// News Desk · 29 April 2026 · ransomware · commentary

0APT vs KryBit: when ransomware gangs leak each other, defenders read the receipts

Two ransomware-as-a-service gangs leaked each other's infrastructure. KryBit's dump of 0APT exposed access logs proving its January 190-victim list was entirely fabricated, plus a rare baseline of RaaS economics.

When two ransomware-as-a-service gangs spent the middle of April leaking each other’s infrastructure, the outcome was a small intelligence dividend for everyone else. The Halcyon Ransomware Research Center has now published the post-mortem, picked up by Dark Reading on 28 April. Two newer outfits — 0APT and KryBit — emerged from the feud with their operations exposed, their leak sites defaced, and in 0APT’s case, the convenient revelation that almost everything it had ever claimed was made up.

0APT showed up in late January with a near-200-name leak-site list that looked too neat. Researchers at the time judged most of it fabricated but couldn’t quite prove it. The group went quiet for two and a half months, came back in mid-April, and started posting other ransomware gangs as victims — KryBit, Everest, RansomHouse. The Everest “leak” turned out to be a database dump with the interesting fields encoded and hashed; nothing usable. RansomHouse data was promised, never appeared.

KryBit, which had been operating only since late March under an 80/20 affiliate split with builders for Windows, Linux, ESXi and NAS, did not take this in good humour. By 14 April it had breached 0APT, exfiltrated the full operational data set, and replaced the 0APT leak site with a defacement that read “Next time, don’t play with the big boys.” The dumped data — full access logs, PHP source, system files — confirmed in writing what researchers had suspected: not one of the 190-plus victims 0APT had posted in January was real. No data exfiltration. No encryption. The list was purely marketing.

The KryBit data dump cuts the other way too. Halcyon’s count, drawn directly from the exposed admin panel, puts the operation at two administrators, five affiliates, twenty potential victims, and ransom demands sitting between $40,000 and $100,000. That is the kind of baseline sizing data that security teams normally have to guess at when management asks how big a gang is. Now there is a number.

Three things worth taking away.

First, leak-site counts are not victim counts. The mainstream ransomware trackers that aggregate by leak-site mentions — including some of the monthly dashboards the security press cites — were counting 0APT’s January posts as compromises with no validation. They were not compromises. If your threat-intelligence feed is pulling from leak-site mentions and reporting them as breached organisations, that pipeline now has a known false-positive baseline. Adjust the weighting accordingly, especially for new, unproven brands.
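One way to build that weighting into a leak-site ingestion step, as an added example that is not code from Halcyon, Dark Reading or any tracker: each brand carries a track record of posts later confirmed or disproven, a bare mention is capped below the "confirmed" threshold, and young brands with no record get a low prior. The record fields, the 90-day cut-off, the thresholds, the "OldBrand" comparison brand and the sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class LeakPost:
    brand: str
    victim: str
    proof_files: int = 0      # sample documents attached to the post
    confirmed_by: tuple = ()  # independent sources, e.g. ("ir_engagement",)

@dataclass(frozen=True)
class BrandProfile:
    first_seen: date
    confirmed: int = 0        # past posts corroborated by the victim or an IR team
    disproven: int = 0        # past posts shown to be fabricated

def brand_reliability(profile: BrandProfile, as_of: date) -> float:
    """Prior that a post from this brand is real: Laplace-smoothed track record."""
    total = profile.confirmed + profile.disproven
    if total == 0:  # no record yet: brands under an assumed 90 days get a low prior
        return 0.25 if (as_of - profile.first_seen).days < 90 else 0.5
    return (profile.confirmed + 1) / (total + 2)

def post_confidence(post: LeakPost, profile: BrandProfile, as_of: date) -> float:
    """Independent confirmation wins; a leak-site mention alone is capped at 0.85."""
    if post.confirmed_by:
        return 1.0
    return min(brand_reliability(profile, as_of) + 0.1 * min(post.proof_files, 3), 0.85)

def feed_status(post: LeakPost, profile: BrandProfile, as_of: date) -> str:
    c = post_confidence(post, profile, as_of)
    return "confirmed" if c >= 0.9 else "probable" if c >= 0.6 else "unverified"

def summarise(posts, profiles, as_of) -> dict:
    """Per-brand status counts: raw mentions and confirmed compromises stay separate."""
    out: dict = {}
    for p in posts:
        bucket = out.setdefault(p.brand, {})
        status = feed_status(p, profiles[p.brand], as_of)
        bucket[status] = bucket.get(status, 0) + 1
    return out

def demo() -> dict:
    # Constructed sample: 0APT's January list scored after the April dump disproved
    # all 190 posts, beside an assumed established brand ("OldBrand") with a record.
    as_of = date(2026, 4, 14)
    profiles = {"0APT": BrandProfile(date(2026, 1, 25), disproven=190),
                "OldBrand": BrandProfile(date(2024, 1, 1), confirmed=40, disproven=2)}
    posts = [LeakPost("0APT", "victim-a"), LeakPost("0APT", "victim-b"),
             LeakPost("OldBrand", "victim-c", proof_files=2),
             LeakPost("OldBrand", "victim-d", confirmed_by=("ir_engagement",))]
    return summarise(posts, profiles, as_of)
```

The point of the cap is that a dashboard fed by this step reports "mentions" and "confirmed compromises" as two different numbers, so a fabricated list like 0APT's never inflates the second.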

Second, this is what RaaS economics look like at the small end. A handful of operators, a handful of affiliates, ransom demands that will not make headlines but will absolutely break a mid-market manufacturer or a regional council. The press loves the eight-figure demands; most extortion lives down here in five. If your incident-response retainer assumes a Conti-shaped adversary because that’s what the slides at the conference showed, the next call is more likely to come from someone like KryBit. The kit is generic, the affiliate count is small, the demand fits a cyber-insurance excess.

Third, both of these brands are functionally over. Halcyon expects them to rebuild and rebrand, which is what every burnt RaaS operation has done since DarkSide became BlackMatter became ALPHV became RansomHub. The names rotate; the tooling, the affiliates and the operational habits do not. If your detection rules are scoped by gang name, you’re rewriting them every quarter. Scope them on behaviour — the initial-access patterns through exposed remote-management tools, the same handful of LOLBin staging sequences, data staging into a sanctioned cloud bucket before exfiltration — and the rebrand cycle becomes a labelling problem rather than a coverage problem.

The intel dividend from a feud like this is genuinely rare. Defenders almost never get to see the inside of a RaaS admin panel — affiliate counts, the victim pipeline, where the demands actually land. Treat it as the free CTI windfall it is, lift the indicators of compromise Halcyon published into the relevant pipelines, and make a note that the next 0APT will be called something else by Q3.
