
Feuding Ransomware Groups Leak Each Other's Data

Dark Reading, archived Apr 29, 2026

When 0APT and KryBit attacked each other, they exposed infrastructure and operational data, giving defenders rare insight into ransomware operations.



Alexander Culafi, Senior News Writer, Dark Reading
April 28, 2026

When ransomware actors start attacking each other, who wins? Maybe defenders do.

The Halcyon Ransomware Research Center published a blog post recently, primarily covering two newer ransomware-as-a-service (RaaS) actors: 0APT and KryBit. While neither has made a name for themselves to date, the two outfits found themselves embroiled in a feud that appears to have left both in shambles.

0APT emerged in late January with a list of nearly 200 victims posted to its data leak blog over the course of a week. This list was widely regarded as fabricated because of a lack of evidence pointing toward victim compromises, though Halcyon assessed 0APT did use functioning encryptors. The actor failed to pick up traction, or affiliates, and went quiet for months, researchers said.

Then in mid-April, 0APT reemerged, deleting its previous list of fake victims while claiming ransomware attacks against ransomware operators including KryBit, Everest (active since 2020), and RansomHouse (active since 2021). The latter two, Halcyon said, are much more established.

KryBit emerged in late March, offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage (NAS) devices, using an 80/20 affiliate model (where the RaaS affiliate keeps 80% of ransom payments and KryBit keeps 20%). The group published 10 legitimate victims in its first two weeks.

Contrary to the phony aspect of the initial victim list, 0APT's comeback strategy is slightly more rooted in reality.
0APT published a joint listing for Everest and RansomHouse, posting an SQL database belonging to the former with encoded and hashed database records spanning the first nine months of 2025. There was no plaintext in critical fields, and while RansomHouse was mentioned in the listing, no RansomHouse data was included in the leak.

Ransomware Actions Have Ransomware Consequences

Erika Totaro, intelligence analyst with the Halcyon Ransomware Research Center, tells Dark Reading that 0APT's unique tactic may have been a play for attention. "When your credibility in a criminal marketplace depends on proven victims and ransom payments, and you have neither, you have to find another way to make noise," she says. "Exposing a rival's admin panels, affiliate data, and victim negotiations is how you buy credibility when you have no actual victims to show for yourself. These gangs are motivated entirely by financial gain, and they will expose, extort, or undercut each other without hesitation."

Everest has not publicly retaliated or made any public acknowledgement to date.

That is not the case with KryBit, which had both its infrastructure and personnel exposed. This revealed that KryBit had two administrators, five affiliates, 20 potential victims, and ransom demands between $40,000 and $100,000.

In response to its data leaking, KryBit breached and exfiltrated 0APT's infrastructure, listed the latter as a victim, and left a message on 0APT's leak site: "Next time, don't play with the big boys."

"KryBit leaked the full 0APT operational data set the following day, which included full access logs, PHP source code, and system files. The access logs revealed that the 190+ victims initially posted by 0APT in January 2026 were entirely fabricated and no data was ever exfiltrated from any of the listed victims," the researchers said. "0APT has been unable to recover, and KryBit maintains defacement of the 0APT leak site."

Ransomware Gang Wars

As Halcyon put it, both operators will likely have to rebuild, rebrand, and create new infrastructure in order to recover from this.

Ransomware operator feuds are not unheard of, though they rarely take shape in the way seen here. Feuds often form among ransomware operators and affiliates, either due to disagreements or possible scamming.

Totaro says gang feuds are a net positive for defenders. For one, they offer defenders a window into operations, giving security professionals the chance to prepare for future attacks.

"When operators reconstitute or affiliates migrate to a new service, their tactics, techniques, and procedures travel with them. The tooling changes; the behavior largely does not," she explains. "That overlap is exactly what defenders can alert on. So while the drama between these groups may look chaotic, the intelligence value of what gets exposed in these moments is real and actionable."

The blog post contains indicators of compromise. For defenders, Halcyon recommends monitoring for signs of data staging and exfiltration, validating backup integrity, and deploying anti-ransomware defenses. The post also highlighted that while 0APT's victim list has been fraudulent, KryBit and Everest should be treated as legitimate threats.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.