Ransomware groups hack each other, exposing false victim claims

Two ransomware groups, 0APT and KryBit, suffered mutual infrastructure damage after leaking each other's operational data online, with 0APT's credibility taking the heavier blow.

 

What happened

The conflict began when 0APT published data from three ransomware groups on its leak site: newcomer KryBit, RansomHouse, and the Everest Group. The leak exposed KryBit's administrator panel, which contained data on its primary operators, affiliates, and victim negotiations. The activity covered March 28 through April 12, 2026. At the time of the leak, KryBit had two administrators, five affiliates, and 20 potential victims, with ransom demands ranging from $40,000 to $100,000 and between 10 and 250GB of data taken per victim.

KryBit retaliated by hacking 0APT, stealing its operational data and defacing its leak site. The counterattack revealed that 0APT's 190+ claimed victims from January 2026 were fabricated, meaning no data was actually stolen. 0APT has not recovered, and KryBit's defacement of its site remains active.

 

What was said

Former Barclays CISO and Halcyon chief strategy officer Oliver Newbury tied the conflict to broader financial pressure in the ransomware ecosystem, stating, "These groups depend on credibility to survive, so when that starts to crack, rivals move fast to expose it."

Newbury added, "We're now seeing them disrupt each other's operations, taking over infrastructure and undermining campaigns in real time. It creates instability, but not safety. The ecosystem doesn't shrink, it reshapes, often becoming harder to predict in the process."

 

By the numbers

  • KryBit had 2 administrators and 5 affiliates at the time of the leak
  • KryBit listed 20 potential victims, with ransom demands of $40,000–$100,000 per victim
  • Data exfiltrated per KryBit victim ranged from 10 to 250GB
  • 0APT claimed 190+ victims in January 2026, all fabricated, per its own leaked logs
  • Crypto payments to ransomware actors dropped 8% in 2025 to $820 million, even as the number of ransomware attacks increased by 50%

Why it matters

If a group can list 190+ fictional victims and operate its leak site off an Android phone, the barrier to entry in ransomware is lower than defenders might assume, and threat intelligence based on claimed victim counts may be unreliable.

For healthcare organizations and other high-value ransomware targets, this is a reminder that attacks are not executed by a stable hierarchy of known actors. As Newbury noted, when groups collapse under pressure they don't disappear, they rebrand and resurface, often in less predictable forms. Attributing attacks, assessing actor credibility, and tracking infrastructure all become harder when groups routinely fabricate history and rebuild from scratch.

 

The bottom line

Organizations should treat the reshaping of ransomware groups as a reason to strengthen defenses before new and harder-to-track actors establish themselves. Reviewing vendor and partner security relationships, maintaining offline backups, and monitoring for early breach indicators remain the most reliable defenses regardless of which group is currently active.

 

FAQs

What is a ransomware affiliate?

A ransomware affiliate is a third-party operator who partners with a ransomware group, using their tools and infrastructure in exchange for a cut of any ransom payments collected.

 

What is a leak site?

A leak site is a dark web platform that ransomware groups use to publish stolen data and publicly pressure victims into paying a ransom.

 

What is double-extortion ransomware?

Double-extortion is a tactic where attackers both steal data and encrypt systems, giving them two points of leverage.

 

Why do ransomware groups care about credibility?

Credibility is how ransomware groups attract affiliates, negotiate higher ransoms, and signal to victims that non-payment will have real consequences.

 
