Kyber Ransomware | WatchGuard Technologies

Description

Uses AES-256-CTR to encrypt files with Curve25519 + Kyber-1024 quantum encryption to create encryption keys. Likely named after the encryption mechanism Kyber-1024, which is seldom seen or used for ransomware at the time of it's inception.

Known for publishing a well-known US Defense Contractor as first victim.

This entry is under construction. However, we have included some details below.

Ransomware Type

Crypto-Ransomware

Data Broker

First Seen

September 2025

Extortion Links

Medium

Link

DLS File Server

http://tp7e2ekeoqqozyq2t3oy53tzbybvg6ehtinc7kjowtpvbkssprkdmuid.onion

TOR

http://kyblogtz6k3jtxnjjvluee5ec4g3zcnvyvbgsnq5thumphmqidkt7xid.onion

Extortion Types

Direct Extortion

Double Extortion

Free Data Leaks

Communication

Medium

Identifier

TOR

minminnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd.onion/chat/<Chat ID>

Encryption

Type

Hybrid

Files

AES-256-CTR

Key

Kyber-1024

Additional Encryption

Curve25519

File Extension

<file name>.<file extension>.#~~~

Ransom Note Name

READ_ME_NOW.txt

lockerlog_<YYYY.DD.MM_hh.mm.ss>.log

Ransom Note Image

Click to enlarge

Click to enlarge

Samples (SHA-256)

4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29

Known Victims

Industry Sector	Country	Extortion Date	Amount (USD)
Defense	United States	2025-10-12

References & Publications

Secplicity: New Kyber Ransomware Posts U.S. Defense Contractor As First Victim

Ransomware - Kyber