Ransomware Gangs Adopted Post-Quantum Encryption. Have You?

A ransomware family called Kyber has started encrypting its operations using ML-KEM — a post-quantum cryptography standard (an encryption algorithm specifically designed to resist attacks from future quantum computers, which could shatter today's most common encryption methods) — confirmed by security researchers in April 2026. The criminals moved first. Most enterprise security teams are still drafting their migration roadmaps.

This is not theoretical. Any traffic encrypted with ML-KEM today will remain unreadable even if a powerful quantum computer arrives in 2035. The attackers have future-proofed their operations. Most organizations have not.

Why Ransomware Operators Beat Enterprise Security Teams to Post-Quantum Encryption

Post-quantum cryptography (PQC) — encryption algorithms designed to survive attacks from quantum computers that would otherwise break today's RSA and elliptic curve systems — has been in standardization at NIST (the U.S. National Institute of Standards and Technology, the federal body that sets cryptographic standards for government and industry) since 2016. NIST finalized three PQC algorithms in 2024, including ML-KEM, formerly known as CRYSTALS-Kyber.

Ransomware operators have a direct financial incentive to adopt ML-KEM immediately: every day law enforcement cannot decrypt their communication traffic is another day their operation survives. Enterprises face structural headwinds that ransomware gangs simply do not:

• Ransomware gangs: One developer, one pull request, deployed in days
• Enterprise security teams: 18–24 months average to evaluate, test, and roll out new cryptographic standards
• U.S. agencies (FBI, CISA, NSA, EPA, DOE, Cyber Command): Issuing active joint warnings in 2026, but no hard private-sector adoption deadlines

The gap is organizational, not technical. ML-KEM is a publicly available open standard — any developer can implement it this week. Criminal groups simply have no bureaucratic inertia to overcome. The math of incentives explains everything: for ransomware operators, ML-KEM adoption is a competitive advantage. For Fortune 500 security teams, it is a multi-year procurement exercise.

The AES-128 Post-Quantum Myth That Is Wasting Your Security Team's Time

Cryptography engineer Filippo Valsorda addressed a widespread misconception in April 2026: "Contrary to popular mythology that refuses to die, AES 128 is perfectly fine in a post-quantum world."

Here is the confusion: Grover's algorithm (a quantum computing technique that squares the speed of brute-force key searches — dramatically but not catastrophically) theoretically reduces AES-128's effective security from 2¹²⁸ to 2⁶⁴ key combinations. That sounds alarming until you do the actual math.

Using all of today's Bitcoin mining hardware — the most powerful coordinated computing resource in human history — to attack AES-128 via Grover's algorithm would require approximately 9 billion years. For reference, the observable universe is 13.8 billion years old. AES-128 is not going anywhere.

The actual quantum vulnerabilities are in RSA and elliptic curve cryptography — the algorithms used for key exchange and digital signatures, not bulk data encryption. Those are what ML-KEM replaces. Security teams that have been told to "upgrade everything for quantum" should prioritize correctly:

1. Key exchange infrastructure (replace RSA/ECDH with ML-KEM) — urgent
2. Digital certificate infrastructure — high priority
3. Bulk data encryption (AES-128, AES-256) — not under quantum threat; deprioritize

The practical implication: security teams spending cycles on AES-128 "upgrades" are solving the wrong problem while ransomware groups already run ML-KEM in production. Review the post-quantum cryptography readiness checklist to confirm your team is focused on the right priorities.

Russia Hacked 40,000 Routers. Iran Hit U.S. Power Infrastructure. Same Week.

The ransomware story did not happen in isolation. Russian military intelligence (APT28, also known as Fancy Bear — the GRU-linked hacking group responsible for the 2016 U.S. election interference operations) compromised between 18,000 and 40,000 consumer routers across 120 countries for credential theft and long-term espionage access.

The attack specifically targets devices that most people never update: residential routers running firmware from 2018 or earlier. APT28 chains these into proxy networks (intermediate connection points that disguise the true geographic origin of traffic), routing intelligence operations through innocent home networks to evade detection by Western signals agencies.

Simultaneously, an Iran-linked APT (Advanced Persistent Threat — the term for state-sponsored hacking groups that maintain long-term, covert access to target networks over months or years) disrupted multiple U.S. critical infrastructure sites via PLC attacks (programmable logic controller attacks — targeting the industrial computers that physically control water pumps, electrical switching systems, and chemical processing plants).

The Grinex cryptocurrency exchange lost $15 million USD in a separate cyberattack in the same period, with the exchange stating the incident demonstrated "an unprecedented level of resources and technology available exclusively to the structures of unfriendly states." The attack methodology remains unconfirmed by third-party blockchain analytics firms.

Microsoft's Emergency Patch and the AI Tool Adoption-Security Gap

Microsoft issued an out-of-cycle emergency patch for CVE-2026-40372 — a critical vulnerability in ASP.NET Core (Microsoft's web application framework running behind millions of enterprise websites, SaaS applications, and APIs) that allows unauthenticated attackers to gain SYSTEM-level privileges (the highest possible access level on a Windows server — equivalent to unrestricted administrative control with no credential requirement).

"Unauthenticated SYSTEM escalation" is the worst-case classification in server vulnerability taxonomies. The attacker needs no password, no existing account, no prior foothold. They send a crafted network request and gain complete control of the target machine. The emergency classification means Microsoft bypassed its regular monthly Patch Tuesday cycle — the vulnerability was considered too severe to wait.

On the AI tooling front, a pattern is hardening into a trend. OpenClaw — an agentic AI tool (software that autonomously performs multi-step tasks including web browsing, file creation, and code execution on your behalf, without requiring human confirmation at each step) — reached 347,000 GitHub stars, making it one of the most widely adopted AI agent frameworks globally. Confirmed serious security vulnerabilities were published in the same week as that star milestone.

The data points tell a consistent story across AI tooling in 2026: adoption outpaces security hardening by months to years. Developers star, fork, and deploy before security teams can audit. A tool with 347,000 stars and confirmed vulnerabilities represents a supply chain risk (a security exposure that propagates through third-party software embedded in your own systems) affecting potentially millions of downstream installations. Nutanix's claimed migration of 30,000 VMware customers following Broadcom's unpopular post-acquisition pricing changes suggests enterprises are already making large-scale platform decisions under financial pressure — security review rigor often shrinks under migration timelines.

What You Can Do Before the Next Ransomware Disclosure Lists ML-KEM as a Feature

The 2026 threat landscape has moved faster than most security frameworks anticipated. Three concrete steps based on the confirmed developments above:

• Patch your router today. APT28's 40,000-device botnet runs entirely on unpatched consumer firmware. Most home and small-office routers have an auto-update option buried in Advanced Settings — enable it now. If the device is more than 5 years old, the firmware may no longer receive security updates at all; consider replacement.
• Ask your cloud provider for a written PQC migration timeline. Major cloud providers vary significantly in post-quantum readiness in 2026. Request a specific date for ML-KEM TLS (the layer of encryption protecting every HTTPS connection your applications make). If your provider cannot supply a date, that is a documented risk item for your security register.
• Require a security review before deploying any agentic AI tool. OpenClaw's 347,000-star adoption happened before its security audit. Any tool that autonomously executes code, reads files, and accesses external services is a high-privilege attack surface. A 30-minute third-party vulnerability scan before production deployment is not optional for this category of software.

The next ransomware disclosure will likely list ML-KEM support as a feature — not as an anomaly to investigate. The criminals completed their quantum-safe upgrade while enterprise migration committees were still scheduling their first kickoff meeting. Start your own PQC readiness review at aiforautomation.io/learn — the checklist takes 15 minutes and will tell you exactly what to prioritize.

Related Content — Get Started | Guides | More News