kyber

Ransomware group profile

1Victims

50Impact score

Description

Kyber is a ransomware group that emerged in September 2025, specializing in attacks on both Windows and VMware ESXi environments. Their operation incorporates a double extortion model and claims the use of post-quantum encryption to pressure victims into paying ransoms, despite skepticism about their technical implementation.

Key insights

•Utilizes a double extortion model by encrypting files and exfiltrating sensitive data.
•Initial access techniques include phishing, exploitation of software vulnerabilities, and RDP brute-forcing.
•Employs a hybrid encryption scheme using AES-256-CTR and claims to use advanced cryptographic methods.
•Often deletes Volume Shadow Copies and terminates critical services to hinder recovery efforts.
•Targets multiple sectors including finance, information, and public administration.

Industries

Energy & Utilities Financial Services Government & Defense Manufacturing Other Technology Transportation

Threat Level & Status Breakdown

For kyber · Based on incidents in selected period

0.1threat level

Aggressiveness0.3/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed100.0%1

First seenApr 2026

Last seenApr 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 6, 2026

Recent activity

Monthly attack count for kyber in the selected period

1Total attacks

1peak in Apr

1avg / month

Intelligence

IOCs, YARA/Sigma rules, and related families for kyber

df2dba375800d76695d5ca37e5c72a50
fcca04669f1a9c79786e29914563c772584fba1aebc58ce1fd17c8e11a1266ea
1b66614d63ce9f1b0b9f68464a93d826a3af7e08ccadcbc662f8444f0eaab6b9
f9e1d038b1f5220e888b56e97881937f
18498b1ff111ee9d9a037c280f75b720
45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d
5a5f2bfea416f4b9ed4e6e45d82df524c1d9fa5f99c08944f2bacdf5bf9f525d
ef054d22823758290db94aab3c901471a9ebd633f94963030806cc68dd433d8d
6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc
0e9a47782e39741a2c161bf639252d33ad3a428a
4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29

View full IOC feed14 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for kyber

Other

T1486

T1490

T1078

T1562

T1489

T1070.004

T1562.001

T1562.009

T1070.001

T1491

T1071.001

T1204

Victims(1)

Company	Domain	Country	Industry	Status	Discovered
L3HARRIS	—	US United States	Government & Defense	Claimed	about 1 month ago

Affected countries(4)

Countries where this group has been reported to target or leak victims.

🇦🇺Australia 🇩🇪Germany 🇬🇧United Kingdom 🇺🇸United States