The Kyber ransomware is the first of its kind to use post-quantum encryption. However, experts have exposed the technology as a psychological marketing ploy.
In the world of cybersecurity, some developments look like a technological leap at first glance, but reveal a completely different motive upon closer analysis. The security firm Rapid7 has published a detailed analysis of a relatively new ransomware family called Kyber, as Ars Technica reported. This malware is currently causing a stir because it is the first of its kind to officially use post-quantum cryptography (PQC) to lock down its victims’ data. But while the term sounds like science fiction and unbeatable technology, the people behind it are pursuing a primarily psychological goal. The truth behind Kyber reveals just how cleverly criminals are exploiting the current discourse around future threats for their own extortion schemes.
Ransomware implements highest security level
The Kyber ransomware, which has been observed in the wild since around September 2025, uses the cryptographic standard ML-KEM for its operations. This algorithm, originally known under the name Kyber, was selected by the US National Institute of Standards and Technology (NIST) as one of the first standards for the post-quantum era. It is based on mathematical problems in lattice structures, which according to current knowledge cannot be solved efficiently by either today’s supercomputers or future quantum computers. This makes ML-KEM fundamentally different from currently common methods such as RSA or elliptic curve cryptography (ECC), which could theoretically be broken by powerful quantum machines in a short time.
The technical investigation by Rapid7 found that the Windows variant of the ransomware actually implements the highest security level of the standard, ML-KEM-1024. The malware proceeds in two steps. First, the victim’s files are encrypted using the symmetric AES-256 method. This standard is already considered quantum-safe. In the second step, the key used for AES is encapsulated with ML-KEM, so that only the attackers can recover it. Technically speaking, however, the use of PQC offers no practical advantage to the attackers at this point in time.
Hackers rely on fear
In order to break today’s encryption methods such as RSA or ECC, quantum computers would have to execute what is known as Shor’s algorithm. Experts agree that such machines are still years, if not decades, away from practical usability. Serious estimates assume that effective quantum attacks could play a theoretical role in three to five years at the earliest. Since the Kyber extortionists usually only give their victims a deadline of 72 hours to one week to pay the ransom, the security of the encryption against a technology of the distant future is completely irrelevant for the current incident.
So why the effort? Anna Sirokova, lead security researcher at Rapid7, describes the use of ML-KEM as a pure branding gimmick. For non-technical decision makers, lawyers or board members, post-quantum encryption sounds far more frightening than conventional terms. It suggests a finality and technological superiority intended to push victims into giving in to demands more quickly. The attackers are betting that the fear of unbreakable encryption will increase the willingness to pay, before IT experts can analyze the situation soberly.
Approach has nothing to do with quantum security
Another point that supports the marketing theory is the low barrier to implementation. Modern programming languages such as Rust already offer ready-made and well-documented libraries for ML-KEM. A ransomware developer simply has to include these as a dependency in their code. The effort for integrating this cutting-edge mathematics is therefore minimal, while the effect on the victim’s perception is maximal. Kyber uses the reputation of science to upgrade its criminal craft.
Particularly revealing is Rapid7’s discovery in a special Kyber variant for VMware systems. Although the attackers also claimed to use post-quantum algorithms here, a look under the hood revealed a different picture. In fact, conventional RSA with 4096-bit keys was used for the key exchange. While this is a very secure method by today’s standards, it has nothing to do with quantum security. This clearly proves that the people behind it are primarily concerned with the label they stick on their product, not with actual mathematical protection against future computers.
Offline backup remains the most effective remedy against ransomware
For affected companies, this above all means one thing: stay calm. The use of post-quantum cryptography by extortionists changes nothing about the basic defense strategy. The data is encrypted, whether with RSA-4096 or ML-KEM-1024. In both cases, decryption without the matching key is impossible according to the current state of technology. The priority must therefore continue to be on prevention through multi-factor authentication, network segmentation and above all a robust backup strategy. An offline backup remains the most effective remedy against ransomware, regardless of which fashionable buzzwords the attackers throw around.
In conclusion, Kyber is an example of the professionalization of the ransomware market. Criminals are watching technological trends very closely and adapting terms from research to refine their psychological pressure tactics. Post-quantum cryptography is a necessary development for the long-term security of our digital infrastructure. In the hands of extortionists, however, it is currently above all an instrument of intimidation. The case is a reminder to stay vigilant toward buzzwords and underlines the importance of a sober, fact-based risk assessment in IT security.