It’s all about marketing
ML-KEM is an asymmetric encryption method for exchanging keys. It involves problems based on lattices, a structure in mathematics that quantum computers have no advantage in solving over classic computing. ML-KEM is designed to replace Elliptic Curve and RSA cryptosystems, both of which are based on problems that quantum computers with sufficient strength can tackle.
Ars Video
How The Callisto Protocol's Team Designed Its Terrifying, Immersive Audio
On Tuesday, security firm Rapid7 said it reverse-engineered Kyber and found that the Windows variant used ML-KEM1024, the highest strength version of the PQC (post-quantum cryptography) standard. Kyber was using ML-KEM to conceal the key used to encrypt victims’ data with AES-256, a symmetric cryptographic standard that is also quantum-proof. (As reported previously, AES-128 would have sufficed in withstanding a quantum attack.) Brett Callow, managing director in the cybersecurity & data privacy communications practice at FTI Consulting, said it’s the first confirmed case of ransomware using PQC.
There is no practical benefit for Kyber developers to have chosen a PQC key-exchange algorithm. The Kyber ransom note gives victims one week to respond. Quantum computers capable of running Shor’s algorithm—the series of mathematical equations that allow the breakage of RSA and ECC (elliptic curve cryptography)—are, at a minimum, three years away and likely much further.
A Kyber variant that targets systems running VMware, meanwhile, claims to use ML-KEM as well. Rapid7 said its look under the hood revealed that, in fact, it uses RSA with 4096-bit keys, a strength that will take even longer for Shor’s algorithm to break. Anna Širokova, a Rapid7 senior security researcher and the author of Tuesday’s post, said the use or claimed use of ML-KEM is likely just a branding gimmick and that implementing it required relatively little work by Kyber developers.
In an email, Širokova wrote:
> First, it’s marketing to the victim. “Post-quantum encryption” sounds a lot scarier than “we used AES,” especially to non-technical decision-makers who might be evaluating whether to pay. It’s a psychological trick. They’re not worried about someone breaking the encryption a decade from now. They want payment within 72 hours. > > > Second, implementation cost is low. Kyber1024 libraries (renamed to ML-KEM) are available and well-documented. Ransomware doesn’t encrypt your files directly with Kyber1024. That would be slow. Instead, it: > > > 1. Generates a random AES key > 2. Encrypts your files with that AES key (fast) > 3. Encrypts _that AES key_ with Kyber1024 (so only the attacker can decrypt it) > > > In Rust, there are already libraries that do Kyber1024. The developer just adds it to their dependencies and calls a function to wrap the key.
Despite the hype, Kyber suggests that PQC is attracting the attention of less technically inclined attorneys and executives deciding how to respond to ransom demands. Kyber developers are hoping the impression that the encryption has overwhelming strength will sway people to pay. Senior Security Editor
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
