New ransomware group 0APT claims hundreds of victims

A new ransomware group called 0APT emerged late last month claiming roughly 200 victims, but researchers have found no evidence confirming any of the attacks actually occurred.

What happened

0APT appeared online claiming approximately 200 victims within its first week, targeting organizations in healthcare, professional services, technology, transportation and logistics, energy and manufacturing. Most claimed victims are based in the United States. Researchers published reports this week examining the group's claims. Upon investigation, researchers found that alleged victim data samples and the structure of placeholder file trees published by 0APT cast serious doubt on the group's criminal claims. The group's data-leak site briefly went offline before returning with a lower victim count. Despite the fabricated victim claims, researchers confirmed that 0APT does operate functional ransomware infrastructure with cryptographically strong binaries.

What was said

Cynthia Kaiser, senior vice president at Halcyon's ransomware research center, told CyberScoop, "While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware."

Kaiser added that "even if researchers assess most claimed victims as fabricated, the underlying ransomware payload represents genuine risk to any organization that encounters it."

On the group's likely motivations, Kaiser said, "The group's early claims appear to focus more on gaining visibility and momentum, believing those will recruit affiliates faster than validity."

In the know

Ransomware-as-a-service (RaaS) is a criminal business model in which ransomware developers build and maintain attack infrastructure and then recruit outside operators to carry out actual attacks in exchange for a cut of ransom payments. This model lowers the barrier to entry for cybercriminals and allows ransomware operations to grow.

Why it matters

0APT's primary targets, healthcare, energy, and transportation and logistics, are sectors where operational disruption carries life-safety consequences. A ransomware attack on a hospital system doesn't just encrypt files; it can directly delay patient care.

The Paubox report on the top three healthcare email attacks in 2025 found that Forrester noted "process failures and human error continue to be a persistent cause of data exposure, particularly when security controls rely on user judgment." Ransomware groups like 0APT exploit exactly that gap, using phishing and credential theft to get inside systems before any encryption ever happens.

The Paubox report also cited Microsoft's Digital Defense Report, which found that "attackers increasingly exploit trust in familiar identities, such as executives and vendors, rather than relying on malicious attachments or links." 0APT's communication style and impersonation-friendly tactics fit this pattern, leaving healthcare organizations that haven't secured their email layer exposed if the group begins targeting real victims.

The bottom line

Healthcare organizations should treat this as an early warning rather than a reason to dismiss the threat. Email remains the most common entry point for the credential theft and impersonation attacks that ransomware groups depend on to gain initial access. Organizations should review their endpoint detection capabilities, access controls, and inbound email security now.

FAQs

Is 0APT affiliated with any known ransomware groups or nation-state actors?

Researchers have found no obvious lineage or overlap between 0APT and any known ransomware variants or state-sponsored threat actors.

Should organizations notify patients or staff if 0APT lists them as a victim?

Being listed on 0APT's data-leak site does not confirm a breach occurred, so organizations should investigate before triggering formal notification procedures.

What should an organization do if it receives a ransom demand from 0APT?

Organizations should engage their incident response team and legal counsel before taking any action or making contact with the group.
