May 14, 2026

Post-Quantum Encryption Incident Response Guide

AUTHOR

James A. Wondrasek

Every ransomware incident response playbook is built on two assumptions: you can restore from backup, or you can pay the ransom and get a working decryptor back. In 2026, two ransomware families have broken both of those assumptions — and they’ve done it in different ways that need different responses.

The Kyber Windows variant uses genuine ML-KEM/Kyber1024 post-quantum encryption. The harvest-now/decrypt-later path — holding on to encrypted data and hoping a future quantum computer cracks the key — is permanently off the table. VECT has a completely different problem: a nonce-handling bug means the decryption keys for files over 128 KB were discarded by the attacker’s own code. VECT operators cannot produce a working decryptor even if they want to.

These two failures need two different responses. This guide is a decision framework: figure out which scenario you’re in first, then follow the correct track. Taking the wrong track wastes time and money. We cover decryption feasibility assessment, scenario-specific response steps, backup architecture, detection indicators, and law enforcement engagement — all in the context of ransomware’s quantum-AI mutation reshaping the threat landscape.

Why Do Current IR Playbooks Fail Against Post-Quantum Ransomware and Wipers?

Current IR playbooks assume decryption is possible if you can get the key — through negotiation, a law enforcement seizure, or the No More Ransom Project. That assumption fails in both 2026 scenarios, but for different reasons.

The PQC closure. ML-KEM/Kyber1024 (NIST FIPS 203) is the same post-quantum key encapsulation standard governments are using for classified communications. When Kyber ransomware wraps its AES-256-CTR file encryption key with Kyber1024, the resulting ciphertext cannot be decrypted without the attacker’s private key — by any classical or quantum computer available on current timelines.

💡 ML-KEM (Module Lattice-Based Key Encapsulation Mechanism) is the NIST-standardised post-quantum algorithm also known as Kyber. It protects encrypted keys using lattice problems for which quantum computers have no proven advantage over classical ones.

The wiper closure. VECT’s nonce flaw is a coding error, plain and simple. For files above 128 KB, VECT encrypts four chunks using four freshly generated nonces — but saves only the final nonce to disk. The first three are silently discarded. Check Point Research confirmed in April 2026 that this flaw exists across every known VECT release. At 128 KB, we’re talking about routine documents and mailboxes — not just VM disks.

What established frameworks don’t cover. The CISA #StopRansomware Guide and the CCCS Ransomware Playbook (ITSM.00.099) give you solid IR structure: containment, evidence preservation, law enforcement notification, backup restoration. But neither was written for scenarios where decryption is structurally impossible. The No More Ransom Project is irrelevant when no key can help you.

What Are the Two Scenarios, and How Do They Differ?

Scenario 1 — Genuine Post-Quantum Encryption (Kyber Windows variant). AES-256-CTR encrypts your files; the AES key is wrapped with ML-KEM1024 and X25519. Rapid7 confirmed the cryptographic implementation in April 2026. A limited negotiation path exists in parallel with backup restoration.

Scenario 2 — Wiper-Disguised-as-Ransomware (VECT). Files at or below 128 KB are fully decryptable. Files above 128 KB had the first three of four encryption nonces permanently discarded — the data in those chunks is mathematically irrecoverable, regardless of key or operator intent. The negotiation track closes immediately.

Watch out for false PQC claims. Kyber’s ESXi variant markets itself as post-quantum in the ransom note but actually uses ChaCha8 and RSA-4096. Rapid7 confirmed the cryptographic claims are inconsistent across variants. The encrypted file extension .xhsyw (versus .#~~~ for Windows) is the key IOC. Treat the ESXi variant as classical RSA ransomware for decryption feasibility purposes.

Both scenarios share detection indicators and both immediately target Volume Shadow Copies. The response to anti-recovery behaviour is the same in either case; the response to the encryption itself diverges sharply.

Both scenarios are analysed in depth in the companion articles: Kyber: the genuine PQC ransomware case study and VECT: the wiper IR scenario.

How Do You Determine Which Scenario You Are In?

Decryption feasibility assessment is the first IR decision gate — and it runs in parallel with containment, not after it. Complete it as a formal checklist and document the output. You’ll need it for legal and insurance purposes.

Step 1 — Identify the ransomware family. Check extensions and ransom note filenames: Kyber Windows (.#~~~, READ_ME_NOW.txt); Kyber ESXi (.xhsyw); VECT (.vect, !!!READ_ME!!!.txt). Cross-reference against Rapid7’s Kyber analysis and Check Point Research’s VECT analysis (both published April 2026). Unknown family: treat it as genuine PQC until proven otherwise — this preserves negotiation options while backup restoration proceeds.

Step 2 — Assess encryption scope. VECT’s 128 KB threshold is the deciding factor. Run a file-size distribution analysis. If the majority of encrypted files exceed 128 KB — which they will in any real-world dataset — you’re likely in Scenario 2.

Step 3 — Check for nonce-flaw indicators. If files above 128 KB fail to decrypt or decrypt to garbage, escalate to a forensic examiner for nonce-flaw confirmation. This is the technical threshold for closing the negotiation track.

Step 4 — Verify backup availability and integrity. Is your immutable or air-gapped backup copy intact and verified? If yes, backup restoration is the primary recovery path regardless of scenario — and that changes the negotiation calculus immediately.

Step 5 — Assess attacker credibility. Does the group have a documented history of providing working decryptors? In Scenario 2, no working decryptor for large files can exist. HivePro confirmed it plainly: “Organisations that pay the VECT ransom demand cannot recover their data even after receiving the decryption key.”

Output: A written document stating (a) scenario type, (b) file recoverability estimate by file-size tier, (c) recommended response track, and (d) who authorised the determination.

Who decides? The decryption feasibility assessment must be authorised by the CISO, or a designated incident commander nominated in writing before an incident occurs. This decision commits your organisation to a response track with legal and financial consequences. It cannot be resolved ad hoc during an active incident.
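The five steps above, as an added worked example (not the article's own tooling, and not from Rapid7, Check Point Research or any vendor): it takes a file inventory from a mounted read-only image, votes on the family using the extensions and ransom-note names listed in Step 1, splits the encrypted files at the 128 KB threshold from Step 2, and produces the fields of the written output. The inventory format, the byte-weighted irrecoverability estimate, the track strings and the sample inventory are constructed assumptions of this script.

```python
"""Decryption feasibility triage for the Kyber / VECT decision gate.

Added example; not from the article or any vendor tool. Extensions and
ransom-note names are the IOCs the article lists; everything else here
is an assumption of this script.
"""
import os
from collections import Counter

KB = 1024
VECT_THRESHOLD = 128 * KB  # VECT keeps only the last of four nonces above this size

# Family fingerprints from Step 1: encrypted-file extension, ransom note, scenario.
FAMILIES = {
    "Kyber Windows": {"ext": ".#~~~", "note": "READ_ME_NOW.txt", "scenario": "1"},
    "Kyber ESXi":    {"ext": ".xhsyw", "note": None, "scenario": "classical"},
    "VECT":          {"ext": ".vect", "note": "!!!READ_ME!!!.txt", "scenario": "2"},
}


def scan_directory(root):
    """Build an inventory of (path, size_bytes) from a mounted, read-only image."""
    inventory = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                inventory.append((path, os.path.getsize(path)))
            except OSError:
                pass  # unreadable entries are skipped rather than aborting triage
    return inventory


def identify_family(inventory):
    """Step 1: vote on the family by encrypted-file extension and ransom-note name."""
    votes = Counter()
    for path, _ in inventory:
        name = os.path.basename(path)
        for family, fp in FAMILIES.items():
            if name.endswith(fp["ext"]) or name == fp["note"]:
                votes[family] += 1
    if not votes:
        return "unknown", "1"  # unknown family: treat as genuine PQC until proven otherwise
    family = votes.most_common(1)[0][0]
    return family, FAMILIES[family]["scenario"]


def encrypted_files(inventory):
    exts = tuple(fp["ext"] for fp in FAMILIES.values())
    return [(p, s) for p, s in inventory if p.endswith(exts)]


def size_tiers(files):
    """Step 2: split encrypted files at the VECT threshold, counting files and bytes."""
    tiers = {"at_or_below_128KB": [], "above_128KB": []}
    for _, size in files:
        tiers["above_128KB" if size > VECT_THRESHOLD else "at_or_below_128KB"].append(size)
    return {k: {"files": len(v), "bytes": sum(v)} for k, v in tiers.items()}


def assess(inventory, backup_verified):
    """Steps 1-5 in one pass; returns fields (a)-(c) of the written output."""
    family, scenario = identify_family(inventory)
    tiers = size_tiers(encrypted_files(inventory))
    total = sum(t["bytes"] for t in tiers.values()) or 1
    lost_fraction = 0.0  # no structural loss unless the nonce flaw applies
    if scenario == "2":
        # Step 3: the large tier is gone regardless of key or operator intent
        lost_fraction = tiers["above_128KB"]["bytes"] / total
        tiers["at_or_below_128KB"]["recoverable"] = "with key or from backup"
        tiers["above_128KB"]["recoverable"] = "no (nonces discarded)"
        track = "close negotiation; forensic preservation + backup restoration"
    else:
        for t in tiers.values():
            t["recoverable"] = "from backup, or attacker key only"
        track = ("backup restoration primary; negotiation assessment and law enforcement in parallel"
                 if scenario == "1" else "treat as classical RSA ransomware")
    if backup_verified:  # Step 4: a verified immutable tier leads every track
        track = "restore from verified immutable/air-gapped tier; " + track
    return {"family": family, "scenario": scenario, "tiers": tiers,
            "irrecoverable_fraction": lost_fraction, "track": track}


SAMPLE_INVENTORY = [  # constructed sample; sizes in bytes
    ("/data/finance/report.docx.vect", 40 * KB),
    ("/data/finance/notes.txt.vect", 128 * KB),   # exactly at the threshold: small tier
    ("/data/mail/jdoe.pst.vect", 2 * 1024 * KB),
    ("/data/vms/app01.vmdk.vect", 20 * 1024 * KB),
    ("/data/!!!READ_ME!!!.txt", 1 * KB),
    ("/data/public/readme.txt", 2 * KB),          # untouched file
]

if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY, backup_verified=False))
```

Run it against `scan_directory("/mnt/evidence")` on a write-blocked mount rather than the live host; the returned dictionary is what the CISO or incident commander signs off as item (d).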

How Do You Respond to Genuine Post-Quantum Encryption (Scenario 1: Kyber)?

Applies to: Kyber Windows variant (genuine ML-KEM/Kyber1024). Not to Kyber ESXi — treat that as classical RSA.

First hour: Isolate affected systems. Preserve volatile memory (RAM) where a forensic team is available. Document the discovery timestamp. Notify the incident commander.

Run three tracks simultaneously — not one after the other.

Track 1 — Backup restoration. Validate immutable or air-gapped backup integrity before restoring. Don’t restore to a compromised environment without eradication first. Verify backup dates against the last-known-clean state.

Track 2 — Negotiation assessment. If backups are incomplete and the attacker has a documented history of providing working decryptors, negotiation may be warranted. Engage a specialist ransomware negotiation firm — do not communicate directly with the attacker. Document every decision. Share all attacker communications with law enforcement.

Track 3 — Law enforcement. Notify FBI/IC3 and CISA within 24 hours regardless of your negotiation posture.

The harvest-now/decrypt-later closure. There is no future technology that changes this. Some victims of classical ransomware hold encrypted drives for years hoping for breakthroughs. That option does not exist with genuine ML-KEM/Kyber1024. Communicate this clearly to leadership before anyone starts discussing extended negotiation timelines.

Anti-recovery confirmation. Kyber Windows runs an anti-recovery sequence with elevated privileges: VSS deletion, bcdedit changes, wbadmin deletion, wevtutil log clearing. If these appear in your EDR or SIEM logs, shadow copies and the Windows Recovery Environment are already gone. The immutable backup tier is your only local recovery option.

How Do You Respond When Ransomware Is Effectively a Wiper (Scenario 2: VECT)?

Applies to: VECT nonce flaw confirmed across Windows, Linux, or ESXi variants.

Close the negotiation track. The moment your decryption feasibility assessment confirms the nonce flaw, negotiation ends. Ransom payment, legal review of payment options, attacker communications — all of it is waste. The operator cannot provide what was destroyed at the moment of encryption.

Who authorises the closure? The CISO or designated incident commander authorises closure based on the written feasibility assessment. Legal counsel must be involved before any external communication.

What replaces the negotiation track:

Forensic preservation — for law enforcement, insurance, and potential civil recovery. Do not wipe affected systems before forensic imaging.

Backup restoration — from the immutable or air-gapped tier; remediate VECT persistence before any restore.

Stakeholder communications — internal briefings first, then regulatory notification and client communications only after coordinating with legal counsel.

VECT-specific: Safe Mode boot persistence. VECT configures Windows to boot into Safe Mode and registers itself to run on that boot, bypassing AV and EDR. Revert the boot configuration and remove the Safe Mode executable registration before any restoration.

Communicating technical impossibility. Be ready to explain this in plain language: “The encryption keys for large files were discarded by the attacker’s own code. No payment will recover those files.” Your leadership, board, and clients will need to understand this is a technical impossibility — not a negotiating failure.

Double-extortion remains active. VECT operates a Tor-hosted data leak site. Exfiltration scope assessment and regulatory notification obligations continue independently of the recovery decision.

What Backup Architecture Survives Both Scenarios?

The 3-2-1-1-0 backup rule gives each copy a specific job to do against ransomware that actively hunts backup systems. Here’s what each element actually does.

3 — Three copies. Primary plus two backups. If one backup is compromised, another exists.

2 — Two media types. Local disk plus cloud, or local disk plus tape. Prevents single-vendor failure. Kyber Windows terminates backup services by name before encryption runs — a single-vendor solution is a single point of failure.

1 — One offsite copy. Geographically separate from production. Protects against site-level disasters and limits how far lateral movement can reach.

1 — One immutable or air-gapped copy. This is the tier that ransomware with compromised admin credentials cannot defeat. An immutable backup uses write-once-read-many (WORM) storage — it can’t be modified, encrypted, or deleted even by an administrator account. An air-gapped copy is physically or logically disconnected from all networks.

💡 WORM (Write-Once-Read-Many) storage allows data to be written once and read many times, but never modified or deleted — making it resistant to ransomware operating with compromised admin credentials.

Both Kyber and VECT specifically target shadow copies (VSS) and connected backup systems using elevated credentials. Only the immutable or air-gapped copy resists this. Shadow copies are not immutable backups — both families target them as one of their first anti-recovery actions.

0 — Zero errors on restore testing. Run a full restore of a representative sample to an isolated test environment at minimum quarterly. Record the test date, files restored, and integrity verification result. That record becomes evidence in insurance claims.

Options within reach of small and medium businesses: AWS S3 Object Lock, Azure Blob immutability, and Backblaze B2 Object Lock provide WORM storage at accessible cost. For a physical air gap: offline tape or external drives rotated off-site weekly. For VMware ESXi and Hyper-V environments, test restoration at the VM level — Kyber specifically targets the ESXi volume store.
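A posture check for the 3-2-1-1-0 rule, added here as an example (not from the article or any backup vendor). Each record describes one backup copy; the check reports which of the five elements hold and which copies would still exist after an attacker with admin credentials runs the anti-recovery sequence. Shadow copies are deliberately excluded from the count. The 90-day restore-test interval (quarterly), the requirement that every copy has its own recent clean test, and the sample inventory are assumptions of this script.

```python
"""3-2-1-1-0 posture check over a backup inventory.

Added example, not the article's or any vendor's code. Field names,
the quarterly test interval and the sample records are assumptions.
"""
from datetime import date

RESTORE_TEST_MAX_AGE_DAYS = 90  # "at minimum quarterly"


def check_3_2_1_1_0(copies, today):
    """copies: dicts with name, media, offsite, immutable, air_gapped,
    last_restore_test (date or None) and restore_errors (int)."""
    # VSS snapshots are the first thing both families delete: not a backup copy
    backups = [c for c in copies if c["media"] != "vss"]
    media = {c["media"] for c in backups}
    survivors = [c["name"] for c in backups if c["immutable"] or c["air_gapped"]]

    def tested_clean(c):
        t = c["last_restore_test"]
        return (t is not None
                and (today - t).days <= RESTORE_TEST_MAX_AGE_DAYS
                and c["restore_errors"] == 0)

    return {
        "3_copies": len(backups) + 1 >= 3,  # primary plus two backups
        "2_media_types": len(media) >= 2,
        "1_offsite": any(c["offsite"] for c in backups),
        "1_immutable_or_air_gapped": len(survivors) >= 1,
        "0_restore_errors": bool(backups) and all(tested_clean(c) for c in backups),
        "survives_admin_compromise": survivors,
    }


def gaps(result):
    """Rule elements that fail, for the remediation list."""
    return [k for k, v in result.items() if v is False]


SAMPLE_COPIES = [  # constructed inventory
    {"name": "local-disk-repo", "media": "disk", "offsite": False, "immutable": False,
     "air_gapped": False, "last_restore_test": date(2026, 4, 2), "restore_errors": 0},
    {"name": "vss-snapshots", "media": "vss", "offsite": False, "immutable": False,
     "air_gapped": False, "last_restore_test": None, "restore_errors": 0},
    {"name": "s3-object-lock-bucket", "media": "cloud", "offsite": True, "immutable": True,
     "air_gapped": False, "last_restore_test": date(2026, 1, 10), "restore_errors": 0},
]
TODAY = date(2026, 5, 14)

if __name__ == "__main__":
    result = check_3_2_1_1_0(SAMPLE_COPIES, TODAY)
    print(result)
    print("gaps:", gaps(result))
```

In the sample the object-lock bucket satisfies the immutable element but its last restore test is 124 days old, so the "0" element fails: the copy exists but cannot yet be cited as verified in an insurance claim.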

What Detection Indicators Signal Anti-Recovery Operations?

Catching these commands before encryption completes may allow containment. After the fact, they confirm scope and guide forensic work. Monitor via EDR, Sysmon Event ID 1, or Windows Security Event 4688.

Shared indicators (both Kyber and VECT): Alert on vssadmin.exe with shadow copy deletion arguments. Alert on wevtutil.exe clearing System, Security, and Application event logs. Alert on net stop commands targeting backup and AV service name patterns.

Kyber-specific indicators: Alert on bcdedit.exe disabling the Windows Recovery Environment, wbadmin.exe deleting the Windows backup catalogue, and wmic.exe issuing shadow copy delete commands. Privilege escalation by suspicious processes is an early warning — the anti-recovery sequence requires elevated credentials.

VECT-specific indicators: Alert on bcdedit.exe configuring Safe Mode boot, and PowerShell commands disabling Windows Defender. Monitor for unexpected Safe Mode boot configuration changes in the Windows registry. VECT creates a persistence mechanism where Kyber disables recovery — they use bcdedit for different purposes.

False positive management. These are all legitimate system tools. Alert when they execute outside approved maintenance windows, from unexpected parent processes, or in rapid sequence.

Post-incident forensic use. If wevtutil log clearing didn’t complete before containment, event logs provide a forensic timeline for law enforcement. Preserve exports with chain-of-custody documentation before any remediation.
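The indicators and false-positive filters in this section (and the SIEM rule question in the FAQ below) as one added detection example, not from the article or any EDR product. It encodes the shared, Kyber-specific and VECT-specific indicators as rules over Sysmon Event ID 1 / Security 4688 style fields (UtcTime, Computer, Image, CommandLine, ParentImage), then applies the three conditions the article gives: outside an approved maintenance window, unexpected parent process, or rapid sequence. The command-line patterns are the documented syntax of those Windows tools; the service-name pattern, the trusted-parent-directory heuristic, the 60-second burst window and the event sample are constructed assumptions.

```python
"""Anti-recovery command detection over process-creation events.

Added example, not the article's or any vendor's rule set. Event
fields follow Sysmon EID 1 naming; the sample events are constructed.
"""
import re
from datetime import datetime, timedelta

# (rule name, family tag, image basename, regex over the lower-cased command line)
RULES = [
    ("vss_delete",         "shared", "vssadmin.exe",   r"delete\s+shadows"),
    ("eventlog_clear",     "shared", "wevtutil.exe",   r"\bcl\b\s+(system|security|application)"),
    ("service_stop",       "shared", "net.exe",        r"\bstop\b.*(backup|veeam|sql|defend)"),  # illustrative pattern
    ("winre_disable",      "Kyber",  "bcdedit.exe",    r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("backup_catalog_del", "Kyber",  "wbadmin.exe",    r"delete\s+catalog"),
    ("wmic_shadow_del",    "Kyber",  "wmic.exe",       r"shadowcopy\s+delete"),
    ("safeboot_set",       "VECT",   "bcdedit.exe",    r"\bsafeboot\b"),
    ("defender_disable",   "VECT",   "powershell.exe", r"set-mppreference.*-disable"),
]
BURST_WINDOW = timedelta(seconds=60)   # assumption: "rapid sequence" = 3+ hits per host per minute
BURST_COUNT = 3
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")  # assumption: admin tooling lives here


def match_rules(event):
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"].lower()
    return [(name, fam) for name, fam, img, pat in RULES if image == img and re.search(pat, cmd)]


def in_maintenance(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def unexpected_parent(event):
    return not event["ParentImage"].lower().startswith(TRUSTED_PARENT_DIRS)


def detect(events, maintenance_windows):
    """Return one alert per suspicious event, in time order; suppressed matches are dropped."""
    matched = [(datetime.fromisoformat(ev["UtcTime"]), ev, match_rules(ev)) for ev in events]
    matched = sorted((m for m in matched if m[2]), key=lambda m: m[0])
    alerts = []
    for ts, ev, hits in matched:
        burst = sum(1 for t2, e2, _ in matched
                    if e2["Computer"] == ev["Computer"] and abs(t2 - ts) <= BURST_WINDOW)
        reasons = []
        if not in_maintenance(ts, maintenance_windows):
            reasons.append("outside maintenance window")
        if unexpected_parent(ev):
            reasons.append("unexpected parent " + ev["ParentImage"])
        if burst >= BURST_COUNT:
            reasons.append(f"{burst} anti-recovery commands within {BURST_WINDOW.seconds}s")
        if reasons:  # a legitimate tool run by an admin in-window from a trusted parent is not alerted
            alerts.append({"host": ev["Computer"], "time": ev["UtcTime"],
                           "rules": [n for n, _ in hits],
                           "families": sorted({f for _, f in hits}), "reasons": reasons})
    return alerts


TMP = r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [  # constructed; Kyber-style sequence on WS01, admin cleanup on SRV02, VECT-style on WS07
    {"UtcTime": "2026-05-14T02:13:01", "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": TMP},
    {"UtcTime": "2026-05-14T02:13:03", "Computer": "WS01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "ParentImage": TMP},
    {"UtcTime": "2026-05-14T02:13:06", "Computer": "WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No", "ParentImage": TMP},
    {"UtcTime": "2026-05-14T02:13:09", "Computer": "WS01", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin.exe delete catalog -quiet", "ParentImage": TMP},
    {"UtcTime": "2026-05-12T22:15:00", "Computer": "SRV02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /for=D: /oldest", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2026-05-14T03:40:12", "Computer": "WS07", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} safeboot minimal", "ParentImage": r"C:\Users\Public\svc.exe"},
    {"UtcTime": "2026-05-14T03:41:00", "Computer": "WS07", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
]
MAINTENANCE_WINDOWS = [(datetime(2026, 5, 12, 22, 0), datetime(2026, 5, 12, 23, 0))]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, MAINTENANCE_WINDOWS):
        print(alert)
```

The SRV02 shadow-copy deletion is suppressed because it is inside the approved window, from a trusted parent, and stands alone; the WS07 Safe Mode change fires on parent process alone, which is the separate Safe Mode alert the FAQ asks for.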

When and How Do You Engage Law Enforcement, and When Should You Stop Negotiating?

Law enforcement is a parallel track — not something you do post-incident. Notify FBI/IC3 and CISA within 24 hours of confirmed ransomware activity. Canadian organisations notify the CCCS and the Canadian Anti-Fraud Centre. Notification doesn’t require a payment decision and it doesn’t delay your other IR tracks.

Evidence preservation before remediation: Volatile evidence first — RAM contents, Windows Security logs, and firewall log buffers are lost on power-down. Take full system images of all affected devices. Collect all attacker communications verbatim. Document chain of custody for everything.

Scenario 1 (PQC ransomware) — negotiation may proceed in parallel. Share all attacker communications with law enforcement; they may identify the group and inform your strategy. Confirm sanction status with legal counsel before any payment — the CCCS notes it may be unlawful under sanctions, terrorism financing, or money laundering legislation.

Scenario 2 (VECT wiper) — stop negotiating. Document the decision with the technical evidence, share it with legal counsel and your cyber insurance carrier, and communicate it to any negotiation firm without delay.

CCCS data puts things bluntly: only 46% of organisations that pay ransoms successfully recover their data, and 80% experience a subsequent attack. In Scenario 2, the payment success rate for large files is zero.

Regulatory notification runs independently. Irrecoverable data destruction triggers mandatory notification under GDPR, HIPAA, and applicable breach notification laws — regardless of your recovery outcome. Coordinate between incident commander, legal counsel, and communications team before making any external statement.

For the prevention layer that reduces how often you reach this point, see the companion article on identity-first prevention reducing IR frequency: MFA on VPN and Zero Trust Network Access address the credential-based initial access that both Kyber and VECT relied on. For the broader context of why these threats are appearing now, see the complete quantum-AI ransomware mutation overview.

Frequently Asked Questions

What is post-quantum ransomware and does it mean my files can never be recovered?

Not necessarily. If your immutable or air-gapped backup is intact, recovery proceeds normally. What’s permanently closed is the harvest-now/decrypt-later path — there’s no future quantum computer breakthrough that helps victims of ML-KEM/Kyber1024 encryption. Your recovery depends on your backup architecture, not on decryption strength.

What is the difference between a ransomware attack and a wiper attack, and why does it matter for IR?

A ransomware attack promises decryption on payment. A wiper irreversibly destroys data. VECT functions as a wiper for files above 128 KB — a nonce-handling bug discarded the decryption keys at the moment of encryption. In IR terms, this closes the negotiation track immediately and shifts all resources to forensic preservation and backup restoration.

Can I use the No More Ransom Project to recover files from Kyber or VECT?

No. The No More Ransom Project works when law enforcement seizes attacker keys. For Kyber’s Windows variant, no classical or quantum computer can reconstruct the private key without attacker cooperation. For VECT large-file victims, no decryptor can exist — the nonces were permanently discarded. No More Ransom only helps with classical ransomware families.

What happens if we pay VECT ransomware and still can’t recover our files?

The ransom is gone and the files stay irrecoverable. The attacker’s own code destroyed the nonces at the moment of encryption — they genuinely cannot provide what they don’t have. This is exactly why decryption feasibility assessment has to happen before any payment decision.

How do I know if my IR playbook covers post-quantum ransomware scenarios?

Check for two gaps: (1) does it include a decryption feasibility assessment that differentiates genuine PQC, false PQC claims, and wiper scenarios? (2) does it specify who is authorised to declare negotiation futile, and on what evidence? If either is absent, it needs updating.

What is the 3-2-1-1-0 backup rule and how is it different from 3-2-1?

The 3-2-1 rule — three copies, two media types, one offsite — predates ransomware as a dominant threat. Under 3-2-1, backups can be encrypted or deleted just like production data. The additional “1” adds an immutable or air-gapped copy that a compromised admin account cannot touch. The “0” adds verified restore testing — a backup that’s never been tested is not a reliable asset.

What detection rules should I add to my SIEM to catch anti-recovery commands?

Alert on process creation events (Sysmon Event ID 1 or Windows Security Event 4688) for vssadmin.exe with shadow deletion arguments, bcdedit.exe changing recovery or safe boot settings, wevtutil.exe clearing logs, and wbadmin.exe with delete arguments. Tune to fire outside approved maintenance windows, from unexpected parent processes, or in rapid sequence. Safe Mode configuration changes need a separate alert.

When should I contact the FBI or CISA during a ransomware incident?

Within the first 24 hours — before any payment decision, regardless of negotiation intent. Early notification gives law enforcement the best opportunity to act. Delayed notification limits their options and can affect your cyber insurance coverage.

How should I communicate to clients or regulators that data cannot be recovered?

Shift your communications from “we are working to restore access” to “certain data has been irreversibly destroyed.” Coordinate between incident commander, legal counsel, and communications team before making any external statement. Regulatory notification obligations apply regardless of recovery outcome — irrecoverable destruction of personal data triggers mandatory notification under GDPR, HIPAA, and applicable breach notification laws.
