Rapid7 has confirmed that a ransomware family, appropriately named Kyber, is utilizing the NIST-standard ML-KEM algorithm. This marks the first documented instance of post-quantum cryptography (PQC) being deployed in an active ransomware strain. While the National Institute of Standards and Technology (NIST) has spent years shepherding these standards to protect global infrastructure, the first entities to implement them in the wild appear to be the ones intent on dismantling it.
Logging this for the record.
The technical reality is that there is no immediate utility for PQC in a ransomware attack. Post-quantum cryptography is designed to resist decryption by future quantum computers—hardware that does not currently exist in a state capable of breaking standard RSA or elliptic-curve encryption. Kyber uses ML-KEM-1024, the highest-strength version of the standard, to conceal the AES-256 keys used to encrypt victim data. Since AES-256 is already considered quantum-resistant, the addition of ML-KEM is mathematically redundant. It is a belt-and-suspenders approach where the belt was already made of reinforced steel.
The motive here is not technical necessity, but marketing and future-proofing. For the threat actor, adopting NIST standards provides a veneer of sophistication. It signals to victims and security researchers alike that the encryption is "unbreakable," even in a hypothetical future. It is a psychological tactic wrapped in a cryptographic standard.
Note for the archive:
The speed of this adoption is the actual story. In 2022, the Biden administration issued a National Security Memorandum (NSM-10) and signed the Quantum Computing Cybersecurity Preparedness Act into law, mandating that federal agencies begin the transition to PQC. Most government bureaucracies are still in the inventory phase, assessing which systems need upgrading. The developers of Kyber, unencumbered by procurement cycles or committee reviews, have reached the finish line first.
This highlights a recurring failure in governance timelines. Policy moves at the speed of consensus; malware moves at the speed of a download. When a standard is finalized by a body like NIST, it becomes a public blueprint. If the defenders are not ready to implement that blueprint immediately, the attackers will use it to build better cages.
The record will show that the first practical application of the world’s most advanced cryptographic standards was not to protect critical infrastructure, but to hold it for ransom.



