Kyber ransomware silently adopted quantum-safe encryption

Since at least September 2025, a ransomware family called Kyber has been silently deploying ML-KEM (Module Lattice-based Key Encapsulation Mechanism — a post-quantum encryption algorithm that NIST standardized to replace classical public-key cryptography before quantum computers become powerful enough to break it). The security community caught on seven months later. By then, victims who paid ransom had no path to file recovery, and researchers who previously helped victims by exploiting weak encryption flaws hit an unbreakable mathematical wall.

This isn't a future threat. Kyber ransomware is actively deployed against real organizations today — and its encryption is mathematically sound by the same standards governments use for classified data.

Seven Months Undetected — How Kyber Went Quantum-Safe

Traditional ransomware relies on standard asymmetric encryption (a mathematical system where one key locks files and a separate key unlocks them) that security researchers have occasionally cracked through implementation errors or weak random number generators. That's how the No More Ransom project — a coalition of Europol and cybersecurity companies — helped victims recover billions of dollars' worth of encrypted files since 2016.

Kyber ransomware eliminates that recovery path by using ML-KEM (formerly known as CRYSTALS-Kyber), now an official NIST-standardized post-quantum algorithm. The operators achieved four simultaneous advantages:

• Classical attack-proof: No brute-force shortcut or mathematical weakness exists in ML-KEM on any current hardware
• Future quantum-proof: Even CRQCs (cryptographically-relevant quantum computers — machines powerful enough to break today's RSA encryption, expected by the 2030s) cannot break ML-KEM by mathematical proof
• Standards-compliant camouflage: Using a NIST-approved algorithm makes Kyber's encrypted traffic indistinguishable from legitimate enterprise security tools during forensic analysis
• No known implementation flaws: Unlike older ransomware families caught using weak random number generators, ML-KEM has survived years of rigorous public cryptanalysis with zero successful attacks recorded

The September 2025 start date reveals an uncomfortable reality: ransomware operators adopted post-quantum cryptography before most Fortune 500 companies finished their post-quantum readiness assessments. The attackers moved faster than the defenders — by at least 18 months.

The AES-128 Panic That Is Solving the Wrong Problem

Online alarm has been spreading about AES-128 (the symmetric encryption algorithm built into VPNs, secure storage, and countless enterprise systems for 30 years) being "broken" in a post-quantum world. Cryptography engineer Filippo Valsorda — a contributor to IETF cryptography standards and the Go language's standard library — directly debunked this claim in analysis covered by Ars Technica.

The panic argument rests on Grover's algorithm (a quantum computing technique that theoretically speeds up brute-force key searches, cutting AES-128's effective bit-security from 128 bits to 64 bits). Here is why that still does not constitute a practical threat:

• A 64-bit brute-force attack requires approximately 9 billion years using all of Bitcoin's combined mining power — as of 2026
• AES-128 has a 30-year history with zero successful attacks against the cipher itself — not a single known vulnerability in three decades of global cryptanalysis
• The genuine post-quantum threat targets asymmetric encryption (RSA, ECC, Diffie-Hellman key exchange) — not symmetric ciphers like AES at all
• Organizations wanting additional margin should upgrade to AES-256, not abandon AES-128 in an emergency response

Practically speaking: AES-128 is fine. The Kyber ransomware threat operates at the key-exchange layer, not the symmetric encryption layer. Security teams conflating the two threats are misallocating migration budgets and delaying the actual defenses that matter.

34 Universities Hijacked — One Scammer Group, Thousands of Google-Indexed Trap Pages

A separate but equally significant attack method is spreading through higher education. A group called Hazy Hawk systematically exploited abandoned CNAME records (Domain Name System entries that point a subdomain toward a third-party service — set up when the service was active, then left in place after decommissioning). The technique is straightforward: identify .edu subdomains pointing to expired or unregistered third-party services, register the target domain, and inherit the university's .edu domain authority.

Confirmed compromised institutions include:

• UC Berkeley — subdomain causal.stat.berkeley.edu hijacked and serving malicious content
• Columbia University — subdomain conversion-dev.svc.cul.columbia.edu exploited
• Washington University in St. Louis — official subdomain compromised
• At least 31 additional universities with confirmed CNAME record exploitation

Hazy Hawk used the institutional authority of .edu domains — which Google's search algorithm treats as high-trust sources — to serve pornography and malware through pages appearing in normal search results. Students and researchers encountered malicious content served directly from official university infrastructure. Thousands of trap pages were indexed by Google before detection.

Root cause: IT departments leaving DNS records uncleaned for years after cloud services were retired. No sophisticated exploit required — just a systematic scan for stale CNAME records and a domain registration fee. The technical barrier to this attack class is essentially zero.

State Actors, Compromised Routers, and a $15 Million Crypto Heist

The quantum ransomware development and university subdomain campaign are part of a broader threat intensification across Q1–Q2 2026. Three additional incidents demand attention from teams managing critical infrastructure:

Iranian APT Attacking US Infrastructure — Six Agencies Issued Joint Warning Since March 2026

A joint advisory from FBI, CISA, NSA, EPA, DOE, and CYBERCOM — six agencies issuing simultaneous warnings, an unusually broad coalition — confirmed that an Iranian government-affiliated APT group (Advanced Persistent Threat — state-sponsored hackers operating with intelligence agency resources and direction) has been attacking PLCs (programmable logic controllers — the industrial computers that manage physical systems such as water treatment plants, power grid substations, and oil pipelines) across US government, wastewater treatment, and energy sectors since at least March 2026. Victim sites reported both operational disruptions and direct financial losses — signaling attacks targeting physical system function, not just data exfiltration.

Russian Military Mass-Scanning Consumer Routers for Credentials

Russian military hacking units are conducting widespread credential-harvesting campaigns (systematically collecting usernames and passwords across large numbers of devices simultaneously) by compromising consumer-grade routers. The same home and small-business routers remote workers use to access corporate systems are ideal pivot points: they rarely receive timely security patches and are frequently left at factory-default settings. Once compromised, the router becomes a silent gateway into every enterprise network its users connect to — with no footprint on the corporate perimeter.

Grinex Cryptocurrency Exchange — $15 Million Drained, Operations Halted

Cryptocurrency exchange Grinex halted all operations after losing between $13 million (Grinex's own estimate) and $15 million (TRM Labs blockchain forensics analysis) across approximately 70 drained cryptocurrency addresses. The exchange attributed the breach to "structures of unfriendly states" citing "unprecedented levels of resources." Blockchain analytics firms TRM Labs and Elliptic independently confirmed the theft scope; sovereign attribution remains unverified by third parties.

The ASP.NET Core Emergency Patch — Patching Alone Falls Short

Microsoft issued an emergency patch for CVE-2026-40372, a critical flaw in ASP.NET Core (Microsoft's open-source web development framework used for building APIs and server applications) affecting versions 10.0.0 through 10.0.6. The vulnerability allows unauthenticated attackers — with zero existing credentials — to gain SYSTEM-level privileges (the highest permission tier on a machine, equivalent to unrestricted administrator access) on Linux and macOS servers through a cryptographic signature verification flaw.

The complication elevating this beyond a standard patch-and-done scenario: forged authentication credentials created before patching persist even after the patch is applied. Organizations on affected versions need a four-step response, not one:

• Apply the CVE-2026-40372 patch immediately across all .NET 10.0.0–10.0.6 deployments
• Pull authentication logs and audit all credentials issued before the patch deployment date
• Rotate all service account credentials, API tokens, and certificates on affected systems
• Scan for unauthorized SYSTEM-level processes that may have been established pre-patch

Patching closes the vulnerability — but does not invalidate tokens attackers may have already minted. Organizations that patch without the credential audit remain exposed to any attacker who exploited the window before the fix was applied.

Three Checks Security Teams Can Complete This Week

The convergence of active post-quantum ransomware, state-sponsored attacks across six US critical infrastructure sectors, and a live emergency patch creates one of the denser threat windows of 2026. Three starting points that require no budget approval:

1. Post-quantum backup audit: If your backup encryption relies on RSA or ECC (classical asymmetric key exchange), it is theoretically exposed as Kyber-style ransomware spreads its techniques. Most enterprise backup vendors published post-quantum migration roadmaps in Q4 2025 — verify where yours stands before the next major incident.
2. DNS CNAME sweep: Run a full audit of all CNAME records pointing to external services. Any record targeting a decommissioned, expired, or unregistered domain should be deleted immediately. This fully neutralizes the Hazy Hawk attack class and takes under an hour with standard DNS tooling.
3. ASP.NET Core patch plus credential rotation: Any .NET 10 deployment needs CVE-2026-40372 patched and all credentials rotated — regardless of whether active compromise indicators are present. Absence of evidence is not evidence of absence during a pre-patch intrusion window.

The post-quantum transition that security planners scheduled for 2027–2030 just received an unwanted early proof-of-concept from Kyber ransomware operators. Start with the DNS CNAME sweep — it is the fastest win, requires no budget, and closes a vulnerability class that demands zero technical sophistication to exploit. The AI for Automation security guides include scripts that automate the CNAME sweep in minutes using free command-line tools already on every administrator's machine.

# Quick CNAME audit — check each subdomain in your DNS zone
# Replace the example with your actual subdomain
dig CNAME your-subdomain.yourdomain.edu

# If the CNAME target returns NXDOMAIN (domain not found),
# that record is exploitable — delete it from your DNS provider immediately.
# For Windows: nslookup -type=CNAME your-subdomain.yourdomain.edu

Related Content — Get Started | Guides | More News