The takeaway: A ransomware group is using post-quantum cryptography less for technical reasons than for psychological pressure on victims. Security researchers analyzing a strain known as Kyber say the malware incorporates – or in some cases claims to incorporate – a cryptographic standard designed to withstand future quantum attacks. The approach marks a shift in how ransomware operators present their capabilities, even though the underlying mechanics remain largely conventional.

Kyber, first observed in circulation as early as September, takes its name from the alternate designation of ML-KEM (Module-Lattice-based Key Encapsulation Mechanism). The algorithm, standardized by the National Institute of Standards and Technology, is part of a broader effort to prepare encryption systems for a future in which quantum computers could break widely used schemes such as RSA and elliptic curve cryptography.

At a technical level, ML-KEM is not used to encrypt files directly. Instead, it is designed to securely exchange cryptographic keys using lattice-based mathematical problems that are not expected to be efficiently solvable by quantum computers.

In Kyber's Windows variant, researchers at Rapid7 found that the malware uses ML-KEM1024 – the strongest parameter set in the standard – to protect a randomly generated AES-256 key, which is then used to perform the actual file encryption.

This hybrid approach mirrors legitimate cryptographic design. Symmetric encryption such as AES remains efficient for large datasets, while asymmetric systems handle key exchange. In this case, however, the addition of post-quantum cryptography appears to offer little practical benefit to the attackers.

Ransomware operations typically impose tight deadlines, often measured in days. Kyber gives victims roughly a week to respond. By contrast, quantum computers capable of running Shor's algorithm at a scale sufficient to break RSA or elliptic curve cryptography are still years away at the least. Even then, AES-256 – and even AES-128 – would remain resistant to such attacks.

Rapid7's analysis also found inconsistencies across variants. A version targeting VMware ESXi systems claims to use ML-KEM, but in practice relies on 4096-bit RSA keys, a conventional approach that would remain computationally infeasible to break for the foreseeable future.
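A mismatch of this kind between the claimed and the actual scheme can be checked during static triage. The Python below is an added example, not Rapid7's tooling or code from its analysis: it scans a byte buffer for DER-encoded RSA public keys and compares the modulus size with the scheme a ransom note claims. It assumes the key is embedded in DER form, which the article does not state; the function names and the sample buffer are constructed for illustration.

```python
# Assumption (not from the article): the key sits in the binary as DER (RSAPublicKey or SPKI).
def _der_len(buf, i):
    """Decode a DER length field at buf[i] -> (length, index after it) or None."""
    if i >= len(buf):
        return None
    if buf[i] < 0x80:                                  # short form
        return buf[i], i + 1
    n = buf[i] & 0x7F                                  # long form: n length bytes follow
    if not 1 <= n <= 4 or i + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i] -> (value, index after it) or None."""
    hdr = _der_len(buf, i + 1) if i < len(buf) and buf[i] == 0x02 else None
    if hdr is None or hdr[0] == 0 or hdr[1] + hdr[0] > len(buf):
        return None
    return int.from_bytes(buf[hdr[1]:hdr[1] + hdr[0]], "big"), hdr[1] + hdr[0]

def find_rsa_public_keys(buf):
    """List (offset, modulus_bits, exponent) for each SEQUENCE{INTEGER n, INTEGER e}."""
    hits = []
    for off in range(len(buf)):
        seq = _der_len(buf, off + 1) if buf[off] == 0x30 else None
        n = _der_int(buf, seq[1]) if seq else None
        e = _der_int(buf, n[1]) if n else None
        if not e or e[1] != seq[1] + seq[0]:           # the two INTEGERs must fill the SEQUENCE
            continue
        if n[0] % 2 and n[0].bit_length() >= 1024 and e[0] % 2 and 3 <= e[0] < 2**32:
            hits.append((off, n[0].bit_length(), e[0]))  # odd modulus, small odd exponent
    return hits

def check_claim(claimed, buf):
    """Compare the scheme a ransom note claims with the RSA keys found in buf."""
    hits = find_rsa_public_keys(buf)
    if not hits:
        return f"no embedded RSA public key found; claim of {claimed} not contradicted"
    sizes = ", ".join(f"RSA-{bits} at offset {off:#x}" for off, bits, _ in hits)
    verdict = "consistent with claim" if claimed.upper().startswith("RSA") else f"claim of {claimed} contradicted"
    return f"{verdict}: {sizes}"

def constructed_sample():
    """Constructed input (not a real key or sample): filler plus one 4096-bit RSAPublicKey."""
    n = b"\x00" + b"\xc3" + b"\x5a" * 510 + b"\x5b"    # leading 0x00 keeps the INTEGER positive
    body = b"\x02\x82\x02\x01" + n + b"\x02\x03\x01\x00\x01"   # modulus, then e = 65537
    return b"\x7fELF" + bytes(28) + b"\x30\x82\x02\x0a" + body + b"\xff" * 16

if __name__ == "__main__":
    print(check_claim("ML-KEM-1024", constructed_sample()))
```

A key wrapped in a SubjectPublicKeyInfo is still reported, at the offset of the inner SEQUENCE. A key stored in another encoding or obfuscated at rest will not be found, so an empty result does not confirm the claim.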

Anna Širokova, a senior security researcher at Rapid7, said the inclusion of post-quantum elements is better understood as messaging than innovation. "First, it's marketing to the victim. 'Post-quantum encryption' sounds a lot scarier than 'we used AES,' especially to non-technical decision-makers who might be evaluating whether to pay," she told Ars Technica.

"It's a psychological trick. They're not worried about someone breaking the encryption a decade from now. They want payment within 72 hours."

Širokova added that implementation costs are also low. Libraries supporting ML-KEM are widely available and well-documented. Rather than directly encrypting files – which would be inefficient – the malware generates a random AES key for bulk data encryption, then secures that key with Kyber-1024 so only the attacker can decrypt it.

In practice, developers can quickly integrate this functionality, especially in languages such as Rust, by importing existing libraries and calling pre-built functions.

The emergence of Kyber highlights a subtle evolution in ransomware tactics. Rather than introducing meaningfully stronger encryption, operators are borrowing terminology from cutting-edge cryptographic research to influence decision-making under pressure. For organizations deciding whether to pay, the distinction between genuinely quantum-resistant systems and standard encryption rebranded as quantum-resistant may not be immediately clear. That ambiguity appears to be the point.