Feuding Ransomware Groups Leak Each Other's Data - Dark Reading

THREAT INTELLIGENCE CYBERSECURITY OPERATIONS CYBERATTACKS & DATA BREACHES DATA PRIVACY NEWS Feuding Ransomware Groups Leak Each Other's Data When 0APT and KryBit attacked each other, they exposed infrastructure and operational data, giving defenders rare insight into ransomware operations. Alexander Culafi,Senior News Writer,Dark Reading April 28, 2026 4 Min Read SOURCE: SERGIO AZENHA VIA ALAMY STOCK PHOTO When ransomware actors start attacking each other, who wins? Maybe defenders do.  The Halcyon Ransomware Research Center published a blog post recently, primarily covering two newer ransomware-as-a-service (RaaS) actors: 0APT and KryBit. While neither has made a name for themselves to date, the two outfits found themselves embroiled in a feud that appears to have left both in shambles. 0APT emerged in late January with a list of nearly 200 victims posted to its data leak blog over the course of a week. This list was widely regarded as fabricated because of a lack of evidence pointing toward victim compromises, though Halcyon assessed 0APT did use functioning encryptors. The actor failed to pick up traction, or affiliates, and went quiet for months, researchers said. Then in mid-April, 0APT reemerged, deleting its previous list of fake victims while claiming ransomware attacks against ransomware operators including KryBit, Everest (active since 2020), and RansomHouse (active since 2021). The latter two, Halcyon said, are much more established.  Related:Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses KryBit emerged in late March, offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage (NAS) devices, using an 80/20 affiliate model (where the RaaS affiliate keeps 80% of ransom payments and KryBit keeps 20%). The group published 10 legitimate victims in its first two weeks.  Contrary to the phony aspect of the initial victim list, 0APT's comeback strategy is slightly more rooted in reality. 0APT published a joint listing for Everest and RansomHouse, posting an SQL database belonging to the former with encoded and hashed database records spanning the first nine months of 2025. There was no plaintext in critical fields, and while RansomHouse was mentioned in the listing, no RansomHouse data was included in the leak.  Ransomware Actions Have Ransomware Consequences Erika Totaro, intelligence analyst with the Halcyon Ransomware Research Center, tells Dark Reading that 0APT's unique tactic may have been a play for attention. "When your credibility in a criminal marketplace depends on proven victims and ransom payments, and you have neither, you have to find another way to make noise," she says. "Exposing a rival's admin panels, affiliate data, and victim negotiations is how you buy credibility when you have no actual victims to show for yourself. These gangs are motivated entirely by financial gain, and they will expose, extort, or undercut each other without hesitation." Everest has not publicly retaliated or made any public acknowledgement to date.  Related:Local Police Collusion Hampers Crackdown on Asian Scam Centers That is not the case with KryBit, which had both its infrastructure and personnel exposed. This revealed that KryBit had two administrators, five affiliates, 20 potential victims, and ransom demands between $40,000 and $100,000.  In response to its data leaking, KryBit breached and exfiltrated 0APT's infrastructure, listed the latter as a victim, and left a message on 0APT's leak site: "Next time, don't play with the big boys." "KryBit leaked the full 0APT operational data set the following day, which included full access logs, PHP source code, and system files. The access logs revealed that the 190+ victims initially posted by 0APT in January 2026 were entirely fabricated and no data was ever exfiltrated from any of the listed victims," the researchers said. "0APT has been unable to recover, and KryBit maintains defacement of the 0APT leak site." Ransomware Gang Wars As Halcyon put it, both operators will likely have to rebuild, rebrand, and create new infrastructure in order to recover from this.  Ransomware operator feuds are not unheard of, though they rarely take shape in the way seen here. Feuds often form among ransomware operators and affiliates, either due to disagreements or possible scamming. Related:SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection Totaro says gang feuds are a net positive for defenders. For one, they offer defenders a window into operations, giving security professionals the chance to prepare for future attacks. "When operators reconstitute or affiliates migrate to a new service, their tactics, techniques, and procedures travel with them. The tooling changes; the behavior largely does not," she explains. "That overlap is exactly what defenders can alert on. So while the drama between these groups may look chaotic, the intelligence value of what gets exposed in these moments is real and actionable." The blog post contains indicators of compromise. For defenders, Halcyon recommends monitoring for signs of data staging and exfiltration, validating backup integrity, and deploying anti-ransomware defenses. The post also highlighted that while 0APT's victim list has been fraudulent, KryBit and Everest should be treated as legitimate threats. About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.  At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.  Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports The total economic impact™ of Snyk How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 Access More Research Webinars Building a Risk Based Vulnerability Management Program Threat Hunting That Gets Big Results Despite Small Budgets Say Yes to AI: Securing Innovation Without Compromise Zero Trust Identity: Beyond Traditional Authentication Advanced Persistent Threats: A Practical Guide to Detection and Response More Webinars Editor's Choice CYBERSECURITY OPERATIONS Do CISOs Need a Code of Ethics? byDark Reading Editorial Team JUN 24, 2026 CYBERSECURITY OPERATIONS 2026 FIFA World Cup Faces Surge in Cyber Threats byAlexander Culafi JUN 24, 2026 3 MIN READ CYBERSECURITY OPERATIONS EU Gets a Head Start in Developing 6G Network Security byNate Nelson JUN 18, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS