SECURITY
Ransomware Now Uses Post-Quantum Encryption Before Anyone Needs To
Here is the wildest part of this story: a ransomware gang adopted cutting-edge post-quantum cryptography not because they needed it, but because it sounds terrifying to a CFO at 2am.
Meet Kyber — the ransomware, not the algorithm, though the name overlap is very much intentional. Active since at least last September, Kyber made waves in security circles by claiming to use ML-KEM, the post-quantum key-encapsulation standard recently formalized by the National Institute of Standards and Technology. This week, researchers at Rapid7 reverse-engineered the Windows variant and confirmed it actually does use ML-KEM-1024, the strongest parameter set of the standard. Brett Callow at Emsisoft says it is the first confirmed case of ransomware deploying post-quantum cryptography in the wild.
Now, before you update your threat model, here is the reality check. Quantum computers capable of cracking conventional encryption are, conservatively, three to five years away — and that estimate is generous. The ransom demand gives victims seven days to respond. There is exactly zero practical reason to guard against a quantum attack on a timeline measured in hours.
So why bother? This is where it gets psychologically interesting. "Post-quantum encryption" lands very differently in a boardroom than "AES-256." Non-technical executives hearing the word quantum attach it to something they vaguely know is a big deal, which creates urgency and a sense of helplessness. The encryption is unbreakable, even by the computers of the future — so just pay us. It is fear-based marketing, and it costs the attackers almost nothing to deploy.
The implementation overhead is genuinely low. ML-KEM libraries are well-documented and publicly available, and ransomware does not actually encrypt your files with the post-quantum algorithm at all. The heavier bulk work is done by conventional symmetric encryption. ML-KEM only wraps the symmetric key (a key encapsulation), a relatively lightweight operation that any competent developer can bolt on in a short sprint.
The story gets slightly embarrassing for the attackers, though. A separate Kyber variant targeting VMware environments claims to use ML-KEM as well, but Rapid7 found that one is actually running RSA with 4,096-bit keys under the hood. So that variant is literally lying about its own encryption to seem scarier. The branding ambition outpaced the engineering.
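As an added illustration (not code from Rapid7 or from either Kyber variant), here is the KEM-DEM layout the two paragraphs above describe, written against Go's standard crypto/mlkem package (assumes Go 1.24 or newer): ML-KEM-1024 only wraps a 32-byte AES key, and AES-256-GCM does the bulk work. The fixed 1568-byte KEM ciphertext is also the artefact an analyst compares against what a sample emits; RSA-4096 wrapping, as found in the VMware variant, produces 512 bytes instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
	"crypto/rand"
)

// Sealed is the KEM-DEM hybrid layout: a fixed-size KEM ciphertext wrapping a 32-byte secret, then the AEAD body.
type Sealed struct {
	KEMCiphertext []byte // ML-KEM-1024 encapsulation: always 1568 bytes (RSA-4096 would be 512)
	Nonce         []byte
	Body          []byte // AES-256-GCM ciphertext plus 16-byte tag
}

// aeadFor turns the 32-byte KEM shared secret directly into an AES-256-GCM key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal needs only the public encapsulation key; the expensive part is the symmetric AEAD.
func seal(ek *mlkem.EncapsulationKey1024, plaintext []byte) (Sealed, error) {
	shared, kemCT := ek.Encapsulate() // shared is exactly mlkem.SharedKeySize (32) bytes
	aead, err := aeadFor(shared)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	// The KEM ciphertext is bound as associated data so it cannot be swapped out.
	return Sealed{kemCT, nonce, aead.Seal(nil, nonce, plaintext, kemCT)}, nil
}

// open reverses seal with the private decapsulation key; any tampering fails the GCM tag check.
func open(dk *mlkem.DecapsulationKey1024, s Sealed) ([]byte, error) {
	shared, err := dk.Decapsulate(s.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Body, s.KEMCiphertext)
}
```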
Anna Širokova, the Rapid7 researcher who led the analysis, frames the whole thing accurately: this is a marketing gimmick with a low implementation cost and a high psychological return. The actual encryption in both variants is already strong enough that no victim is cracking it regardless of whether quantum computing factors into the equation.
The broader implication here matters more than Kyber itself. As post-quantum terminology filters into mainstream awareness — and it will, given how much NIST and tech media have covered the transition — ransomware groups will increasingly weaponize that language. Expect more ransom notes featuring words like lattice-based and quantum-resistant. Security teams should probably start preparing communications for executives now, before the next wave of attacks uses cryptography jargon to manufacture panic.
Source: Ars Technica
SECURITY
Pre-Stuxnet Sabotage Malware Targeting Iran Finally Decoded After Two Decades
Imagine malware so patient and so subtle that it does not destroy anything directly — it just quietly makes your physics calculations wrong until your equipment wears itself apart. That is what researchers have finally decoded after two decades of mystery.
Researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade at SentinelOne have cracked the purpose of a piece of code called Fast16, a malware specimen that has sat largely unexplained since it surfaced in an NSA leak back in 2017. The code itself dates to approximately 2005. That makes it older than Stuxnet, the legendary US-Israeli operation that physically destroyed Iranian nuclear centrifuges by manipulating their control systems. Fast16 appears to be a precursor — possibly even a proof of concept for the philosophy that would later define Stuxnet.
The researchers will present their full findings at Black Hat Asia in Singapore, but the details already published are remarkable. Fast16 was designed to spread across networks and then silently alter mathematical computations inside high-precision simulation software. Not delete files, not lock systems — just nudge the numbers. Slightly wrong fluid dynamics here. Marginally off structural stress calculations there. The software keeps running, the researchers keep working, and somewhere downstream a centrifuge spins too fast or a component fails under loads it was modeled to handle.
Kamluk described it as a nightmare, and that framing is not hyperbole. The genius and the horror of this approach is that it attacks trust in data rather than the data itself. Scientists and engineers assume their simulation tools are reliable. If Fast16 is working as intended, they have no obvious reason to question that assumption until something breaks in the physical world.
The targets Kamluk and Guerrero-Saade identified make the Iran connection hard to ignore. Among the simulation platforms Fast16 appears built to manipulate is LS-DYNA, a physics engine originally developed by scientists from Lawrence Livermore National Laboratory — the same institution deeply embedded in US nuclear weapons research. LS-DYNA has been used by Iranian scientists in research with potential nuclear applications. The other candidate targets include hydrodynamic modeling software and Chinese construction engineering tools, which widens the possible geographic and institutional scope, though the Iran theory is where the evidence points most directly.
The attribution picture is murky by design, as it always is with state-sponsored tools, but the researchers assess Fast16 was almost certainly built by the US or a close ally. The sophistication, the target profile, and the era all fit the broader pattern of Western cyberoperations against Iranian nuclear ambitions that eventually produced Stuxnet.
What this discovery really does is extend our understanding of how long nation-states have been thinking about sabotage-by-software. This was not improvised. The idea of corrupting physical systems by manipulating the digital models that govern them was being refined years before Stuxnet made the concept famous. Fast16 is the draft that nobody knew existed.
Source: WIRED