Feuding Ransomware Groups Leak Each Other's Data
Recorded: May 11, 2026, 1:16 p.m.
| Original | Summarized |
When 0APT and KryBit attacked each other, they exposed infrastructure and operational data, giving defenders rare insight into ransomware operations.

Alexander Culafi, Senior News Writer, Dark Reading
April 28, 2026

When ransomware actors start attacking each other, who wins? Maybe defenders do. The Halcyon Ransomware Research Center published a blog post recently, primarily covering two newer ransomware-as-a-service (RaaS) actors: 0APT and KryBit. While neither has made a name for themselves to date, the two outfits found themselves embroiled in a feud that appears to have left both in shambles.

0APT emerged in late January with a list of nearly 200 victims posted to its data leak blog over the course of a week. This list was widely regarded as fabricated because of a lack of evidence pointing toward victim compromises, though Halcyon assessed 0APT did use functioning encryptors. The actor failed to pick up traction, or affiliates, and went quiet for months, researchers said.

Then in mid-April, 0APT reemerged, deleting its previous list of fake victims while claiming ransomware attacks against ransomware operators including KryBit, Everest (active since 2020), and RansomHouse (active since 2021). The latter two, Halcyon said, are much more established.

KryBit emerged in late March, offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage (NAS) devices, using an 80/20 affiliate model (where the RaaS affiliate keeps 80% of ransom payments and KryBit keeps 20%). The group published 10 legitimate victims in its first two weeks.

Contrary to the phony aspect of the initial victim list, 0APT's comeback strategy is slightly more rooted in reality. 0APT published a joint listing for Everest and RansomHouse, posting an SQL database belonging to the former with encoded and hashed database records spanning the first nine months of 2025. There was no plaintext in critical fields, and while RansomHouse was mentioned in the listing, no RansomHouse data was included in the leak.

Ransomware Actions Have Ransomware Consequences

Erika Totaro, intelligence analyst with the Halcyon Ransomware Research Center, tells Dark Reading that 0APT's unique tactic may have been a play for attention.

"When your credibility in a criminal marketplace depends on proven victims and ransom payments, and you have neither, you have to find another way to make noise," she says. "Exposing a rival's admin panels, affiliate data, and victim negotiations is how you buy credibility when you have no actual victims to show for yourself. These gangs are motivated entirely by financial gain, and they will expose, extort, or undercut each other without hesitation."

Everest has not publicly retaliated or made any public acknowledgement to date.

That is not the case with KryBit, which had both its infrastructure and personnel exposed. This revealed that KryBit had two administrators, five affiliates, 20 potential victims, and ransom demands between $40,000 and $100,000. In response to its data leaking, KryBit breached and exfiltrated 0APT's infrastructure, listed the latter as a victim, and left a message on 0APT's leak site: "Next time, don't play with the big boys."

"KryBit leaked the full 0APT operational data set the following day, which included full access logs, PHP source code, and system files. The access logs revealed that the 190+ victims initially posted by 0APT in January 2026 were entirely fabricated and no data was ever exfiltrated from any of the listed victims," the researchers said. "0APT has been unable to recover, and KryBit maintains defacement of the 0APT leak site."

Ransomware Gang Wars

As Halcyon put it, both operators will likely have to rebuild, rebrand, and create new infrastructure in order to recover from this. Ransomware operator feuds are not unheard of, though they rarely take shape in the way seen here. Feuds often form among ransomware operators and affiliates, either due to disagreements or possible scamming.

Totaro says gang feuds are a net positive for defenders. For one, they offer defenders a window into operations, giving security professionals the chance to prepare for future attacks.

"When operators reconstitute or affiliates migrate to a new service, their tactics, techniques, and procedures travel with them. The tooling changes; the behavior largely does not," she explains. "That overlap is exactly what defenders can alert on. So while the drama between these groups may look chaotic, the intelligence value of what gets exposed in these moments is real and actionable."

The blog post contains indicators of compromise. For defenders, Halcyon recommends monitoring for signs of data staging and exfiltration, validating backup integrity, and deploying anti-ransomware defenses. The post also highlighted that while 0APT's victim list has been fraudulent, KryBit and Everest should be treated as legitimate threats.

About the Author

Alexander Culafi
Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. |
The escalating conflict between ransomware groups 0APT and KryBit highlights a concerning trend within the cybercriminal landscape: increasingly aggressive and disruptive attacks fueled by notoriety and operational disruption. As detailed by Dark Reading’s Alexander Culafi, this feud, stemming from 0APT’s initial fabricated victim list and subsequent retaliatory actions by KryBit, showcases a desperate scramble for credibility and influence within the ransomware-as-a-service (RaaS) market. The core narrative revolves around 0APT’s initial attempt to establish a presence through a misleading victim database, followed by KryBit’s more substantive attacks exposing 0APT’s operational vulnerabilities and infrastructure. KryBit's strategy of leaking not only 0APT's data but also administrator access logs and source code further solidified its foothold. This exchange of information, compounded by KryBit’s breach and defacement of 0APT’s leak site, effectively dismantled 0APT’s operation. Erika Totaro of the Halcyon Ransomware Research Center emphasizes that these gang feuds, though chaotic, offer invaluable intelligence for defenders. The overlap in tactics, techniques, and procedures—particularly regarding toolsets—that emerges during these confrontations is a critical indicator that security professionals can monitor. Ultimately, this conflict demonstrates the lengths to which ransomware operators will go to gain recognition and success, reflecting a competitive environment where disruption and exposure are deemed as valuable as encryption. The situation also underscores the importance of proactive threat intelligence and vigilance, particularly regarding newly emerged RaaS groups, as the actions of 0APT and KryBit will likely influence the broader operational strategies of the ransomware community. |