Two post-quantum stories collided in 2026: new ransomware families adopting post-quantum ciphers so their encryption can never be broken, and “harvest-now-decrypt-later” adversaries stockpiling today’s encrypted data to crack once quantum computers mature.
The two threats
- PQC ransomware. If a crew encrypts with a quantum-resistant scheme, future cryptanalysis cannot rescue victims — closing a theoretical escape hatch.
- Harvest-now-decrypt-later (HNDL). Long-lived secrets (health records, state data, IP) stolen and encrypted today can be decrypted later when RSA/ECC fall to quantum. Data with a 10-year sensitivity window is already at risk now.
The standards that matter
NIST finalised the first post-quantum standards: FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for signatures. These are the algorithms to migrate toward.
What to do this year
- Build a cryptographic inventory. You cannot migrate what you have not catalogued — find every use of RSA/ECC across TLS, VPNs, code-signing, and data-at-rest.
- Prioritise long-lived data for hybrid (classical + PQC) key exchange first; HNDL hits long-sensitivity data hardest.
- Adopt crypto-agility — design systems so algorithms can be swapped without re-architecting.
- Track vendor PQC roadmaps for your TLS terminators, HSMs, and VPNs.
RingSafe helps Indian organisations build a crypto inventory and a pragmatic PQC migration plan. Start the conversation.
Worried about your exposure?
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.
Book exposure review
Replies in 4 working hrs · India-only · Senior consultants