targeted VMware ESXi hypervisors on the same network, indicating the group coordinates dual-platform deployments within a single intrusion.
The Windows variant is the more technically notable of the two. It uses Kyber1024, the lattice-based key encapsulation mechanism that NIST standardized as ML-KEM-1024 in FIPS 203, as part of its encryption scheme, and is reported as the first confirmed production use of a quantum-resistant algorithm in ransomware. The ESXi variant is more conventional: ChaCha8 for file encryption and RSA-4096 for key wrapping, despite the group's marketing material claiming post-quantum protection for both. The ESXi encryptor can encrypt datastores, optionally power off virtual machines before encryption, and deface the management interface. Rapid7 published the findings and BleepingComputer corroborated the reporting.
Why This Matters for Canadian Organizations
Ransomware groups experimenting with post-quantum cryptography is not a theoretical concern, but it matters for a narrower reason than the group's marketing suggests. Free decryptors from law enforcement or vendors almost never come from breaking RSA or ECC; they come from implementation mistakes (predictable key generation, keys left in memory or on disk, keys reused across victims) or from keys seized from the group's infrastructure, and those failure modes are just as possible in a Kyber-based encryptor as in an RSA-based one. A correctly implemented RSA-4096 key wrap is already beyond recovery with today's computers; what Kyber1024 changes is that the wrapped key also stays out of reach if a cryptographically relevant quantum computer ever arrives, so there is no "decrypt later" fallback either. The practical conclusion is unchanged: if Kyber's Windows encryptor is correctly implemented and the decryption key is lost or withheld, recovery from backup is the only viable path. That raises the operational stakes significantly for any Canadian organization without tested, isolated, and recent backups.
The dual-platform deployment pattern — Windows and ESXi on the same network — is consistent with how sophisticated ransomware affiliates operate in 2026. Encrypting virtualization infrastructure takes entire clusters of virtual machines offline simultaneously, amplifying impact far beyond what targeting individual endpoints achieves. Canadian enterprises in sectors with dense VMware footprints — financial services, healthcare, government shared services, and telecommunications — face outsized risk from this technique.
Defence contractors and IT services firms appear to be Kyber’s primary targets based on current victim profiling. Canadian companies in the defence industrial base, including suppliers to DND and organizations pursuing CPCSC Level 1 certification, should treat this threat group as directly relevant to their risk register. The CCCS tracks ransomware threat actors affecting Canadian critical infrastructure and is expected to issue relevant guidance as Kyber’s operations expand.
What to Do
Audit your VMware ESXi estate for internet-exposed management interfaces (vCenter, the ESXi host client, and SSH on hosts) and ensure vSphere access requires multi-factor authentication. Review backup architecture to confirm at least one offline or immutable copy exists for all critical systems, including the virtual machines on ESXi datastores; this is the primary recovery lever regardless of which key-wrapping algorithm the encryptor uses. Test restoration procedures under a ransomware scenario now, before an incident, and include a full hypervisor rebuild in the test. Segment ESXi management networks from general enterprise traffic. Monitor for the dual-platform deployment pattern: the same source address or account authenticating to Windows file servers and to hypervisor hosts within a short timeframe is a strong indicator of a ransomware pre-positioning stage. Because the ESXi variant can power off virtual machines before encrypting datastores, also alert on bulk VM power-off operations and on SSH being enabled on ESXi hosts outside of change windows. Report any suspected Kyber activity to the CCCS at cyber.gc.ca.
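One way to implement the dual-platform correlation described above, as an added example that is not code from Rapid7, BleepingComputer, or the Kyber report. It assumes a SIEM-normalized key=value event feed (the field names src, dst, platform, event, logon_type and user are assumptions) in which Windows logons appear as event 4624 with logon type 3 and ESXi access appears as ssh_login or shell_enabled events. The sample events are constructed for the example, not telemetry from the incident. It flags any source that touches both a Windows file server and an ESXi host within a configurable window, in either order, and reports the hosts involved and the time span.

```python
"""Correlate Windows file-server logons and ESXi host access from the same source.

Added example, not code from the Rapid7 report or the Kyber group. Field names
and the key=value layout are assumptions about a SIEM-normalized feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example; not telemetry from the incident.
SAMPLE_EVENTS = [
    "2026-03-14T02:11:05Z src=10.20.5.41 dst=FS01 platform=windows event=4624 logon_type=3 user=svc_backup",
    "2026-03-14T02:13:40Z src=10.20.5.41 dst=FS02 platform=windows event=4624 logon_type=3 user=svc_backup",
    "2026-03-14T02:15:10Z src=10.20.5.41 dst=FS03 platform=windows event=4625 logon_type=3 user=svc_backup",
    "2026-03-14T02:19:22Z src=10.20.5.41 dst=esxi-01 platform=esxi event=ssh_login user=root",
    "2026-03-14T02:20:01Z src=10.20.5.41 dst=esxi-02 platform=esxi event=shell_enabled user=root",
    "2026-03-14T09:30:00Z src=10.20.7.12 dst=FS01 platform=windows event=4624 logon_type=3 user=jdoe",
    "2026-03-13T16:00:00Z src=10.20.9.9 dst=esxi-01 platform=esxi event=ssh_login user=root",
    "2026-03-14T08:45:00Z src=10.20.9.9 dst=FS03 platform=windows event=4624 logon_type=3 user=admin",
]

WINDOWS_LATERAL = {"4624"}                    # successful logon; paired with logon_type=3 (network)
ESXI_ACCESS = {"ssh_login", "shell_enabled"}  # assumed normalized names for ESXi host access


def parse_event(line):
    """Parse 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_windows_lateral(ev):
    """Network logon to a Windows host; failed logons (4625) are ignored."""
    return (ev.get("platform") == "windows"
            and ev.get("event") in WINDOWS_LATERAL
            and ev.get("logon_type") == "3")


def is_esxi_access(ev):
    """SSH login or shell enablement on an ESXi host."""
    return ev.get("platform") == "esxi" and ev.get("event") in ESXI_ACCESS


def find_dual_platform_activity(lines, window_minutes=30):
    """Return one alert per source that reached both platforms within the window.

    Each alert lists the file servers and hypervisors involved, the earliest
    correlated event, and the span in seconds between first and last event.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(lambda: {"windows": [], "esxi": []})
    for line in lines:
        ev = parse_event(line)
        if is_windows_lateral(ev):
            by_src[ev["src"]]["windows"].append(ev)
        elif is_esxi_access(ev):
            by_src[ev["src"]]["esxi"].append(ev)

    alerts = []
    for src in sorted(by_src):
        win_hosts, esxi_hosts, times = set(), set(), []
        for w in by_src[src]["windows"]:
            for e in by_src[src]["esxi"]:
                # Either order counts: file servers first, hypervisors first, or interleaved.
                if abs(w["ts"] - e["ts"]) <= window:
                    win_hosts.add(w["dst"])
                    esxi_hosts.add(e["dst"])
                    times.extend((w["ts"], e["ts"]))
        if win_hosts and esxi_hosts:
            alerts.append({
                "src": src,
                "windows_hosts": sorted(win_hosts),
                "esxi_hosts": sorted(esxi_hosts),
                "first": min(times).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "span_seconds": int((max(times) - min(times)).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dual_platform_activity(SAMPLE_EVENTS):
        print(alert)
```

In the sample data only 10.20.5.41 fires: it reaches FS01 and FS02 and then esxi-01 and esxi-02 within nine minutes. The 10.20.9.9 source touches both platforms, but sixteen hours apart, so it stays below the threshold; tightening the window to a few minutes narrows the first alert to just the FS02 and esxi-01 pair. In production the window and the allowed sources (backup and patching systems legitimately touch both) should be tuned per environment, and the ESXi side should also include vCenter host-client logons once those are normalized into the same feed.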