The Surprising Use of Post-Quantum Cryptography in Ransomware
In an intriguing development within the world of cybersecurity, some ransomware developers are adopting post-quantum cryptography (PQC) techniques, specifically through the use of the Kyber key-exchange algorithm. However, experts suggest that the practical benefits of this choice may be negligible given the current technological landscape.
Understanding the Timing of Quantum Computing Risks
The Kyber ransom notes indicate that victims have one week to respond to payment demands. Notably, quantum computers capable of executing Shor’s algorithm—the algorithm that threatens RSA and elliptic curve cryptography (ECC)—are estimated to be at least three years away from practical implementation, and likely much further. This raises questions about the necessity and effectiveness of employing a PQC key-exchange algorithm at this stage in the game.
Dissecting Claims Surrounding ML-KEM
Some ransomware variants that reportedly employ ML-KEM, a technique associated with Kyber, have come under scrutiny. Rapid7, a cybersecurity firm, revealed that these variants actually utilize RSA with 4096-bit keys, a method that would take substantially longer for Shor’s algorithm to compromise. Anna Širokova, a senior security researcher at Rapid7, commented that the claims of using ML-KEM might serve as a marketing gimmick rather than as a genuine security enhancement. She noted, “the implementation required relatively little work by Kyber developers.”
An Insight into Marketing Strategies
Spirova elaborated on the psychological tactics employed by these ransomware operators. In an email, she stated:
“First, it’s marketing to the victim. ‘Post-quantum encryption’ sounds a lot scarier than ‘we used AES,’ especially to non-technical decision-makers who might be evaluating whether to pay. It’s a psychological trick. They’re not worried about someone breaking the encryption a decade from now. They want payment within 72 hours.”
The Technical Details
Moreover, Širokova highlighted that implementing Kyber1024 libraries, which have been rebranded to ML-KEM, is a simple process. Ransomware operators don’t encrypt files directly using Kyber1024 due to speed limitations. Instead, they typically follow these steps:
- Generate a random AES key.
- Use that AES key to encrypt the files (quickly).
- Encrypt the AES key using Kyber1024, ensuring that only the attacker can decrypt it.
This process highlights how easily developers can adapt existing libraries, particularly in programming languages like Rust, where relevant Kyber1024 libraries are well-documented and readily available, making them accessible even to less experienced developers.
The Broader Implications of PQC in Ransomware
Despite the underlying hype, the adoption of post-quantum cryptography by ransomware developers seems to be more about perception than protective capacity. Kyber’s associations might attract attention from less technically skilled attorneys and executives facing ransom demands, potentially swaying their decision to pay based on an impression of superior security. However, experts caution that the actual implementation doesn’t necessarily provide the impenetrable defense it suggests.
Ultimately, as the technology evolves and quantum computing approaches a more accessible state, the cybersecurity community must remain vigilant and critical of how encryption is marketed and implemented in a rapidly changing landscape.
For further insights and details on this evolving topic in cybersecurity, click here.
Image Credit: arstechnica.com
