
Kyber Ransomware Sells Post-Quantum Crypto. Rapid7 Says It's a Lie.


Rapid7's IR team published a reverse-engineering breakdown of the Kyber ransomware crew this week, based on two distinct binaries they pulled out of a single engagement in March 2026. The writeup is worth reading in full if you do ransomware work, but the short version is that Kyber is a mid-tier RaaS operation with a marketing department, and this post is about what the technical findings tell us that the marketing tries to hide.

The Marketing Lie

Kyber, as a brand, leans hard on the claim that it uses Kyber1024 post-quantum key encapsulation to protect ransom keys. This is on their leak site, in their ransom notes, in the affiliate recruitment pitches that occasionally surface on the dark web, and in a small amount of infosec press that took the marketing at face value.

Rapid7 did the work. The ESXi Linux binary they analyzed uses ChaCha8 for symmetric file encryption and RSA-4096 for key wrapping. That is a perfectly functional ransomware crypto stack in 2026, and most ransomware families use a variant of it. It is also not post-quantum. ChaCha8 is a classical stream cipher with a reduced round count, and RSA-4096 is the exact thing a post-quantum scheme is supposed to replace because Shor's algorithm breaks it on a hypothetical quantum computer.

The marketing works because most victims do not care what crypto is in the binary. Victims care whether the decryption key is recoverable without paying, and for this class of ransomware, the answer is "no, classically-secure RSA-4096 is enough." Calling the brand "Kyber" was a growth-hacking decision, not a technical one.

This kind of misrepresentation matters for one narrow reason: if your threat intel team is tracking actors based on claimed cryptography, you are going to put Kyber in the wrong bucket. It is a classical ransomware operation with post-quantum cosplay. Treat it accordingly.

The Actually Concerning Finding

Now the part that is load-bearing for a defender. Rapid7 recovered two Kyber binaries from the same engagement. Same campaign ID, same Tor infrastructure, clearly the same operator. One was the Linux ESXi build I just described. The other was a Rust Windows build designed for file servers, with an "experimental" Hyper-V branch that appears to target Hyper-V hosts if they are reachable.

The significance is in the simultaneous deployment. This is an affiliate who, on one intrusion, has both a Windows payload and a purpose-built ESXi payload ready to go, and deployed them to the same network inside the same intrusion window. That is a workflow change from the earlier RaaS norm, which was "encrypt endpoints, ransom, maybe eventually get around to virtualization if the negotiation stalls."

The reason this matters is that the mid-market incident response playbook for ransomware, which I have seen at dozens of mid-sized organizations in Georgia and Central Asia, assumes a serial attacker. Windows gets hit, the SOC notices, IR engages, the team starts the "isolate, scope, recover" cadence. Recovery leans on the virtualization tier, because that is where the golden-image VM restores live, and that is where the offsite backup replication mounts. If the virtualization tier is also encrypted in the same incident, "recover from backup" stops being a 36-hour operation and becomes a multi-week rebuild from offline media, assuming you have offline media, which most mid-market shops do not.

Kyber is not the first family to do simultaneous Windows-plus-ESXi. ALPHV/BlackCat did it years ago, Royal does it, the more recent Medusa and Akira builds do it. What makes the Rapid7 find worth pulling out is the operational maturity: a single affiliate, during one active engagement, is arriving with both payloads pre-staged and executing them in parallel. That is a shift from "a few elite crews can pull this off" to "this is the baseline tradecraft for a Kyber affiliate in 2026."

What to Actually Do This Week

Two things this week, and one ongoing.

One, audit the isolation of your ESXi management plane. If your vCenter appliance or your ESXi hosts are reachable from an endpoint VLAN, that is the access path a Kyber operator will use. The minimum control is a dedicated management network segment that endpoint users cannot reach, plus MFA on vCenter and root-level SSH disabled on the ESXi hosts. "We'll fix it in Q3" is not the answer when the attacker tempo has moved to this week.
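Two of those checks can be scripted. The following is an added example, not code from Rapid7 or from this post's author: it probes the management plane from a workstation on an endpoint VLAN (any successful connection is a finding) and parses the output of `esxcli network firewall ruleset list` from an ESXi host to flag an enabled sshServer ruleset. The hostnames, ports and sample esxcli output are constructed.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory: management hosts and ports an endpoint VLAN should never reach.
MGMT_TARGETS = {
    "vcenter.example.internal": [443, 22],      # vSphere Client, appliance SSH
    "esxi01.example.internal": [443, 22, 902],  # host client, SSH, vmware-authd
}

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_reachability(targets: Dict[str, List[int]],
                       probe: Callable[[str, int], bool] = tcp_probe) -> List[Tuple[str, int]]:
    """Run from an endpoint VLAN: every (host, port) returned is an isolation finding."""
    return [(h, p) for h, ports in targets.items() for p in ports if probe(h, p)]

def enabled_rulesets(esxcli_output: str) -> List[str]:
    """Parse `esxcli network firewall ruleset list` text into enabled ruleset names."""
    names = []
    for line in esxcli_output.splitlines()[2:]:  # skip the header and dashed line
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() == "true":
            names.append(parts[0])
    return names

def ssh_exposed(esxcli_output: str) -> bool:
    """True when the host still accepts SSH (the control the text says to disable)."""
    return "sshServer" in enabled_rulesets(esxcli_output)

# Constructed sample of the esxcli output, with SSH left on.
SAMPLE_RULESETS = """Name                 Enabled
-------------------  -------
sshServer               true
sshClient              false
vSphereClient           true
"""

if __name__ == "__main__":
    for host, port in audit_reachability(MGMT_TARGETS):
        print(f"FINDING: {host}:{port} reachable from this endpoint VLAN")
    if ssh_exposed(SAMPLE_RULESETS):
        print("FINDING: sshServer ruleset enabled on the ESXi host")
```

Run the reachability part from an ordinary user workstation, not from the admin jump host, or it will tell you nothing about the segmentation that matters.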

Two, validate that your backup recovery path does not depend on the production ESXi cluster. If your backup system restores by pushing images back into the same vCenter that just got encrypted, you do not have a backup system, you have a replication system. Run an actual recovery drill that assumes the virtualization tier is unrecoverable and see how long it takes you to stand up a clean replacement cluster from offline media. Most mid-market teams have never done this drill. The first time they do it is during a live Kyber incident, which is the wrong time to learn.

Three, stop believing the marketing on ransomware family crypto. If the press release says "post-quantum," assume it is not. The technical research from vendors like Rapid7, Mandiant, Talos, and Sophos is the source of truth. The leak site is the source of growth-hacking. Cite the former in your threat briefs, not the latter.

The Durable Lesson

The Kyber writeup is a small data point, but it fits inside a larger pattern. Ransomware affiliates are getting better at multi-payload, multi-platform, simultaneous deployment. The 2022 model where you could trust "endpoints hit first, virtualization later if ever" is gone. The 2026 model is that a capable affiliate arrives with Windows, ESXi, and Hyper-V builds already in their kit bag and executes them in parallel against whatever they find in your network during the intrusion.

The defender's side of that ratio has not moved at the same pace. Most organizations I work with still treat the virtualization tier as an implicit recovery asset that will be there when things go wrong. It is not. It is a production attack surface that needs the same isolation, patching, and detection rigor you apply to your endpoints, and the Rapid7 Kyber writeup is the latest reminder that the attacker side already knows this.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want the honest conversation about your virtualization tier before a Kyber affiliate hands you one.
